Edit tour
Windows
Analysis Report
nCBC3f6tz1.dll
Overview
General Information
| Sample name: | nCBC3f6tz1.dllrenamed because original name is a hash value |
| Original sample name: | 426fa8eecccaa92eb1bb7a298a37b434f98dd8445f58796c1414ada17a059a9a.dll |
| Analysis ID: | 1544789 |
| MD5: | 7012991b1134738dcf2209c247965b9f |
| SHA1: | c36405cdeeefc0c6ea2e664b0965c5c4cda16a79 |
| SHA256: | 426fa8eecccaa92eb1bb7a298a37b434f98dd8445f58796c1414ada17a059a9a |
| Tags: | 2024bankerdllgolangloadermekotiouser-johnk3r |
| Infos: | |
 | |
Detection
| Score: | 60 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
loaddll32.exe (PID: 1456 cmdline: loaddll32. exe "C:\Us ers\user\D esktop\nCB C3f6tz1.dl l" MD5: 51E6071F9CBA48E79F10C84515AAE618) 
conhost.exe (PID: 5308 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 3168 cmdline:
cmd.exe /C rundll32. exe "C:\Us ers\user\D esktop\nCB C3f6tz1.dl l",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) 
rundll32.exe (PID: 3096 cmdline: rundll32.e xe "C:\Use rs\user\De sktop\nCBC 3f6tz1.dll ",#1 MD5: 889B99C52A60DD49227C5E485A016679) 
WerFault.exe (PID: 6596 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 3 096 -s 652 MD5: C31336C1EFC2CCB44B4326EA793040F2) - rundll32.exe (PID: 4632 cmdline:
rundll32.e xe C:\User s\user\Des ktop\nCBC3 f6tz1.dll, BarCreate MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 4940 cmdline:
rundll32.e xe C:\User s\user\Des ktop\nCBC3 f6tz1.dll, BarDestroy MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 4924 cmdline:
rundll32.e xe C:\User s\user\Des ktop\nCBC3 f6tz1.dll, BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 1220 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\nCBC 3f6tz1.dll ",BarCreat e MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 4108 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\nCBC 3f6tz1.dll ",BarDestr oy MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 2364 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\nCBC 3f6tz1.dll ",BarFreeR ec MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 1196 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\nCBC 3f6tz1.dll ",wkeSetFo cus MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 1696 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\nCBC 3f6tz1.dll ",wkeSetDi rty MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 3868 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\nCBC 3f6tz1.dll ",wkeResiz e MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7180 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\nCBC 3f6tz1.dll ",wkePaint 2 MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7192 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\nCBC 3f6tz1.dll ",wkeKillF ocus MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7224 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\nCBC 3f6tz1.dll ",wkeIsDir ty MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7236 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\nCBC 3f6tz1.dll ",wkeIniti alize MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7252 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\nCBC 3f6tz1.dll ",wkeGetCa retRect MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7276 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\nCBC 3f6tz1.dll ",wkeFireM ouseWheelE vent MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7292 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\nCBC 3f6tz1.dll ",wkeFireM ouseEvent MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7308 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\nCBC 3f6tz1.dll ",wkeFireK eyUpEvent MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7324 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\nCBC 3f6tz1.dll ",wkeFireK eyPressEve nt MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7348 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\nCBC 3f6tz1.dll ",wkeFireK eyDownEven t MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7368 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\nCBC 3f6tz1.dll ",wkeFireC ontextMenu Event MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7380 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\nCBC 3f6tz1.dll ",wkeFinal ize MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7400 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\nCBC 3f6tz1.dll ",wkeDestr oyWebView MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7416 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\nCBC 3f6tz1.dll ",wkeCreat eWebView MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7428 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\nCBC 3f6tz1.dll ",dbkFCall WrapperAdd r MD5: 889B99C52A60DD49227C5E485A016679) - WerFault.exe (PID: 7556 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 7 428 -s 640 MD5: C31336C1EFC2CCB44B4326EA793040F2) - rundll32.exe (PID: 7452 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\nCBC 3f6tz1.dll ",__dbk_fc all_wrappe r MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7464 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\nCBC 3f6tz1.dll ",TMethodI mplementat ionInterce pt MD5: 889B99C52A60DD49227C5E485A016679) - WerFault.exe (PID: 7564 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 7 464 -s 640 MD5: C31336C1EFC2CCB44B4326EA793040F2) - rundll32.exe (PID: 7476 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\nCBC 3f6tz1.dll ",BarRecog nize MD5: 889B99C52A60DD49227C5E485A016679)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 4_2_0040D1C4 | |
| Source: | Code function: | 4_2_0040CBF8 | |
| Source: | Code function: | 30_2_0436D1C4 | |
| Source: | Code function: | 30_2_0436CBF8 | |
| Source: | Code function: | 32_2_041DD1C4 | |
| Source: | Code function: | 32_2_041DCBF8 | |
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 4_2_004EA1D8 | |
| Source: | Code function: | 4_2_004EAA7C | |
| Source: | Code function: | 4_2_004F6444 | |
| Source: | Code function: | 4_2_004F6704 | |
| Source: | Code function: | 4_2_004E6918 | |
| Source: | Code function: | 4_2_004B0F64 | |
| Source: | Code function: | 4_2_004B10A8 | |
| Source: | Code function: | 4_2_0043B4C4 | |
| Source: | Code function: | 4_2_004FFD00 | |
| Source: | Code function: | 4_2_004EFE80 | |
| Source: | Code function: | 4_2_004F1FC4 | |
| Source: | Code function: | 4_2_004F5F80 | |
| Source: | Code function: | 30_2_04456444 | |
| Source: | Code function: | 30_2_04456704 | |
| Source: | Code function: | 30_2_04410F64 | |
| Source: | Code function: | 30_2_04446918 | |
| Source: | Code function: | 30_2_0439B4C4 | |
| Source: | Code function: | 30_2_044110A8 | |
| Source: | Code function: | 30_2_0445FD00 | |
| Source: | Code function: | 30_2_0444FE80 | |
| Source: | Code function: | 30_2_04451FC4 | |
| Source: | Code function: | 30_2_04455F80 | |
| Source: | Code function: | 32_2_0420B4C4 | |
| Source: | Process created: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 4_2_004E5AA0 | |
| Source: | Code function: | 4_2_004219D8 | |
| Source: | Code function: | 4_2_004AA910 | |
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | |||
| Source: | Key opened: | |||
| Source: | Key opened: | |||
| Source: | Key opened: | |||
| Source: | Key opened: | |||
| Source: | Key opened: | |||
| Source: | Key opened: | |||
| Source: | Key opened: | |||
| Source: | Key opened: | |||
| Source: | Key opened: | |||
| Source: | Key opened: | |||
| Source: | Key opened: | |||
| Source: | Key opened: | |||
| Source: | Key opened: | |||
| Source: | Key opened: | |||
| Source: | Key opened: | |||
| Source: | Key opened: | |||
| Source: | Key opened: | |||
| Source: | Key opened: | |||
| Source: | Key opened: | |||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | ReversingLabs: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 4_2_00508FA8 | |
| Source: | Static PE information: | ||
| Source: | Code function: | 4_2_0050E0D6 | |
| Source: | Code function: | 4_2_0050E511 | |
| Source: | Code function: | 4_2_00460069 | |
| Source: | Code function: | 4_2_00504032 | |
| Source: | Code function: | 4_2_0050A13C | |
| Source: | Code function: | 4_2_004380A5 | |
| Source: | Code function: | 4_2_005041C2 | |
| Source: | Code function: | 4_2_0046624C | |
| Source: | Code function: | 4_2_00464268 | |
| Source: | Code function: | 4_2_004BE2E5 | |
| Source: | Code function: | 4_2_004BA2FB | |
| Source: | Code function: | 4_2_004C42F5 | |
| Source: | Code function: | 4_2_00468300 | |
| Source: | Code function: | 4_2_004C0341 | |
| Source: | Code function: | 4_2_00502390 | |
| Source: | Code function: | 4_2_0050A3EA | |
| Source: | Code function: | 4_2_0043A3D1 | |
| Source: | Code function: | 4_2_005023A1 | |
| Source: | Code function: | 4_2_00464454 | |
| Source: | Code function: | 4_2_0050E5EE | |
| Source: | Code function: | 4_2_004C460D | |
| Source: | Code function: | 4_2_0050E669 | |
| Source: | Code function: | 4_2_0050E7D4 | |
| Source: | Code function: | 4_2_0046670D | |
| Source: | Code function: | 4_2_0046671D | |
| Source: | Code function: | 4_2_0048281E | |
| Source: | Code function: | 4_2_004648E6 | |
| Source: | Code function: | 4_2_0042EA58 | |
| Source: | Code function: | 4_2_004C2A31 | |
| Source: | Code function: | 4_2_00468B61 | |
| Source: | Code function: | 4_2_00508B95 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | API coverage: | ||
| Source: | API coverage: | ||
| Source: | API coverage: | ||
| Source: | Last function: | ||
| Source: | Code function: | 4_2_0040D1C4 | |
| Source: | Code function: | 4_2_0040CBF8 | |
| Source: | Code function: | 30_2_0436D1C4 | |
| Source: | Code function: | 30_2_0436CBF8 | |
| Source: | Code function: | 32_2_041DD1C4 | |
| Source: | Code function: | 32_2_041DCBF8 | |
| Source: | Code function: | 4_2_0040EE84 | |
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_4-47804 | ||
| Source: | API call chain: | graph_30-47060 | ||
| Source: | API call chain: | graph_32-31748 | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | |||
| Source: | Process queried: | |||
| Source: | Process queried: | |||
| Source: | Process queried: | |||
| Source: | Code function: | 4_2_004B8000 | |
| Source: | Code function: | 4_2_00508FA8 | |
| Source: | Code function: | 4_2_00508B90 | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 4_2_004079E8 | |
| Source: | Code function: | 4_2_0040D2FC | |
| Source: | Code function: | 4_2_0040C79C | |
| Source: | Code function: | 4_2_00428FD0 | |
| Source: | Code function: | 4_2_0042920C | |
| Source: | Code function: | 4_2_00425334 | |
| Source: | Code function: | 4_2_00425380 | |
| Source: | Code function: | 30_2_0436D2FC | |
| Source: | Code function: | 30_2_0436C79C | |
| Source: | Code function: | 30_2_04388FD0 | |
| Source: | Code function: | 30_2_0438920C | |
| Source: | Code function: | 30_2_04385334 | |
| Source: | Code function: | 30_2_04385380 | |
| Source: | Code function: | 32_2_041DD2FC | |
| Source: | Code function: | 32_2_041DC79C | |
| Source: | Code function: | 32_2_041F920C | |
| Source: | Code function: | 32_2_041F5334 | |
| Source: | Code function: | 32_2_041F5380 | |
| Source: | Code function: | 32_2_041F8FD0 | |
| Source: | Code function: | 4_2_00423868 | |
| Source: | Code function: | 4_2_0040C520 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 11 Process Injection | 11 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Screen Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Process Injection | LSASS Memory | 41 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Clipboard Data | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Rundll32 | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 25 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 47% | ReversingLabs | Win32.Trojan.Midie | ||
| 100% | Avira | TR/Redcap.ystkm |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe |
⊘No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown |
⊘No contacted IP infos
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1544789 |
| Start date and time: | 2024-10-29 18:50:08 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 8m 1s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 42 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | nCBC3f6tz1.dllrenamed because original name is a hash value |
| Original Sample Name: | 426fa8eecccaa92eb1bb7a298a37b434f98dd8445f58796c1414ada17a059a9a.dll |
| Detection: | MAL |
| Classification: | mal60.winDLL@63/13@0/0 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.189.173.20
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- VT rate limit hit for: nCBC3f6tz1.dll
| Time | Type | Description |
|---|---|---|
| 13:51:12 | API Interceptor | |
| 13:51:28 | API Interceptor |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_9d3e772da6c0c3b2ba98571a98f1ccb5316d883_7522e4b5_b13a919c-48d8-47a8-ac20-04e70e997bbc\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.8639997692035788 |
| Encrypted: | false |
| SSDEEP: | 192:agRiyOFqt0BU/wjeTpLzuiFFZ24IO8dci:7RiTFquBU/wjeBzuiFFY4IO8dci |
| MD5: | 0132FAA35C5E7B5327D53065F8250AEB |
| SHA1: | 87FDA78C0E159828718465982665FA1C320BF377 |
| SHA-256: | 3DA4C718C2CFBFC6372F00E9F4DBD67863A2E8F10CFF2A9F08AEDA28C09051DE |
| SHA-512: | BCC1B37E7BDEABD31EE1563156127DD4DB5B5F094BD1562D06261F8AC1C4DEB3FC3BC936AF7F47C8833522EAC2107A2C3B738CC974037640A87FF6F8B4708C26 |
| Malicious: | false |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_c66a12a3cf7201bf6f31cc259909e9e2c78f020_7522e4b5_7d002d39-5284-4d12-ae4d-a51d443037c3\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.8694102111278192 |
| Encrypted: | false |
| SSDEEP: | 192:HeFixOTKqq0BU/wjeTpLzuiFFZ24IO84ci:+FiI+qxBU/wjeBzuiFFY4IO84ci |
| MD5: | E86397837C0AE92DF04945BB3EEB88FA |
| SHA1: | D2863A24DF979A43756FE447F74EC29FCA000E55 |
| SHA-256: | F20A4D88C5A5D2ED899D43968AFA6275EEA50E3E07F0967F43F288A256F7DF88 |
| SHA-512: | 223088A24A7F8570C6C83844998BB8037E73C1608BD2FB8BF9007FB2D5F1308062B92221F2F15A1468CAB2B2B20057CB908650D8AAA20A5450DBE08D0920EA90 |
| Malicious: | false |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_c66a12a3cf7201bf6f31cc259909e9e2c78f020_7522e4b5_8c7c462f-9bf7-41c5-b513-6f865a843684\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.8697903095984804 |
| Encrypted: | false |
| SSDEEP: | 192:ivFiXOP7qq0BU/wjeTpLzuiFFZ24IO84ci:8i+zqxBU/wjeBzuiFFY4IO84ci |
| MD5: | BA14E2BC5693178E2692B039635F55D0 |
| SHA1: | 51E359A24818C7423CCDC6CBFA0C2DDE250A1815 |
| SHA-256: | EB46A1B425F00B40F298B1910ED137900DF5B58AB5D10BCA24DCD81992E4AF74 |
| SHA-512: | B63B46D114F046A56CB7875767A0FB7588FE84E41A5DDD3F293C119DAA1443BB59BDC9EA8A7EE4ECB0A912733D43C840B691AFEC1A871955D65164A1BC4A6B49 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 43708 |
| Entropy (8bit): | 1.9118257940178096 |
| Encrypted: | false |
| SSDEEP: | 192:8aYvJbXZyO5H4JnIeh7+obAJ1K5H9O7jaJ8iHf7:0LN5HonIeh5sJ1K5H9eif |
| MD5: | 382FDA770D76FAC3B86AC77848C1BD87 |
| SHA1: | 3F01B560663B4A3F80B812B453FFFFBE9C2A6DB4 |
| SHA-256: | CD5E9EDEC6EE474162E36F0F345B25E381228675DF9DE9213814EB6283C01B22 |
| SHA-512: | 705AC63AD1C21E905FB1A9292578C7B32601830679EC8BCBD4D6D1A35AEA9D816C93BA1F1238C2714AB6D1C615CCEB91C885F1E55467550C842E89F4328C50B3 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8318 |
| Entropy (8bit): | 3.688450466573787 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJRm6IUE6Yvr6Wgmf8gTfprQ89bsdsf5km:R6lXJA6IUE6YD6Wgmf86/sWfP |
| MD5: | F64D7C3DDEB1D70326E99210EEB5998E |
| SHA1: | 4712E81AF6BA82F38363412B35B8FDC4297CC8FB |
| SHA-256: | 00092D1F50A07F7A4F17E5244B130EDB5C1E162C2488C953A3C96FCB743465CB |
| SHA-512: | 553246A3ECA1A1F5A80BE5E1D183C639BD06E1EF5728C21E5624D4C502D416F0BE27D398F11394C3F3D91B8EA843142B5E91B28C942BCA32BB4E7AD88E86F9BB |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4751 |
| Entropy (8bit): | 4.448190135228524 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsAJg77aI9P8WpW8VYv0Ym8M4JCdP+hnFeso+q8vjP+hYMGScSid:uIjfGI7d17VmBJzhBoKShtJ3id |
| MD5: | 18B7F73FAA1625B4EE290E8AA277ADE3 |
| SHA1: | 8E25BE00883267C93B5F83612D01283C46882073 |
| SHA-256: | 38871BF24B126884C4314D7836935F4F39B48905EE8B1942576520D46776AD7A |
| SHA-512: | ED2ACE09330F77A0256EE031B1E966B3E1708B9467765A1950317C6174E673398D23DB9544C4DF54749A9B4952D962A2BB4408558E68873CF49A390A14123522 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 42300 |
| Entropy (8bit): | 1.9478092830830245 |
| Encrypted: | false |
| SSDEEP: | 192:P1pNLCvk5XZsXO5H4qULWN1+qAERn6JvO:tXCEs+5HdUyNAqA6 |
| MD5: | C7E1759718953F24DB8428A98A41FF0B |
| SHA1: | E0FAF4548F7E700950B9812A838783865B38DC27 |
| SHA-256: | A3842A3BE927EEC3784907F9C2527B096751DD1ACDEE2C433F992FA2336182E5 |
| SHA-512: | F1AA63B15DD4DABD04DAE75000970C67EE783B1A25EC21DFCF08025C455F9C6F6D1A2C03BD0CCD626E693975B17085CA2241ACDC6FD5AB85D0B9550163904221 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 42840 |
| Entropy (8bit): | 1.980200881121982 |
| Encrypted: | false |
| SSDEEP: | 96:5W8ZZd6ciA4hFyoPKkJBUhXZebvoi75I4v4BR+7RtVc+o5mzvwOjqFZG2pjPvBW1:PZOvzIXZ7O5H4HGwO2pvDIBSHM5vPKc |
| MD5: | C470FB31A7266BFEB96B6420897C9E79 |
| SHA1: | 0C687731EFC7ED73E25D4C0BCB0CEC186CAF6A75 |
| SHA-256: | E93F9435C66A58D10F8DD2E2D7E874F2CF3D48B91CFB4FE48769F1EA3EE2AAAA |
| SHA-512: | 9174DBE5A0CD8589E6F51AF0D8E136B688251BCB4D7282A53B0DCEC887A513D41629E74AEE89A5227B710712F4FA35AD721425B708421671BEC265653ABDC38A |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8330 |
| Entropy (8bit): | 3.687957068536289 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJU86IUtFW/6YMH6ggmf8gTfprZ89bUEsf/Ecm:R6lXJn6IUtFO6Yk6ggmf86kU3f/m |
| MD5: | B64D725BD76C3CD70407A6843EC98408 |
| SHA1: | 2BC0F98711BAB6ACACB7EC641780D2DC7EAB19FF |
| SHA-256: | F0DD215729FDA1786FDE042FE8B0F6E4802F906B44CDE06C18FC81A3B1086917 |
| SHA-512: | 269AD73E855452BF3715A8A889EEC4213DA2E62D94410949C2A2BF633C183BD72CA64458FB0AA427D922308709CBFAEA1F7306B661B4C02D09B34AD55B4351EE |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8266 |
| Entropy (8bit): | 3.6918792275299306 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJc76IUntS6YMD6ggmfTgnfprZ89bUesfNcm:R6lXJY6IUntS6YQ6ggmfTekUdfD |
| MD5: | 1E4B36F3292CB02B0AFC8408676084D3 |
| SHA1: | 5D0096BFE5A695DCC7A4B0ECCAE2E1F6A878EBDA |
| SHA-256: | F70BCBDE0E5B63EAC4690B4E901FD7E1772CC59F5DC30A34F1F19E85FA793514 |
| SHA-512: | 2B29474F7E0B5A5DBFF602F55C549EB6615EB907C26EDC8695A45C818B85E839330E2F311AA4D4999CC6174EDBC2BE53BD18A959C3678F7AB80AF3B155747728 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4751 |
| Entropy (8bit): | 4.448158924178178 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsAJg77aI9P8WpW8VYjYm8M4JCdP+hnFno+q8vjP+hHGScSgd:uIjfGI7d17VDJzhRoKShHJ3gd |
| MD5: | 7E431B22C95AB9CC67410E4952358EC5 |
| SHA1: | 4D70B78154EA1A6C5783A3D402C383B994FDE4F0 |
| SHA-256: | D9E583BA368C9009EA59933479B2F1551A916FF0B935974B07226ACBFFE7D0C6 |
| SHA-512: | A1C116C65E4663F5D00ED9124F557B24F51892AA974ECA4B8E24E90A8FBE8434D3DBA98323032D68BE9D13C99E23A90107B6450D60C6544963BCFEDA8FB15E4C |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4650 |
| Entropy (8bit): | 4.463138133741678 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsAJg77aI9P8WpW8VYQiPYm8M4JCdP+KF1+q8/8aQGScSud:uIjfGI7d17V3JzibvJ3ud |
| MD5: | CBD6B5B416FE8C59D32A2377DA0BACDF |
| SHA1: | 4E8B0EB73ED3E21BA8B1DF87247B8F6413709DFD |
| SHA-256: | 9C69A727287BF54F320806A99187C6CE456DCA21B66D4CAFE79F7C3F3ACDF106 |
| SHA-512: | 656B0398A827037B12B4F4816CFACB1CFB572A05CCE7A08DD34100BF369F2A81B1C0CDEAD4ABFE8CD636E45570F9E08ECCA41706290FE72A323A7DEBD24CACFB |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1835008 |
| Entropy (8bit): | 4.466257755934301 |
| Encrypted: | false |
| SSDEEP: | 6144:QIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNxdwBCswSbG:1XD94+WlLZMM6YFHT+G |
| MD5: | CB6D5DF843FFF05D892AF105E54560CF |
| SHA1: | 88F58F6AFB1E7F304313743C321067E755FE0D94 |
| SHA-256: | 25FAB15638AEA09291B86007D1940C03B3CBB1B225D62686CB9708FB1DA4F316 |
| SHA-512: | DE0096A755C5233CED42FDAEAF0B11DD0867FB3D27082C699BA29CD6A917E8BE4F19040D236E80340119937A2A5285E3AA38050F10EEF2F32CED15DFB2AA59C6 |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.648219399869683 |
| TrID: |
|
| File name: | nCBC3f6tz1.dll |
| File size: | 1'270'784 bytes |
| MD5: | 7012991b1134738dcf2209c247965b9f |
| SHA1: | c36405cdeeefc0c6ea2e664b0965c5c4cda16a79 |
| SHA256: | 426fa8eecccaa92eb1bb7a298a37b434f98dd8445f58796c1414ada17a059a9a |
| SHA512: | b614d2edcebe1560562300499b0744aab2d8f6348b98b8f4bbd0f3bf4f804cf615d33600cc3bfd55942ed4679be603b3bb8162fd09d1e9766e5b24f09ec003a8 |
| SSDEEP: | 24576:DGkMq/UR+FgcAf11t36U2cjDz3YTMVKh:hR3F2DKU9DzoTMVK |
| TLSH: | 24455C62F245643EC4AA0A364977AD50583FB7A2755AEC1E57F4088CCE3A5802F3E74F |
| File Content Preview: | MZP.....................@...............................................!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
 | |
| Icon Hash: | 7ae282899bbab082 |
| Entrypoint: | 0x50eed0 |
| Entrypoint Section: | .itext |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI |
| DLL Characteristics: | |
| Time Stamp: | 0x66F1D604 [Mon Sep 23 20:56:36 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 0 |
| File Version Major: | 5 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 6327992c879b906e750778c69d550fed |
| Instruction |
|---|
| push ebp |
| mov ebp, esp |
| add esp, FFFFFFC0h |
| mov eax, 0050A450h |
| call 00007F2AF8CCABFDh |
| call 00007F2AF8CC4018h |
| lea eax, dword ptr [eax+00h] |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x122000 | 0x2a3 | .edata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x11f000 | 0x1c46 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x13d000 | 0x4600 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x124000 | 0x1852c | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x11f5a4 | 0x464 | .idata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x121000 | 0x366 | .didata |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x10ca38 | 0x10cc00 | c28d3315c6cf633aa713c8ea5f598524 | False | 0.3667360101744186 | data | 6.491607362705958 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .itext | 0x10e000 | 0xee8 | 0x1000 | ab7dc8c516f6ff063fe164a8ca424a96 | False | 0.533935546875 | data | 6.067594508535782 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0x10f000 | 0x8fa0 | 0x9000 | b52f8616a65ec421538aeb614017352b | False | 0.6366102430555556 | data | 6.62898746697328 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .bss | 0x118000 | 0x62f4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0x11f000 | 0x1c46 | 0x1e00 | bd166391d3b2991897d3f90ec0b419cb | False | 0.32083333333333336 | data | 4.974350011480841 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .didata | 0x121000 | 0x366 | 0x400 | 9c7b1e6fd492c18332b403fa3ad29c2e | False | 0.3544921875 | data | 3.0967012674854977 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .edata | 0x122000 | 0x2a3 | 0x400 | cd924b0cd3e6cf1a21119645d23b5f74 | False | 0.408203125 | data | 3.9902888665768597 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rdata | 0x123000 | 0x44 | 0x200 | c9f8bfa36b2dc5163b75d3196d251b45 | False | 0.15625 | data | 1.1660636886017055 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x124000 | 0x1852c | 0x18600 | 71671c2d2eeecdee8a180d069287c025 | False | 0.5805588942307692 | data | 6.710825998888914 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x13d000 | 0x4600 | 0x4600 | d8cd2ec23cd0c16ce8f3bd004f37743a | False | 0.2739955357142857 | data | 3.6872696770617823 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_STRING | 0x13d460 | 0x31c | DOS executable (COM, 0x8C-variant) | 0.4258793969849246 | ||
| RT_STRING | 0x13d77c | 0xb5c | data | 0.2548143053645117 | ||
| RT_STRING | 0x13e2d8 | 0x428 | data | 0.37406015037593987 | ||
| RT_STRING | 0x13e700 | 0x3c4 | data | 0.37655601659751037 | ||
| RT_STRING | 0x13eac4 | 0x3cc | data | 0.2757201646090535 | ||
| RT_STRING | 0x13ee90 | 0x394 | data | 0.4334061135371179 | ||
| RT_STRING | 0x13f224 | 0x4e4 | data | 0.35303514376996803 | ||
| RT_STRING | 0x13f708 | 0x374 | data | 0.3563348416289593 | ||
| RT_STRING | 0x13fa7c | 0x454 | data | 0.38898916967509023 | ||
| RT_STRING | 0x13fed0 | 0x1ec | data | 0.3983739837398374 | ||
| RT_STRING | 0x1400bc | 0xc4 | data | 0.6428571428571429 | ||
| RT_STRING | 0x140180 | 0x170 | data | 0.5597826086956522 | ||
| RT_STRING | 0x1402f0 | 0x334 | data | 0.41585365853658535 | ||
| RT_STRING | 0x140624 | 0x408 | data | 0.3168604651162791 | ||
| RT_STRING | 0x140a2c | 0x36c | data | 0.4018264840182648 | ||
| RT_STRING | 0x140d98 | 0x2b8 | data | 0.4367816091954023 | ||
| RT_RCDATA | 0x141050 | 0x10 | data | 1.5 | ||
| RT_RCDATA | 0x141060 | 0x37c | data | 0.602017937219731 | ||
| RT_RCDATA | 0x1413dc | 0x2 | data | English | United States | 5.0 |
| RT_VERSION | 0x1413e0 | 0x1e8 | data | English | United States | 0.4979508196721312 |
| DLL | Import |
|---|---|
| oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen |
| advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey |
| user32.dll | CharNextW, LoadStringW |
| kernel32.dll | Sleep, VirtualFree, VirtualAlloc, lstrlenW, VirtualQuery, QueryPerformanceCounter, GetTickCount, GetSystemInfo, GetVersion, CompareStringW, IsValidLocale, SetThreadLocale, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetLocaleInfoW, WideCharToMultiByte, MultiByteToWideChar, GetACP, LoadLibraryExW, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetCommandLineW, FreeLibrary, GetLastError, UnhandledExceptionFilter, RtlUnwind, RaiseException, ExitProcess, ExitThread, SwitchToThread, GetCurrentThreadId, CreateThread, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, FindFirstFileW, FindClose, WriteFile, GetStdHandle, CloseHandle |
| kernel32.dll | GetProcAddress, RaiseException, LoadLibraryA, GetLastError, TlsSetValue, TlsGetValue, TlsFree, TlsAlloc, LocalFree, LocalAlloc, FreeLibrary |
| user32.dll | ReleaseDC, PeekMessageW, MsgWaitForMultipleObjects, MessageBoxW, LoadStringW, LoadImageW, LoadIconW, GetSystemMetrics, GetSysColor, GetIconInfo, GetDC, GetClipboardData, FrameRect, FillRect, DrawTextExW, DrawIconEx, DrawFocusRect, DestroyIcon, CreateIcon, CopyIcon, CharUpperBuffW, CharUpperW, CharLowerBuffW |
| gdi32.dll | UnrealizeObject, StretchDIBits, StretchBlt, SetWinMetaFileBits, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, RoundRect, ResizePalette, Rectangle, RealizePalette, Polyline, Polygon, PolyBezierTo, PolyBezier, PlayEnhMetaFile, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsW, GetTextExtentPoint32W, GetSystemPaletteEntries, GetStretchBltMode, GetStockObject, GetPixel, GetPaletteEntries, GetObjectW, GetNearestPaletteIndex, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionW, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExtTextOutW, ExtFloodFill, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectW, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileW, Chord, BitBlt, ArcTo, Arc, AngleArc |
| version.dll | VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW |
| kernel32.dll | WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQueryEx, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, VerSetConditionMask, VerifyVersionInfoW, SwitchToThread, SuspendThread, Sleep, SizeofResource, SetThreadPriority, SetFilePointer, SetEvent, SetEndOfFile, ResumeThread, ResetEvent, ReadFile, RaiseException, IsDebuggerPresent, MulDiv, LockResource, LocalFree, LoadResource, LoadLibraryW, LeaveCriticalSection, IsValidLocale, IsBadReadPtr, InitializeCriticalSection, HeapSize, HeapFree, HeapDestroy, HeapCreate, HeapAlloc, GetVersionExW, GetTickCount, GetThreadPriority, GetThreadLocale, GetStdHandle, GetProcessHeap, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetExitCodeThread, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcess, GetCPInfoExW, GetCPInfo, GetACP, FreeResource, FreeLibrary, FormatMessageW, FindResourceW, EnumSystemLocalesW, EnumCalendarInfoW, EnterCriticalSection, DeleteCriticalSection, CreateFileW, CreateEventW, CompareStringW, CloseHandle |
| advapi32.dll | RegUnLoadKeyW, RegSetValueExW, RegSaveKeyW, RegRestoreKeyW, RegReplaceKeyW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegLoadKeyW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegConnectRegistryW, RegCloseKey |
| kernel32.dll | Sleep |
| netapi32.dll | NetApiBufferFree, NetWkstaGetInfo |
| oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit |
| ole32.dll | CoCreateInstance, IsEqualGUID |
| msvcrt.dll | memset, memcpy |
| Name | Ordinal | Address |
|---|---|---|
| BarCreate | 4 | 0x50a444 |
| BarDestroy | 5 | 0x50a440 |
| BarFreeRec | 6 | 0x50a43c |
| BarRecognize | 7 | 0x50a438 |
| TMethodImplementationIntercept | 3 | 0x45f330 |
| __dbk_fcall_wrapper | 2 | 0x41041c |
| dbkFCallWrapperAddr | 1 | 0x51b630 |
| wkeCreateWebView | 13 | 0x50a420 |
| wkeDestroyWebView | 8 | 0x50a434 |
| wkeFinalize | 9 | 0x50a430 |
| wkeFireContextMenuEvent | 16 | 0x50a414 |
| wkeFireKeyDownEvent | 12 | 0x50a424 |
| wkeFireKeyPressEvent | 14 | 0x50a41c |
| wkeFireKeyUpEvent | 23 | 0x50a3f8 |
| wkeFireMouseEvent | 15 | 0x50a418 |
| wkeFireMouseWheelEvent | 17 | 0x50a410 |
| wkeGetCaretRect | 20 | 0x50a404 |
| wkeInitialize | 22 | 0x50a3fc |
| wkeIsDirty | 21 | 0x50a400 |
| wkeKillFocus | 19 | 0x50a408 |
| wkePaint2 | 24 | 0x50a3f4 |
| wkeResize | 11 | 0x50a428 |
| wkeSetDirty | 10 | 0x50a42c |
| wkeSetFocus | 18 | 0x50a40c |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 29, 2024 18:51:23.754456997 CET | 53 | 60345 | 1.1.1.1 | 192.168.2.4 |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 13:51:01 |
| Start date: | 29/10/2024 |
| Path: | C:\Windows\System32\loaddll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x560000 |
| File size: | 126'464 bytes |
| MD5 hash: | 51E6071F9CBA48E79F10C84515AAE618 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 13:51:01 |
| Start date: | 29/10/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7699e0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 13:51:02 |
| Start date: | 29/10/2024 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x240000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 13:51:02 |
| Start date: | 29/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xda0000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 13:51:02 |
| Start date: | 29/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xda0000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 7 |
| Start time: | 13:51:02 |
| Start date: | 29/10/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x620000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 8 |
| Start time: | 13:51:05 |
| Start date: | 29/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xda0000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 9 |
| Start time: | 13:51:08 |
| Start date: | 29/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xda0000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 10 |
| Start time: | 13:51:11 |
| Start date: | 29/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xda0000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 11 |
| Start time: | 13:51:11 |
| Start date: | 29/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xda0000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 12 |
| Start time: | 13:51:11 |
| Start date: | 29/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xda0000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 13 |
| Start time: | 13:51:11 |
| Start date: | 29/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xda0000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 14 |
| Start time: | 13:51:11 |
| Start date: | 29/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xda0000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Has exited: | true |
| Target ID: | 15 |
| Start time: | 13:51:11 |
| Start date: | 29/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xda0000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Has exited: | true |
| Target ID: | 16 |
| Start time: | 13:51:11 |
| Start date: | 29/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xda0000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Has exited: | true |
| Target ID: | 17 |
| Start time: | 13:51:11 |
| Start date: | 29/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xda0000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Has exited: | true |
| Target ID: | 18 |
| Start time: | 13:51:11 |
| Start date: | 29/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xda0000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Has exited: | true |
| Target ID: | 19 |
| Start time: | 13:51:11 |
| Start date: | 29/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xda0000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Has exited: | true |
| Target ID: | 20 |
| Start time: | 13:51:11 |
| Start date: | 29/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xda0000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Has exited: | true |
| Target ID: | 21 |
| Start time: | 13:51:11 |
| Start date: | 29/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xda0000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Has exited: | true |
| Target ID: | 22 |
| Start time: | 13:51:11 |
| Start date: | 29/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xda0000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Has exited: | true |
| Target ID: | 23 |
| Start time: | 13:51:11 |
| Start date: | 29/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xda0000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Has exited: | true |
| Target ID: | 24 |
| Start time: | 13:51:12 |
| Start date: | 29/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xda0000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Has exited: | true |
| Target ID: | 25 |
| Start time: | 13:51:12 |
| Start date: | 29/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xda0000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Has exited: | true |
| Target ID: | 26 |
| Start time: | 13:51:12 |
| Start date: | 29/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xda0000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Has exited: | true |
| Target ID: | 27 |
| Start time: | 13:51:12 |
| Start date: | 29/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xda0000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Has exited: | true |
| Target ID: | 28 |
| Start time: | 13:51:12 |
| Start date: | 29/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xda0000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Has exited: | true |
| Target ID: | 29 |
| Start time: | 13:51:12 |
| Start date: | 29/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xda0000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Has exited: | true |
| Target ID: | 30 |
| Start time: | 13:51:12 |
| Start date: | 29/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xda0000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Has exited: | true |
| Target ID: | 31 |
| Start time: | 13:51:12 |
| Start date: | 29/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xda0000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Has exited: | true |
| Target ID: | 32 |
| Start time: | 13:51:12 |
| Start date: | 29/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xda0000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Has exited: | true |
| Target ID: | 33 |
| Start time: | 13:51:12 |
| Start date: | 29/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xda0000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Has exited: | true |
| Target ID: | 36 |
| Start time: | 13:51:13 |
| Start date: | 29/10/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x620000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 37 |
| Start time: | 13:51:13 |
| Start date: | 29/10/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x620000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 0.9% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 9.6% |
| Total number of Nodes: | 332 |
| Total number of Limit Nodes: | 36 |
Graph
Function 0040D2FC Relevance: 3.1, APIs: 2, Instructions: 63COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D1C4 Relevance: 3.0, APIs: 2, Instructions: 33fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040EE84 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040CDE8 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 173registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040961C Relevance: 6.2, APIs: 4, Instructions: 161threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0050E000 Relevance: 6.0, APIs: 4, Instructions: 43threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00427884 Relevance: 4.6, APIs: 3, Instructions: 93COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D9EDC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D3C8 Relevance: 3.1, APIs: 2, Instructions: 93COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D4EC Relevance: 3.1, APIs: 2, Instructions: 55libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405600 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 41memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040C278 Relevance: 1.5, APIs: 1, Instructions: 26COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040C520 Relevance: 21.0, APIs: 8, Strings: 4, Instructions: 28libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004FFD00 Relevance: 20.0, APIs: 10, Strings: 1, Instructions: 742windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040CBF8 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 140stringlibraryfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00508FA8 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 202libraryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00508B90 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004AA910 Relevance: 6.1, APIs: 4, Instructions: 51COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040C79C Relevance: 4.6, APIs: 3, Instructions: 99COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004B8000 Relevance: 3.1, APIs: 2, Instructions: 61COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004E5AA0 Relevance: 3.0, APIs: 2, Instructions: 46windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004219D8 Relevance: 1.5, APIs: 1, Instructions: 49COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00425334 Relevance: 1.5, APIs: 1, Instructions: 29COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042920C Relevance: 1.5, APIs: 1, Instructions: 26COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00425380 Relevance: 1.5, APIs: 1, Instructions: 23COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00428FD0 Relevance: 1.5, APIs: 1, Instructions: 17COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00423868 Relevance: 1.5, APIs: 1, Instructions: 6timeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004F6704 Relevance: 1.5, Strings: 1, Instructions: 230COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004F6444 Relevance: 1.4, Strings: 1, Instructions: 196COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043B4C4 Relevance: .4, Instructions: 408COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004F5F80 Relevance: .2, Instructions: 238COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004B0F64 Relevance: .1, Instructions: 102COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004B10A8 Relevance: .1, Instructions: 102COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004E6918 Relevance: .0, Instructions: 17COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004079E8 Relevance: .0, Instructions: 14COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004EC71C Relevance: 28.4, APIs: 14, Strings: 2, Instructions: 357windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00425DC8 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 199threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004ED7A0 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 258windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004253AC Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 216threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004266A0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 97filewindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004085C8 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 63libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00410594 Relevance: 13.8, APIs: 9, Instructions: 258COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004E9A04 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 122fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004061E4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040591C Relevance: 12.3, APIs: 7, Strings: 1, Instructions: 298sleepCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405CA0 Relevance: 12.2, APIs: 8, Instructions: 221sleepCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004E6084 Relevance: 12.1, APIs: 8, Instructions: 79windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405E98 Relevance: 10.9, APIs: 7, Instructions: 406COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004EA974 Relevance: 10.6, APIs: 7, Instructions: 66COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004098D0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004E65E0 Relevance: 9.1, APIs: 6, Instructions: 84COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004E6234 Relevance: 9.1, APIs: 6, Instructions: 65windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004E6A9C Relevance: 9.1, APIs: 6, Instructions: 65windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004ED0C0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004B7154 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 77threadCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043690C Relevance: 7.8, APIs: 5, Instructions: 332COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004F0894 Relevance: 7.6, APIs: 6, Instructions: 148COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004EC31C Relevance: 7.6, APIs: 5, Instructions: 66windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004E619C Relevance: 7.6, APIs: 5, Instructions: 55windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00423C28 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77threadCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004E3ED0 Relevance: 6.1, APIs: 4, Instructions: 101COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040C998 Relevance: 6.1, APIs: 4, Instructions: 95threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004EA788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004EDF8C Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004EEDD0 Relevance: 6.0, APIs: 4, Instructions: 29COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00508C90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D8F38 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79registryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 1% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 334 |
| Total number of Limit Nodes: | 36 |
Graph
Function 0436D2FC Relevance: 3.1, APIs: 2, Instructions: 63COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0436D1C4 Relevance: 3.0, APIs: 2, Instructions: 33fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0436CDE8 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 173registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0436961C Relevance: 6.2, APIs: 4, Instructions: 161threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0446E000 Relevance: 6.0, APIs: 4, Instructions: 43threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 04387884 Relevance: 4.6, APIs: 3, Instructions: 93COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0436D3C8 Relevance: 3.1, APIs: 2, Instructions: 93COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0436D4EC Relevance: 3.1, APIs: 2, Instructions: 55libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 04365600 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 41memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0436C278 Relevance: 1.5, APIs: 1, Instructions: 26COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0436EE84 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0436CBF8 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 140stringlibraryfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0444C71C Relevance: 28.4, APIs: 14, Strings: 2, Instructions: 357windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0436C520 Relevance: 21.0, APIs: 8, Strings: 4, Instructions: 28libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0444D7A0 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 258windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 043853AC Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 216threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 04385DC8 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 199threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 043685C8 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 63libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 04370594 Relevance: 13.8, APIs: 9, Instructions: 258COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 04468FA8 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 202libraryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 04449A04 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 122fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0436591C Relevance: 12.3, APIs: 7, Strings: 1, Instructions: 298sleepCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 04365CA0 Relevance: 12.2, APIs: 8, Instructions: 221sleepCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 04446084 Relevance: 12.1, APIs: 8, Instructions: 79windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 04365E98 Relevance: 10.9, APIs: 7, Instructions: 406COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0444E9A8 Relevance: 10.6, APIs: 7, Instructions: 72COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0444A974 Relevance: 10.6, APIs: 7, Instructions: 66COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 043698D0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 044465E0 Relevance: 9.1, APIs: 6, Instructions: 84COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 04446234 Relevance: 9.1, APIs: 6, Instructions: 65windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 04446A9C Relevance: 9.1, APIs: 6, Instructions: 65windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 043661E4 Relevance: 9.1, APIs: 6, Instructions: 51fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0444D0C0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0439690C Relevance: 7.8, APIs: 5, Instructions: 332COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 04461CB0 Relevance: 7.8, APIs: 5, Instructions: 258COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 04450894 Relevance: 7.6, APIs: 6, Instructions: 148COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 04468B90 Relevance: 7.6, APIs: 5, Instructions: 108memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0444C31C Relevance: 7.6, APIs: 5, Instructions: 66windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0444619C Relevance: 7.6, APIs: 5, Instructions: 55windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 04383C28 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77threadCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 04443ED0 Relevance: 6.1, APIs: 4, Instructions: 101COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0436C998 Relevance: 6.1, APIs: 4, Instructions: 95threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0444A788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0444DF8C Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0440A910 Relevance: 6.1, APIs: 4, Instructions: 51COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0444EDD0 Relevance: 6.0, APIs: 4, Instructions: 29COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 04468C90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 0.9% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 222 |
| Total number of Limit Nodes: | 14 |
Graph
Function 041DD2FC Relevance: 3.1, APIs: 2, Instructions: 63COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 041DD1C4 Relevance: 3.0, APIs: 2, Instructions: 33fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 041DCDE8 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 173registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 041D961C Relevance: 6.2, APIs: 4, Instructions: 161threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 041F7884 Relevance: 4.6, APIs: 3, Instructions: 93COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 041DD3C8 Relevance: 3.1, APIs: 2, Instructions: 93COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 041DD4EC Relevance: 3.1, APIs: 2, Instructions: 55libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 041D5600 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 41memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 041DC278 Relevance: 1.5, APIs: 1, Instructions: 26COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 041DCBF8 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 140stringlibraryfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 041F53AC Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 216threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 041F5DC8 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 199threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 041D85C8 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 63libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 041E0594 Relevance: 13.8, APIs: 9, Instructions: 258COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 042D8FA8 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 202libraryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 041D591C Relevance: 12.3, APIs: 7, Strings: 1, Instructions: 298sleepCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 041D5CA0 Relevance: 12.2, APIs: 8, Instructions: 221sleepCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 041D5E98 Relevance: 10.9, APIs: 7, Instructions: 406COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 041D98D0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 041D61E4 Relevance: 9.1, APIs: 6, Instructions: 51fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0420690C Relevance: 7.8, APIs: 5, Instructions: 332COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 042D8B90 Relevance: 7.6, APIs: 5, Instructions: 108memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 041F3C28 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77threadCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 041DC998 Relevance: 6.1, APIs: 4, Instructions: 95threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 042D8C90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|