Edit tour
Windows
Analysis Report
KzHndnydSG.dll
Overview
General Information
| Sample name: | KzHndnydSG.dllrenamed because original name is a hash value |
| Original sample name: | 5144ec5b8e4375671dd921a235f83dbe1620c50091bd6c9f91eb0cf362ea7c7f.exe |
| Analysis ID: | 1568429 |
| MD5: | 6af2398f4f0239a8fc1d7e64bf0b3be3 |
| SHA1: | b9af7cc99389dcee4157d095b6479cbe4c3670fe |
| SHA256: | 5144ec5b8e4375671dd921a235f83dbe1620c50091bd6c9f91eb0cf362ea7c7f |
| Tags: | 185-216-71-202exeuser-JAMESWT_MHT |
| Infos: |  |
 | |
Detection
CobaltStrike
| Score: | 92 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file does not import any functions
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
loaddll64.exe (PID: 7748 cmdline: loaddll64. exe "C:\Us ers\user\D esktop\KzH ndnydSG.dl l" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52) 
conhost.exe (PID: 7756 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 7800 cmdline:
cmd.exe /C rundll32. exe "C:\Us ers\user\D esktop\KzH ndnydSG.dl l",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) 
rundll32.exe (PID: 7824 cmdline: rundll32.e xe "C:\Use rs\user\De sktop\KzHn dnydSG.dll ",#1 MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 7808 cmdline:
rundll32.e xe C:\User s\user\Des ktop\KzHnd nydSG.dll, D3DAssembl e MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 7932 cmdline:
rundll32.e xe C:\User s\user\Des ktop\KzHnd nydSG.dll, D3DCompile MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 7964 cmdline:
rundll32.e xe C:\User s\user\Des ktop\KzHnd nydSG.dll, D3DCompile 2 MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 7560 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\KzHn dnydSG.dll ",D3DAssem ble MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 3820 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\KzHn dnydSG.dll ",D3DCompi le MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 1852 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\KzHn dnydSG.dll ",D3DCompi le2 MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 1968 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\KzHn dnydSG.dll ",IEX MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 4344 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\KzHn dnydSG.dll ",DebugSet Mute MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 4348 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\KzHn dnydSG.dll ",D3DWrite BlobToFile MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 4240 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\KzHn dnydSG.dll ",D3DStrip Shader MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 4244 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\KzHn dnydSG.dll ",D3DSetBl obPart MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 3420 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\KzHn dnydSG.dll ",D3DRetur nFailure1 MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 6916 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\KzHn dnydSG.dll ",D3DRefle ctLibrary MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 5936 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\KzHn dnydSG.dll ",D3DRefle ct MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 7140 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\KzHn dnydSG.dll ",D3DReadF ileToBlob MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 7536 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\KzHn dnydSG.dll ",D3DPrepr ocess MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 6524 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\KzHn dnydSG.dll ",D3DLoadM odule MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 744 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\KzHn dnydSG.dll ",D3DGetTr aceInstruc tionOffset s MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 4780 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\KzHn dnydSG.dll ",D3DGetOu tputSignat ureBlob MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 6256 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\KzHn dnydSG.dll ",D3DGetIn putSignatu reBlob MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 7000 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\KzHn dnydSG.dll ",D3DGetIn putAndOutp utSignatur eBlob MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 7644 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\KzHn dnydSG.dll ",D3DGetDe bugInfo MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 5580 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\KzHn dnydSG.dll ",D3DGetBl obPart MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 2156 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\KzHn dnydSG.dll ",D3DDisas sembleRegi on MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 6532 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\KzHn dnydSG.dll ",D3DDisas semble11Tr ace MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 6616 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\KzHn dnydSG.dll ",D3DDisas semble10Ef fect MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 7672 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\KzHn dnydSG.dll ",D3DDisas semble MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 7876 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\KzHn dnydSG.dll ",D3DDecom pressShade rs MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 764 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\KzHn dnydSG.dll ",D3DCreat eLinker MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 7864 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\KzHn dnydSG.dll ",D3DCreat eFunctionL inkingGrap h MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 7860 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\KzHn dnydSG.dll ",D3DCreat eBlob MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 7868 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\KzHn dnydSG.dll ",D3DCompr essShaders MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 3276 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\KzHn dnydSG.dll ",D3DCompi leFromFile MD5: EF3179D498793BF4234F708D3BE28633)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Cobalt Strike, CobaltStrike | Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable. |
{"BeaconType": ["HTTPS"], "Port": 443, "SleepTime": 18500, "MaxGetSize": 2140839, "Jitter": 35, "C2Server": "185.216.71.202,/broadcast", "HttpPostUri": "/1/events/com.amazon.csm.csa.prod", "Malleable_C2_Instructions": ["Remove 1308 bytes from the end", "Remove 1 bytes from the end", "Remove 194 bytes from the beginning", "Base64 decode"], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\wermgr.exe", "Spawnto_x64": "%windir%\\sysnative\\wermgr.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 12345, "bStageCleanup": "True", "bCFGCaution": "True", "KillDate": 0, "bProcInject_StartRWX": "False", "bProcInject_UseRWX": "False", "bProcInject_MinAllocSize": 24576, "ProcInject_PrependAppend_x86": ["REBLQ0xIkGaQDx8AZg8fBAAPHwQADx8ADx8A", "Empty"], "ProcInject_PrependAppend_x64": ["REBLQ0xIkGaQDx8AZg8fBAAPHwQADx8ADx8A", "Empty"], "ProcInject_Execute": ["ntdll.dll:RtlUserThreadStart", "SetThreadContext", "NtQueueApcThread-s", "kernel32.dll:LoadLibraryA", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "NtMapViewOfSection", "bUsesCookies": "False", "HostHeader": ""}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security | ||
| JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security | ||
| JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security | ||
| JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security | ||
| JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security | ||
| Click to see the 14 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CobaltStrike_2 | Yara detected CobaltStrike | Joe Security | ||
| JoeSecurity_CobaltStrike_4 | Yara detected CobaltStrike | Joe Security | ||
| JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security | ||
| JoeSecurity_CobaltStrike_2 | Yara detected CobaltStrike | Joe Security | ||
| JoeSecurity_CobaltStrike_4 | Yara detected CobaltStrike | Joe Security | ||
| Click to see the 10 entries | ||||
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-04T16:18:11.371997+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49824 | 185.216.71.202 | 443 | TCP |
| 2024-12-04T16:18:40.107699+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49843 | 185.216.71.202 | 443 | TCP |
| 2024-12-04T16:19:11.124435+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49873 | 185.216.71.202 | 443 | TCP |
| 2024-12-04T16:19:41.497897+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49901 | 185.216.71.202 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Static PE information: | ||
Networking | |
|---|
| Source: | URLs: | ||
| Source: | ASN Name: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Code function: | 11_2_00007FF8E7D9F9C5 | |
| Source: | Code function: | 3_3_0000021A8507AC60 | |
| Source: | Code function: | 3_3_0000021A85049680 | |
| Source: | Code function: | 3_3_0000021A8507B544 | |
| Source: | Code function: | 3_3_0000021A85079F34 | |
| Source: | Code function: | 3_3_0000021A85088750 | |
| Source: | Code function: | 3_3_0000021A8507F9E4 | |
| Source: | Code function: | 3_3_0000021A8505B1F4 | |
| Source: | Code function: | 3_3_0000021A85084AA8 | |
| Source: | Code function: | 3_3_0000021A85085900 | |
| Source: | Code function: | 3_3_0000021A8504916C | |
| Source: | Code function: | 3_2_0000021A8512CB5C | |
| Source: | Code function: | 3_2_0000021A851373D0 | |
| Source: | Code function: | 3_2_0000021A851305E4 | |
| Source: | Code function: | 3_2_0000021A85137D40 | |
| Source: | Code function: | 3_2_0000021A85129D70 | |
| Source: | Code function: | 3_2_0000021A8512B860 | |
| Source: | Code function: | 3_2_0000021A8512BFCC | |
| Source: | Code function: | 4_3_000001D38B844AA8 | |
| Source: | Code function: | 4_3_000001D38B81B1F4 | |
| Source: | Code function: | 4_3_000001D38B83F9E4 | |
| Source: | Code function: | 4_3_000001D38B845900 | |
| Source: | Code function: | 4_3_000001D38B80916C | |
| Source: | Code function: | 4_3_000001D38B839F34 | |
| Source: | Code function: | 4_3_000001D38B848750 | |
| Source: | Code function: | 4_3_000001D38B809680 | |
| Source: | Code function: | 4_3_000001D38B83B544 | |
| Source: | Code function: | 4_3_000001D38B83AC60 | |
| Source: | Code function: | 4_2_000001D38B8CCB5C | |
| Source: | Code function: | 4_2_000001D38B8CB860 | |
| Source: | Code function: | 4_2_000001D38B8CBFCC | |
| Source: | Code function: | 4_2_000001D38B8D05E4 | |
| Source: | Code function: | 4_2_000001D38B8D7D40 | |
| Source: | Code function: | 4_2_000001D38B8C9D70 | |
| Source: | Code function: | 4_2_000001D38B8D73D0 | |
| Source: | Code function: | 6_2_0000021A31BBB860 | |
| Source: | Code function: | 6_2_0000021A31BBBFCC | |
| Source: | Code function: | 6_2_0000021A31BBCB5C | |
| Source: | Code function: | 6_2_0000021A31BB9D70 | |
| Source: | Code function: | 7_2_000002220BBAB860 | |
| Source: | Code function: | 7_2_000002220BBABFCC | |
| Source: | Code function: | 7_2_000002220BBA9D70 | |
| Source: | Code function: | 7_2_000002220BBACB5C | |
| Source: | Code function: | 11_2_00007FF8E7D9F9C5 | |
| Source: | Code function: | 11_2_00007FF8E7DAAF2D | |
| Source: | Code function: | 11_2_00007FF8E7D7EBDF | |
| Source: | Code function: | 11_2_00007FF8E7DAD4F4 | |
| Source: | Code function: | 11_2_00007FF8E7DA52E8 | |
| Source: | Code function: | 11_2_00007FF8E7DAE1E8 | |
| Source: | Code function: | 11_2_00007FF8E7DC31C0 | |
| Source: | Code function: | 11_2_00007FF8E7DAD9D2 | |
| Source: | Code function: | 11_2_00007FF8E7D853CE | |
| Source: | Code function: | 11_2_00007FF8E7D764CC | |
| Source: | Code function: | 11_2_00007FF8E7D788D2 | |
| Source: | Code function: | 11_2_00007FF8E7DAB8A7 | |
| Source: | Code function: | 11_2_00007FF8E7D96FB5 | |
| Source: | Code function: | 11_2_00007FF8E7D752B3 | |
| Source: | Code function: | 11_2_00007FF8E7D7A87D | |
| Source: | Code function: | 11_2_00007FF8E7DAC280 | |
| Source: | Code function: | 11_2_00007FF8E7DB477C | |
| Source: | Code function: | 11_2_00007FF8E7D7B38D | |
| Source: | Code function: | 11_2_00007FF8E7D73C5D | |
| Source: | Code function: | 11_2_00007FF8E7D94A5B | |
| Source: | Code function: | 11_2_00007FF8E7D7146E | |
| Source: | Code function: | 11_2_00007FF8E7D7876C | |
| Source: | Code function: | 11_2_00007FF8E7DB1D75 | |
| Source: | Code function: | 11_2_00007FF8E7D84973 | |
| Source: | Code function: | 11_2_00007FF8E7DAC63D | |
| Source: | Code function: | 11_2_00007FF8E7DAD149 | |
| Source: | Code function: | 11_2_00007FF8E7D75452 | |
| Source: | Code function: | 11_2_00007FF8E7D8EA27 | |
| Source: | Code function: | 11_2_00007FF8E7D99902 | |
| Source: | Code function: | 11_2_00007FF8E7DAC4F8 | |
| Source: | Code function: | 11_2_00007FF8E7DADB17 | |
| Source: | Code function: | 11_2_00007FF8E7DAC008 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Classification label: | ||
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | ReversingLabs: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 3_2_0000021A850FA35E | |
| Source: | Code function: | 3_2_0000021A8513252F | |
| Source: | Code function: | 3_2_0000021A850FBD59 | |
| Source: | Code function: | 3_2_0000021A8513A5DD | |
| Source: | Code function: | 3_2_0000021A850FA71F | |
| Source: | Code function: | 4_2_000001D38B89A35E | |
| Source: | Code function: | 4_2_000001D38B89A71F | |
| Source: | Code function: | 4_2_000001D38B8DA5DD | |
| Source: | Code function: | 4_2_000001D38B8D252F | |
| Source: | Code function: | 4_2_000001D38B89BD59 | |
| Source: | Code function: | 6_2_0000021A31B8A71F | |
| Source: | Code function: | 6_2_0000021A31B8A35E | |
| Source: | Code function: | 6_2_0000021A31B8BD59 | |
| Source: | Code function: | 7_2_000002220BB7A71F | |
| Source: | Code function: | 7_2_000002220BB7BD59 | |
| Source: | Code function: | 7_2_000002220BB7A35E | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Last function: | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Memory allocated: | Jump to behavior | ||
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | NtClose: | |||
| Source: | NtDeviceIoControlFile: | Jump to behavior | ||
| Source: | NtProtectVirtualMemory: | Jump to behavior | ||
| Source: | NtDeviceIoControlFile: | Jump to behavior | ||
| Source: | NtAllocateVirtualMemory: | Jump to behavior | ||
| Source: | NtProtectVirtualMemory: | Jump to behavior | ||
| Source: | NtCreateThreadEx: | Jump to behavior | ||
| Source: | NtSetSecurityObject: | Jump to behavior | ||
| Source: | NtAllocateVirtualMemory: | Jump to behavior | ||
| Source: | NtAllocateVirtualMemory: | Jump to behavior | ||
| Source: | NtQuerySystemInformation: | Jump to behavior | ||
| Source: | NtProtectVirtualMemory: | Jump to behavior | ||
| Source: | NtQueryVolumeInformationFile: | Jump to behavior | ||
| Source: | NtQueryInformationToken: | Jump to behavior | ||
| Source: | NtQueryInformationToken: | Jump to behavior | ||
| Source: | NtClose: | |||
| Source: | NtProtectVirtualMemory: | Jump to behavior | ||
| Source: | NtUnmapViewOfSection: | Jump to behavior | ||
| Source: | NtDelayExecution: | Jump to behavior | ||
| Source: | NtProtectVirtualMemory: | Jump to behavior | ||
| Source: | NtProtectVirtualMemory: | Jump to behavior | ||
| Source: | NtProtectVirtualMemory: | Jump to behavior | ||
| Source: | NtAllocateVirtualMemory: | Jump to behavior | ||
| Source: | NtAllocateVirtualMemory: | Jump to behavior | ||
| Source: | NtProtectVirtualMemory: | Jump to behavior | ||
| Source: | NtQuerySystemInformation: | Jump to behavior | ||
| Source: | NtAllocateVirtualMemory: | Jump to behavior | ||
| Source: | NtProtectVirtualMemory: | Jump to behavior | ||
| Source: | NtProtectVirtualMemory: | Jump to behavior | ||
| Source: | NtSetInformationThread: | Jump to behavior | ||
| Source: | NtProtectVirtualMemory: | Jump to behavior | ||
| Source: | NtAllocateVirtualMemory: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 3_2_0000021A85107CFC | |
| Source: | Key value queried: | Jump to behavior | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Disable or Modify Tools | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | 12 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Abuse Elevation Control Mechanism | 11 Virtualization/Sandbox Evasion | LSASS Memory | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 11 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 11 Process Injection | Security Account Manager | 1 Account Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Abuse Elevation Control Mechanism | NTDS | 1 System Owner/User Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 2 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Rundll32 | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 47% | ReversingLabs | Win64.Backdoor.Cobeacon |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | high | |
| fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 185.216.71.202 | unknown | Germany | 43659 | CLOUDCOMPUTINGDE | true |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1568429 |
| Start date and time: | 2024-12-04 16:15:49 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 9m 14s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Run name: | Run with higher sleep bypass |
| Number of analysed new started processes analysed: | 43 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | KzHndnydSG.dllrenamed because original name is a hash value |
| Original Sample Name: | 5144ec5b8e4375671dd921a235f83dbe1620c50091bd6c9f91eb0cf362ea7c7f.exe |
| Detection: | MAL |
| Classification: | mal92.troj.evad.winDLL@72/0@0/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): crl.edge.digicert.com, ts-crl.ws.symantec.com, crl-symcprod.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: KzHndnydSG.dll
⊘No simulations
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| s-part-0035.t-0009.t-msedge.net | Get hash | malicious | CobaltStrike | Browse |
| |
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Phemedrone Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| fp2e7a.wpc.phicdn.net | Get hash | malicious | FormBook, GuLoader | Browse |
| |
| Get hash | malicious | AZORult | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | RHADAMANTHYS | Browse |
| ||
| Get hash | malicious | RHADAMANTHYS | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | Strela Downloader | Browse |
| ||
| Get hash | malicious | Stealc | Browse |
| ||
| Get hash | malicious | Credential Flusher | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDCOMPUTINGDE | Get hash | malicious | Mirai, Gafgyt, Okiru | Browse |
| |
| Get hash | malicious | Mirai, Gafgyt, Okiru | Browse |
| ||
| Get hash | malicious | Mirai, Okiru | Browse |
| ||
| Get hash | malicious | Mirai, Gafgyt, Okiru | Browse |
| ||
| Get hash | malicious | Mirai, Gafgyt, Okiru | Browse |
| ||
| Get hash | malicious | Mirai, Gafgyt, Okiru | Browse |
| ||
| Get hash | malicious | Mirai, Gafgyt, Okiru | Browse |
| ||
| Get hash | malicious | Mirai, Gafgyt, Okiru | Browse |
| ||
| Get hash | malicious | RedLine, Xmrig | Browse |
| ||
| Get hash | malicious | XWorm | Browse |
|
⊘No context
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 6.411261737500153 |
| TrID: |
|
| File name: | KzHndnydSG.dll |
| File size: | 1'050'144 bytes |
| MD5: | 6af2398f4f0239a8fc1d7e64bf0b3be3 |
| SHA1: | b9af7cc99389dcee4157d095b6479cbe4c3670fe |
| SHA256: | 5144ec5b8e4375671dd921a235f83dbe1620c50091bd6c9f91eb0cf362ea7c7f |
| SHA512: | 3414921782c6de919255cd50e8468b92e39439dd164bf0251ea175c5c669cd97bbb391cf6bfd0001e8ae02f414a8376d4a55dd450217236c0e9aeed3f5c38884 |
| SSDEEP: | 12288:HIDvCzFdigSVXfIG1gb73dhbWK9WTHtFfpMunHvpKLiT0s+u7oGCF0JFihLt3A+Y:kCF1G1gyauhCiSu7YKkhhZY |
| TLSH: | F1255A76A9F65A2AF0D8A07E1C7B8F6109B43DF44464D1FB03F0203A6AE21505F9DB5B |
| File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....V(e.........." .........8......-........................................`......+/....`........................................ |
 | |
| Icon Hash: | 1a1de1e5e1239e38 |
| Entrypoint: | 0x18003af2d |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x180000000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT |
| Time Stamp: | 0x6528569E [Thu Oct 12 20:27:10 2023 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: |
| Signature Valid: | false |
| Signature Issuer: | CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US |
| Signature Validation Error: | The digital signature of the object did not verify |
| Error Number: | -2146869232 |
| Not Before, Not After |
|
| Subject Chain |
|
| Version: | 3 |
| Thumbprint MD5: | 7F2E08A290C8767AFAFAFFFE09BE1149 |
| Thumbprint SHA-1: | 3B75816D15A6D8F4598E9CF5603F1839EE84D73D |
| Thumbprint SHA-256: | 9D9365087330DF525292796A656A389C13E4F37ADA62693F4A951C0CB1B8B0BC |
| Serial: | 12F0277E0F233B39F9419B06E8CDE352 |
| Instruction |
|---|
| push ebp |
| inc ecx |
| push edi |
| inc ecx |
| push esi |
| inc ecx |
| push ebp |
| inc ecx |
| push esp |
| push esi |
| push edi |
| push ebx |
| dec eax |
| sub esp, 000000F8h |
| dec eax |
| lea ebp, dword ptr [esp+00000080h] |
| mov dword ptr [ebp+5Ch], edx |
| xorps xmm0, xmm0 |
| movups dqword ptr [ebp+3Ch], xmm0 |
| movaps ebp+30h, dqword ptr [xmm0] |
| movaps ebp+20h, dqword ptr [xmm0] |
| movaps ebp+10h, dqword ptr [xmm0] |
| movaps ebp+00h, dqword ptr [xmm0] |
| movaps ebp-10h, dqword ptr [xmm0] |
| movaps ebp-20h, dqword ptr [xmm0] |
| cmp dword ptr [000AB10Bh], 0Ah |
| mov eax, dword ptr [000AB101h] |
| setl cl |
| lea edx, dword ptr [eax+01h] |
| imul edx, eax |
| test dl, 00000001h |
| sete al |
| mov edx, ecx |
| and dl, al |
| mov byte ptr [ebp+77h], dl |
| xor cl, al |
| mov byte ptr [ebp+76h], cl |
| xor eax, eax |
| dec eax |
| lea ecx, dword ptr [0001EBA5h] |
| dec eax |
| arpl word ptr [eax+ecx], dx |
| xor dword ptr [ebp+edx*4-20h], 00001E27h |
| dec eax |
| add eax, 04h |
| dec eax |
| cmp eax, 68h |
| jne 00007F595909E58Ch |
| mov eax, 000008C0h |
| xor ecx, ecx |
| dec eax |
| mov dword ptr [ebp-58h], ecx |
| dec eax |
| lea esi, dword ptr [0001ECFDh] |
| dec eax |
| lea edi, dword ptr [0001ED5Ah] |
| dec esp |
| lea esi, dword ptr [0001ED5Bh] |
| dec esp |
| lea ecx, dword ptr [0001EAF8h] |
| dec esp |
| lea edx, dword ptr [0001EC31h] |
| dec esp |
| lea edi, dword ptr [0001ED36h] |
| dec esp |
| lea ebp, dword ptr [0001ED27h] |
| dec esp |
| lea esp, dword ptr [0001ED18h] |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x509c6 | 0x386 | .text |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe9000 | 0x1b758 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x50d4c | 0x4f8 | .text |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0xfee00 | 0x1820 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x105000 | 0x2c | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x5b5b0 | 0x140 | .text |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x5b104 | 0x5b200 | d943478eebdc6fcb7301e02c5972a6ae | False | 0.34970582561728397 | data | 5.890325051671784 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0x5d000 | 0x8afd8 | 0x87c00 | fd87fa614ce73418aaaef9b097d68526 | False | 0.34015848008747696 | data | 6.1041379360185495 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .sdata | 0xe8000 | 0x30 | 0x200 | f927ec16777b24dc4dfb58c1c73b2751 | False | 0.056640625 | data | 0.41911781941489346 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0xe9000 | 0x1b758 | 0x1b800 | 28bd58503c3e58848ffcef5b44b72905 | False | 0.8856001420454546 | data | 7.577434366625928 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x105000 | 0x2c | 0x200 | dd37af5637020c49f853952bd28448ab | False | 0.10546875 | data | 0.5163459669794561 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xe96e8 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.3445121951219512 |
| RT_ICON | 0xe9d50 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.5067204301075269 |
| RT_ICON | 0xea038 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | English | United States | 0.5676229508196722 |
| RT_ICON | 0xea220 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.625 |
| RT_ICON | 0xea348 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.6284648187633263 |
| RT_ICON | 0xeb1f0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.7766245487364621 |
| RT_ICON | 0xeba98 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.8358294930875576 |
| RT_ICON | 0xec160 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.5939306358381503 |
| RT_ICON | 0xec6c8 | 0x13b8e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9997895570795474 |
| RT_ICON | 0x100258 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5776970954356846 |
| RT_ICON | 0x102800 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.6177298311444653 |
| RT_ICON | 0x1038a8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.6778688524590164 |
| RT_ICON | 0x104230 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.6879432624113475 |
| RT_GROUP_ICON | 0x104698 | 0xbc | data | English | United States | 0.6170212765957447 |
| RT_VERSION | 0xe9340 | 0x3a4 | data | English | United States | 0.45493562231759654 |
| Name | Ordinal | Address |
|---|---|---|
| D3DAssemble | 1 | 0x18003d768 |
| D3DCompile | 2 | 0x18003d9d2 |
| D3DCompile2 | 3 | 0x18003d89b |
| D3DCompileFromFile | 4 | 0x18003c63d |
| D3DCompressShaders | 5 | 0x18003c3c5 |
| D3DCreateBlob | 6 | 0x18003d28e |
| D3DCreateFunctionLinkingGraph | 7 | 0x18003b9ec |
| D3DCreateLinker | 8 | 0x18003cc62 |
| D3DDecompressShaders | 9 | 0x18003c280 |
| D3DDisassemble | 10 | 0x18003d012 |
| D3DDisassemble10Effect | 11 | 0x18003bed1 |
| D3DDisassemble11Trace | 12 | 0x18003c008 |
| D3DDisassembleRegion | 13 | 0x18003c14d |
| D3DGetBlobPart | 14 | 0x18003cedb |
| D3DGetDebugInfo | 15 | 0x18003cb2f |
| D3DGetInputAndOutputSignatureBlob | 16 | 0x18003b8a7 |
| D3DGetInputSignatureBlob | 17 | 0x18003bd9e |
| D3DGetOutputSignatureBlob | 18 | 0x18003bc65 |
| D3DGetTraceInstructionOffsets | 19 | 0x18003bb1f |
| D3DLoadModule | 20 | 0x18003d4f4 |
| D3DPreprocess | 21 | 0x18003d3c1 |
| D3DReadFileToBlob | 22 | 0x18003c9ec |
| D3DReflect | 23 | 0x18003db17 |
| D3DReflectLibrary | 24 | 0x18003c782 |
| D3DReturnFailure1 | 25 | 0x18003c8b5 |
| D3DSetBlobPart | 26 | 0x18003cd95 |
| D3DStripShader | 27 | 0x18003d149 |
| D3DWriteBlobToFile | 28 | 0x18003c4f8 |
| DebugSetMute | 29 | 0x18003d635 |
| IEX | 30 | 0x18003dc5a |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-04T16:18:11.371997+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49824 | 185.216.71.202 | 443 | TCP |
| 2024-12-04T16:18:40.107699+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49843 | 185.216.71.202 | 443 | TCP |
| 2024-12-04T16:19:11.124435+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49873 | 185.216.71.202 | 443 | TCP |
| 2024-12-04T16:19:41.497897+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49901 | 185.216.71.202 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 4, 2024 16:18:06.529167891 CET | 49824 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:18:06.529207945 CET | 443 | 49824 | 185.216.71.202 | 192.168.2.9 |
| Dec 4, 2024 16:18:06.529278040 CET | 49824 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:18:06.537703037 CET | 49824 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:18:06.537718058 CET | 443 | 49824 | 185.216.71.202 | 192.168.2.9 |
| Dec 4, 2024 16:18:11.371926069 CET | 443 | 49824 | 185.216.71.202 | 192.168.2.9 |
| Dec 4, 2024 16:18:11.371997118 CET | 49824 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:18:12.024350882 CET | 49824 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:18:12.024391890 CET | 443 | 49824 | 185.216.71.202 | 192.168.2.9 |
| Dec 4, 2024 16:18:12.033190012 CET | 49828 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:18:12.033252954 CET | 443 | 49828 | 185.216.71.202 | 192.168.2.9 |
| Dec 4, 2024 16:18:12.033318996 CET | 49828 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:18:12.033622026 CET | 49828 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:18:12.033638000 CET | 443 | 49828 | 185.216.71.202 | 192.168.2.9 |
| Dec 4, 2024 16:18:16.979782104 CET | 443 | 49828 | 185.216.71.202 | 192.168.2.9 |
| Dec 4, 2024 16:18:16.980535030 CET | 49828 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:18:17.617750883 CET | 49828 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:18:17.617773056 CET | 443 | 49828 | 185.216.71.202 | 192.168.2.9 |
| Dec 4, 2024 16:18:17.620914936 CET | 49831 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:18:17.620954037 CET | 443 | 49831 | 185.216.71.202 | 192.168.2.9 |
| Dec 4, 2024 16:18:17.621021986 CET | 49831 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:18:17.621114016 CET | 49831 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:18:17.621159077 CET | 443 | 49831 | 185.216.71.202 | 192.168.2.9 |
| Dec 4, 2024 16:18:17.621211052 CET | 49831 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:18:34.587663889 CET | 49843 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:18:34.587712049 CET | 443 | 49843 | 185.216.71.202 | 192.168.2.9 |
| Dec 4, 2024 16:18:34.587785959 CET | 49843 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:18:35.262460947 CET | 49843 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:18:35.262494087 CET | 443 | 49843 | 185.216.71.202 | 192.168.2.9 |
| Dec 4, 2024 16:18:40.107507944 CET | 443 | 49843 | 185.216.71.202 | 192.168.2.9 |
| Dec 4, 2024 16:18:40.107698917 CET | 49843 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:18:40.799866915 CET | 49843 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:18:40.799889088 CET | 443 | 49843 | 185.216.71.202 | 192.168.2.9 |
| Dec 4, 2024 16:18:40.810472012 CET | 49849 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:18:40.810519934 CET | 443 | 49849 | 185.216.71.202 | 192.168.2.9 |
| Dec 4, 2024 16:18:40.810584068 CET | 49849 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:18:40.810920954 CET | 49849 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:18:40.810928106 CET | 443 | 49849 | 185.216.71.202 | 192.168.2.9 |
| Dec 4, 2024 16:18:45.656960964 CET | 443 | 49849 | 185.216.71.202 | 192.168.2.9 |
| Dec 4, 2024 16:18:45.657032013 CET | 49849 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:18:46.300682068 CET | 49849 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:18:46.300724030 CET | 443 | 49849 | 185.216.71.202 | 192.168.2.9 |
| Dec 4, 2024 16:18:46.312330961 CET | 49854 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:18:46.312391996 CET | 443 | 49854 | 185.216.71.202 | 192.168.2.9 |
| Dec 4, 2024 16:18:46.312464952 CET | 49854 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:18:46.312591076 CET | 49854 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:18:46.312635899 CET | 443 | 49854 | 185.216.71.202 | 192.168.2.9 |
| Dec 4, 2024 16:18:46.312685966 CET | 49854 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:19:05.602777958 CET | 49873 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:19:05.602838039 CET | 443 | 49873 | 185.216.71.202 | 192.168.2.9 |
| Dec 4, 2024 16:19:05.602933884 CET | 49873 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:19:06.274463892 CET | 49873 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:19:06.274506092 CET | 443 | 49873 | 185.216.71.202 | 192.168.2.9 |
| Dec 4, 2024 16:19:11.124361992 CET | 443 | 49873 | 185.216.71.202 | 192.168.2.9 |
| Dec 4, 2024 16:19:11.124434948 CET | 49873 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:19:11.806694984 CET | 49873 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:19:11.806734085 CET | 443 | 49873 | 185.216.71.202 | 192.168.2.9 |
| Dec 4, 2024 16:19:11.821742058 CET | 49878 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:19:11.821794987 CET | 443 | 49878 | 185.216.71.202 | 192.168.2.9 |
| Dec 4, 2024 16:19:11.821866989 CET | 49878 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:19:11.822441101 CET | 49878 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:19:11.822453022 CET | 443 | 49878 | 185.216.71.202 | 192.168.2.9 |
| Dec 4, 2024 16:19:16.668773890 CET | 443 | 49878 | 185.216.71.202 | 192.168.2.9 |
| Dec 4, 2024 16:19:16.668909073 CET | 49878 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:19:17.314708948 CET | 49878 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:19:17.314754009 CET | 443 | 49878 | 185.216.71.202 | 192.168.2.9 |
| Dec 4, 2024 16:19:17.326632977 CET | 49884 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:19:17.326680899 CET | 443 | 49884 | 185.216.71.202 | 192.168.2.9 |
| Dec 4, 2024 16:19:17.326805115 CET | 49884 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:19:17.326886892 CET | 49884 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:19:17.326932907 CET | 443 | 49884 | 185.216.71.202 | 192.168.2.9 |
| Dec 4, 2024 16:19:17.327020884 CET | 49884 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:19:36.016300917 CET | 49901 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:19:36.016345978 CET | 443 | 49901 | 185.216.71.202 | 192.168.2.9 |
| Dec 4, 2024 16:19:36.016416073 CET | 49901 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:19:36.680788040 CET | 49901 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:19:36.680818081 CET | 443 | 49901 | 185.216.71.202 | 192.168.2.9 |
| Dec 4, 2024 16:19:41.497802973 CET | 443 | 49901 | 185.216.71.202 | 192.168.2.9 |
| Dec 4, 2024 16:19:41.497896910 CET | 49901 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:19:42.149719000 CET | 49901 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:19:42.149749994 CET | 443 | 49901 | 185.216.71.202 | 192.168.2.9 |
| Dec 4, 2024 16:19:42.158153057 CET | 49906 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:19:42.158195019 CET | 443 | 49906 | 185.216.71.202 | 192.168.2.9 |
| Dec 4, 2024 16:19:42.158277988 CET | 49906 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:19:42.158525944 CET | 49906 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:19:42.158540010 CET | 443 | 49906 | 185.216.71.202 | 192.168.2.9 |
| Dec 4, 2024 16:19:47.012856007 CET | 443 | 49906 | 185.216.71.202 | 192.168.2.9 |
| Dec 4, 2024 16:19:47.013056040 CET | 49906 | 443 | 192.168.2.9 | 185.216.71.202 |
| Dec 4, 2024 16:20:20.322170973 CET | 49906 | 443 | 192.168.2.9 | 185.216.71.202 |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Dec 4, 2024 16:16:34.297009945 CET | 1.1.1.1 | 192.168.2.9 | 0x560c | No error (0) | fp2e7a.wpc.phicdn.net | CNAME (Canonical name) | IN (0x0001) | false | ||
| Dec 4, 2024 16:16:34.297009945 CET | 1.1.1.1 | 192.168.2.9 | 0x560c | No error (0) | 192.229.221.95 | A (IP address) | IN (0x0001) | false | ||
| Dec 4, 2024 16:16:38.069500923 CET | 1.1.1.1 | 192.168.2.9 | 0x11d1 | No error (0) | s-part-0035.t-0009.t-msedge.net | CNAME (Canonical name) | IN (0x0001) | false | ||
| Dec 4, 2024 16:16:38.069500923 CET | 1.1.1.1 | 192.168.2.9 | 0x11d1 | No error (0) | 13.107.246.63 | A (IP address) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
Click to jump to process
| Target ID: | 0 |
| Start time: | 10:16:39 |
| Start date: | 04/12/2024 |
| Path: | C:\Windows\System32\loaddll64.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff694b80000 |
| File size: | 165'888 bytes |
| MD5 hash: | 763455F9DCB24DFEECC2B9D9F8D46D52 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | high |
| Has exited: | false |
| Target ID: | 1 |
| Start time: | 10:16:39 |
| Start date: | 04/12/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff70f010000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | false |
| Target ID: | 2 |
| Start time: | 10:16:39 |
| Start date: | 04/12/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff70fc30000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 10:16:39 |
| Start date: | 04/12/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7d40d0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | high |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 10:16:39 |
| Start date: | 04/12/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7d40d0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | high |
| Has exited: | true |
| Target ID: | 6 |
| Start time: | 10:16:42 |
| Start date: | 04/12/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7d40d0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | high |
| Has exited: | true |
| Target ID: | 7 |
| Start time: | 10:16:45 |
| Start date: | 04/12/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7d40d0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | high |
| Has exited: | true |
| Target ID: | 11 |
| Start time: | 10:17:40 |
| Start date: | 04/12/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7d40d0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | false |
| Target ID: | 12 |
| Start time: | 10:17:40 |
| Start date: | 04/12/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7d40d0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | false |
| Target ID: | 13 |
| Start time: | 10:17:40 |
| Start date: | 04/12/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7d40d0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | false |
| Target ID: | 14 |
| Start time: | 10:17:40 |
| Start date: | 04/12/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7d40d0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | false |
| Target ID: | 15 |
| Start time: | 10:17:40 |
| Start date: | 04/12/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7d40d0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | false |
| Target ID: | 16 |
| Start time: | 10:17:40 |
| Start date: | 04/12/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7d40d0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | false |
| Target ID: | 17 |
| Start time: | 10:17:40 |
| Start date: | 04/12/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7d40d0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | false |
| Target ID: | 18 |
| Start time: | 10:17:40 |
| Start date: | 04/12/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7d40d0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | false |
| Target ID: | 19 |
| Start time: | 10:17:40 |
| Start date: | 04/12/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7d40d0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | false |
| Target ID: | 20 |
| Start time: | 10:17:40 |
| Start date: | 04/12/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7d40d0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | false |
| Target ID: | 21 |
| Start time: | 10:17:40 |
| Start date: | 04/12/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7d40d0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | false |
| Target ID: | 22 |
| Start time: | 10:17:40 |
| Start date: | 04/12/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7d40d0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | false |
| Target ID: | 23 |
| Start time: | 10:17:40 |
| Start date: | 04/12/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7d40d0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | false |
| Target ID: | 24 |
| Start time: | 10:17:40 |
| Start date: | 04/12/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7d40d0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | false |
| Target ID: | 25 |
| Start time: | 10:17:40 |
| Start date: | 04/12/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7d40d0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | false |
| Target ID: | 26 |
| Start time: | 10:17:40 |
| Start date: | 04/12/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7d40d0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | false |
| Target ID: | 27 |
| Start time: | 10:17:40 |
| Start date: | 04/12/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7d40d0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | false |
| Target ID: | 28 |
| Start time: | 10:17:40 |
| Start date: | 04/12/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7d40d0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | false |
| Target ID: | 29 |
| Start time: | 10:17:40 |
| Start date: | 04/12/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7d40d0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | false |
| Target ID: | 30 |
| Start time: | 10:17:40 |
| Start date: | 04/12/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7d40d0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | false |
| Target ID: | 31 |
| Start time: | 10:17:41 |
| Start date: | 04/12/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7d40d0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | false |
| Target ID: | 32 |
| Start time: | 10:17:41 |
| Start date: | 04/12/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7d40d0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | false |
| Target ID: | 33 |
| Start time: | 10:17:41 |
| Start date: | 04/12/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7d40d0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | false |
| Target ID: | 34 |
| Start time: | 10:17:41 |
| Start date: | 04/12/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7d40d0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | false |
| Target ID: | 35 |
| Start time: | 10:17:42 |
| Start date: | 04/12/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7d40d0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | false |
| Target ID: | 36 |
| Start time: | 10:17:42 |
| Start date: | 04/12/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7d40d0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | false |
| Target ID: | 37 |
| Start time: | 10:17:42 |
| Start date: | 04/12/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7d40d0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | false |
| Target ID: | 38 |
| Start time: | 10:17:42 |
| Start date: | 04/12/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7d40d0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | false |
| Target ID: | 39 |
| Start time: | 10:17:42 |
| Start date: | 04/12/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7d40d0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | false |
| Target ID: | 40 |
| Start time: | 10:17:42 |
| Start date: | 04/12/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7d40d0000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | false |
Execution Graph
| Execution Coverage: | 0.8% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 2.9% |
| Total number of Nodes: | 2000 |
| Total number of Limit Nodes: | 24 |
Graph
Function 0000021A85107CFC Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 187stringCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A8505D107 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000021A8510D0FC Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 110COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A851000A4 Relevance: 4.6, APIs: 3, Instructions: 93networkCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A850FF9C0 Relevance: 1.6, APIs: 1, Instructions: 150networkCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A8512CB5C Relevance: 32.5, APIs: 16, Strings: 2, Instructions: 1030COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A8512BFCC Relevance: 32.5, APIs: 16, Strings: 2, Instructions: 1022COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A851305E4 Relevance: 28.7, APIs: 14, Strings: 2, Instructions: 678COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A8507F9E4 Relevance: 26.7, APIs: 14, Strings: 1, Instructions: 460COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000021A8507B544 Relevance: 25.1, APIs: 13, Strings: 1, Instructions: 594COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000021A8505B1F4 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 564COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000021A85129D70 Relevance: 1.8, APIs: 1, Instructions: 304COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A85137D40 Relevance: .8, Instructions: 783COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A851373D0 Relevance: .8, Instructions: 761COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A85049680 Relevance: .4, Instructions: 404COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000021A8504916C Relevance: .4, Instructions: 367COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000021A8507B3CC Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 260COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000021A85130EEC Relevance: 16.6, APIs: 11, Instructions: 108COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000021A85131CD8 Relevance: 15.1, APIs: 10, Instructions: 93COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A85131B60 Relevance: 15.1, APIs: 10, Instructions: 88COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000021A85139EA0 Relevance: 13.7, APIs: 9, Instructions: 177COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000021A85130504 Relevance: 13.6, APIs: 9, Instructions: 89COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A8512F828 Relevance: 13.6, APIs: 9, Instructions: 71COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000021A85129B34 Relevance: 12.6, APIs: 10, Instructions: 116COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A850F460C Relevance: 11.6, APIs: 9, Instructions: 305COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000021A8507B198 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000021A85139D20 Relevance: 10.6, APIs: 7, Instructions: 108COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A851299D8 Relevance: 10.6, APIs: 7, Instructions: 107COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A85134818 Relevance: 10.6, APIs: 7, Instructions: 78COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000021A8512A6D0 Relevance: 9.3, APIs: 6, Instructions: 257COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A85102854 Relevance: 9.2, APIs: 6, Instructions: 202COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000021A8512A1E8 Relevance: 9.1, APIs: 6, Instructions: 94COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A85101080 Relevance: 9.1, APIs: 6, Instructions: 85COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000021A850F4170 Relevance: 8.9, APIs: 7, Instructions: 181COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000021A850FCB50 Relevance: 7.8, APIs: 6, Instructions: 344COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000021A85134424 Relevance: 7.7, APIs: 5, Instructions: 201COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A850F54F0 Relevance: 7.7, APIs: 6, Instructions: 175COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A8512BD98 Relevance: 7.6, APIs: 5, Instructions: 149COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A8510CF00 Relevance: 7.6, APIs: 6, Instructions: 146COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A851346C8 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000021A851268D4 Relevance: 6.5, APIs: 5, Instructions: 219COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000021A851292BC Relevance: 6.3, APIs: 5, Instructions: 96COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000021A8512A1F4 Relevance: 6.2, APIs: 4, Instructions: 194COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000021A850F10D0 Relevance: 6.1, APIs: 4, Instructions: 90COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A85139728 Relevance: 6.1, APIs: 4, Instructions: 84stringCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000021A850570FC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000021A8510B940 Relevance: 5.3, APIs: 4, Instructions: 321COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A85129924 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A850812F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000021A85078D24 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000021A850FFBEC Relevance: 5.2, APIs: 4, Instructions: 221COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A850F4300 Relevance: 5.2, APIs: 4, Instructions: 179COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0000021A85127594 Relevance: 5.1, APIs: 4, Instructions: 111COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A85127D04 Relevance: 5.1, APIs: 4, Instructions: 84stringCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 1.1% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 2000 |
| Total number of Limit Nodes: | 24 |
Graph
Function 000001D38B8A7CFC Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 187stringCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000001D38B81D107 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 000001D38B8AD0FC Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 110COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000001D38B8A00A4 Relevance: 4.6, APIs: 3, Instructions: 93networkCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000001D38B89F9C0 Relevance: 1.6, APIs: 1, Instructions: 150networkCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000001D38B83F9E4 Relevance: 26.7, APIs: 14, Strings: 1, Instructions: 460COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 000001D38B83B3CC Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 260COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 000001D38B8D0EEC Relevance: 16.6, APIs: 11, Instructions: 108COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 000001D38B8D1CD8 Relevance: 15.1, APIs: 10, Instructions: 93COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000001D38B8D1B60 Relevance: 15.1, APIs: 10, Instructions: 88COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 000001D38B8D9EA0 Relevance: 13.7, APIs: 9, Instructions: 177COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 000001D38B8D0504 Relevance: 13.6, APIs: 9, Instructions: 89COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000001D38B8CF828 Relevance: 13.6, APIs: 9, Instructions: 71COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 000001D38B8C9B34 Relevance: 12.6, APIs: 10, Instructions: 116COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000001D38B89460C Relevance: 11.6, APIs: 9, Instructions: 305COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 000001D38B83B198 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 000001D38B8D9D20 Relevance: 10.6, APIs: 7, Instructions: 108COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000001D38B8C99D8 Relevance: 10.6, APIs: 7, Instructions: 107COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000001D38B8D4818 Relevance: 10.6, APIs: 7, Instructions: 78COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 000001D38B8CA6D0 Relevance: 9.3, APIs: 6, Instructions: 257COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000001D38B8A2854 Relevance: 9.2, APIs: 6, Instructions: 202COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 000001D38B8CA1E8 Relevance: 9.1, APIs: 6, Instructions: 94COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000001D38B8A1080 Relevance: 9.1, APIs: 6, Instructions: 85COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 000001D38B894170 Relevance: 8.9, APIs: 7, Instructions: 181COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 000001D38B89CB50 Relevance: 7.8, APIs: 6, Instructions: 344COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 000001D38B8D4424 Relevance: 7.7, APIs: 5, Instructions: 201COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000001D38B8954F0 Relevance: 7.7, APIs: 6, Instructions: 175COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000001D38B8CBD98 Relevance: 7.6, APIs: 5, Instructions: 149COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000001D38B8ACF00 Relevance: 7.6, APIs: 6, Instructions: 146COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000001D38B8D46C8 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 000001D38B8C68D4 Relevance: 6.5, APIs: 5, Instructions: 219COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 000001D38B8C92BC Relevance: 6.3, APIs: 5, Instructions: 96COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 000001D38B8CA1F4 Relevance: 6.2, APIs: 4, Instructions: 194COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 000001D38B8910D0 Relevance: 6.1, APIs: 4, Instructions: 90COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000001D38B8D9728 Relevance: 6.1, APIs: 4, Instructions: 84stringCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 000001D38B8170FC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 000001D38B8AB940 Relevance: 5.3, APIs: 4, Instructions: 321COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000001D38B8C9924 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000001D38B8412F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 000001D38B838D24 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 000001D38B89FBEC Relevance: 5.2, APIs: 4, Instructions: 221COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000001D38B894300 Relevance: 5.2, APIs: 4, Instructions: 179COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 000001D38B8C7594 Relevance: 5.1, APIs: 4, Instructions: 111COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000001D38B8C7D04 Relevance: 5.1, APIs: 4, Instructions: 84stringCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 0.2% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 9 |
| Total number of Limit Nodes: | 2 |
Graph
Function 0000021A31B9D0FC Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 110COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A31BC0EEC Relevance: 16.6, APIs: 11, Instructions: 108COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A31BC1CD8 Relevance: 15.1, APIs: 10, Instructions: 93COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A31BC1B60 Relevance: 15.1, APIs: 10, Instructions: 88COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A31BC0504 Relevance: 13.6, APIs: 9, Instructions: 89COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A31BBF828 Relevance: 13.6, APIs: 9, Instructions: 71COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A31BB9B34 Relevance: 12.6, APIs: 10, Instructions: 116COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A31B8460C Relevance: 11.6, APIs: 9, Instructions: 305COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A31BB99D8 Relevance: 10.6, APIs: 7, Instructions: 107COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A31BC4818 Relevance: 10.6, APIs: 7, Instructions: 78COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A31BBA6D0 Relevance: 9.3, APIs: 6, Instructions: 257COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A31B92854 Relevance: 9.2, APIs: 6, Instructions: 202COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A31BBA1E8 Relevance: 9.1, APIs: 6, Instructions: 94COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A31B91080 Relevance: 9.1, APIs: 6, Instructions: 85COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A31B84170 Relevance: 8.9, APIs: 7, Instructions: 181COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A31B8CB50 Relevance: 7.8, APIs: 6, Instructions: 344COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A31B854F0 Relevance: 7.7, APIs: 6, Instructions: 175COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A31BBBD98 Relevance: 7.6, APIs: 5, Instructions: 149COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A31B9CF00 Relevance: 7.6, APIs: 6, Instructions: 146COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A31BC46C8 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A31BB68D4 Relevance: 6.5, APIs: 5, Instructions: 219COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A31BB92BC Relevance: 6.3, APIs: 5, Instructions: 96COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A31BBA1F4 Relevance: 6.2, APIs: 4, Instructions: 194COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A31B810D0 Relevance: 6.1, APIs: 4, Instructions: 90COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A31BC9728 Relevance: 6.1, APIs: 4, Instructions: 84stringCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A31BB9CB4 Relevance: 6.1, APIs: 4, Instructions: 64COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A31B9B940 Relevance: 5.3, APIs: 4, Instructions: 321COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A31BB9924 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A31B84300 Relevance: 5.2, APIs: 4, Instructions: 179COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A31BB7594 Relevance: 5.1, APIs: 4, Instructions: 111COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0000021A31BB7D04 Relevance: 5.1, APIs: 4, Instructions: 84stringCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000002220BB8D0FC Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 110COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000002220BBB0EEC Relevance: 16.6, APIs: 11, Instructions: 108COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000002220BBB1CD8 Relevance: 15.1, APIs: 10, Instructions: 93COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000002220BBB1B60 Relevance: 15.1, APIs: 10, Instructions: 88COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000002220BBB0504 Relevance: 13.6, APIs: 9, Instructions: 89COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000002220BBAF828 Relevance: 13.6, APIs: 9, Instructions: 71COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000002220BBA9B34 Relevance: 12.6, APIs: 10, Instructions: 116COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000002220BB7460C Relevance: 11.6, APIs: 9, Instructions: 305COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000002220BBA99D8 Relevance: 10.6, APIs: 7, Instructions: 107COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000002220BBB4818 Relevance: 10.6, APIs: 7, Instructions: 78COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000002220BBAA6D0 Relevance: 9.3, APIs: 6, Instructions: 257COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000002220BB82854 Relevance: 9.2, APIs: 6, Instructions: 202COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000002220BBAA1E8 Relevance: 9.1, APIs: 6, Instructions: 94COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000002220BB81080 Relevance: 9.1, APIs: 6, Instructions: 85COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000002220BB74170 Relevance: 8.9, APIs: 7, Instructions: 181COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000002220BB7CB50 Relevance: 7.8, APIs: 6, Instructions: 344COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000002220BB754F0 Relevance: 7.7, APIs: 6, Instructions: 175COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000002220BBABD98 Relevance: 7.6, APIs: 5, Instructions: 149COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000002220BB8CF00 Relevance: 7.6, APIs: 6, Instructions: 146COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000002220BBB46C8 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000002220BBA68D4 Relevance: 6.5, APIs: 5, Instructions: 219COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000002220BBA92BC Relevance: 6.3, APIs: 5, Instructions: 96COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000002220BBAA1F4 Relevance: 6.2, APIs: 4, Instructions: 194COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000002220BB710D0 Relevance: 6.1, APIs: 4, Instructions: 90COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000002220BBB9728 Relevance: 6.1, APIs: 4, Instructions: 84stringCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000002220BBA9CB4 Relevance: 6.1, APIs: 4, Instructions: 64COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000002220BB8B940 Relevance: 5.3, APIs: 4, Instructions: 321COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000002220BBA9924 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000002220BB74300 Relevance: 5.2, APIs: 4, Instructions: 179COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000002220BBA7594 Relevance: 5.1, APIs: 4, Instructions: 111COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000002220BBA7D04 Relevance: 5.1, APIs: 4, Instructions: 84stringCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Callgraph
Function 00007FF8E7D9F9C5 Relevance: 22.4, APIs: 2, Strings: 8, Instructions: 4854nativeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|