Windows
Analysis Report
6q0LW5Szsb.dll
Overview
General Information
Sample name: | 6q0LW5Szsb.dll (renamed because original name is a hash value) |
Original sample name: | 0728C17205BDE428AF3D9933EB367B88.dll |
Analysis ID: | 1502150 |
MD5: | 0728c17205bde428af3d9933eb367b88 |
SHA1: | c0b7bc01abb8352c3f4227c2af5a2510195058eb |
SHA256: | c24387cd9dd49c18e111bb6ef9d28e247b8bcca0dc9c54e550f2d596e9a82cb5 |
Tags: | dll, Gh0stRAT |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- loaddll32.exe (PID: 5232 cmdline: loaddll32.exe "C:\Users\user\Desktop\6q0LW5Szsb.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
  - conhost.exe (PID: 5568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - cmd.exe (PID: 3168 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6q0LW5Szsb.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - rundll32.exe (PID: 3604 cmdline: rundll32.exe "C:\Users\user\Desktop\6q0LW5Szsb.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
  - rundll32.exe (PID: 2260 cmdline: rundll32.exe C:\Users\user\Desktop\6q0LW5Szsb.dll,CanUnloadNow MD5: 889B99C52A60DD49227C5E485A016679)
  - rundll32.exe (PID: 6572 cmdline: rundll32.exe C:\Users\user\Desktop\6q0LW5Szsb.dll,DarkAngle MD5: 889B99C52A60DD49227C5E485A016679)
    - WerFault.exe (PID: 7024 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6572 -s 720 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  - rundll32.exe (PID: 4924 cmdline: rundll32.exe C:\Users\user\Desktop\6q0LW5Szsb.dll,GetClassObject MD5: 889B99C52A60DD49227C5E485A016679)
  - rundll32.exe (PID: 6884 cmdline: rundll32.exe "C:\Users\user\Desktop\6q0LW5Szsb.dll",CanUnloadNow MD5: 889B99C52A60DD49227C5E485A016679)
  - rundll32.exe (PID: 5856 cmdline: rundll32.exe "C:\Users\user\Desktop\6q0LW5Szsb.dll",DarkAngle MD5: 889B99C52A60DD49227C5E485A016679)
    - WerFault.exe (PID: 3980 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5856 -s 724 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  - rundll32.exe (PID: 3368 cmdline: rundll32.exe "C:\Users\user\Desktop\6q0LW5Szsb.dll",GetClassObject MD5: 889B99C52A60DD49227C5E485A016679)
  - rundll32.exe (PID: 5664 cmdline: rundll32.exe "C:\Users\user\Desktop\6q0LW5Szsb.dll",UnregisterServer MD5: 889B99C52A60DD49227C5E485A016679)
  - rundll32.exe (PID: 2504 cmdline: rundll32.exe "C:\Users\user\Desktop\6q0LW5Szsb.dll",RegisterServer MD5: 889B99C52A60DD49227C5E485A016679)
- svchost.exe (PID: 3368 cmdline: C:\Windows\SysWOW64\svchost.exe -k imgsvc MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
- svchost.exe (PID: 3608 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  - WerFault.exe (PID: 2008 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6572 -ip 6572 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  - WerFault.exe (PID: 6996 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5856 -ip 5856 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  - WerFault.exe (PID: 1620 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3228 -ip 3228 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  - WerFault.exe (PID: 1004 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1712 -ip 1712 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- svchost.exe (PID: 1904 cmdline: C:\Windows\SysWOW64\svchost.exe -k imgsvc MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
- cleanup
{"C2 url": "115.230.124.27"}
Rule | Description | Author
---|---|---
JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
INDICATOR_SUSPICIOUS_EXE_RegKeyComb_RDP | Detects executables embedding registry key / value combination manipulating RDP / Terminal Services | ditekSHen
gh0st | unknown | https://github.com/jackcr/
GhostDragon_Gh0stRAT | Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report | Florian Roth
System Summary
Author: vburov
Suricata IDS alerts

Timestamp | SID | Severity | Source Port | Destination Port | Protocol | Classtype
---|---|---|---|---|---|---
2024-08-31T08:32:45.072145+0200 | 2013214 | 1 | 62548 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:32:45.072145+0200 | 2016922 | 1 | 62548 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:32:45.072145+0200 | 2021716 | 1 | 62548 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:33:20.007832+0200 | 2013214 | 1 | 62556 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:33:20.007832+0200 | 2016922 | 1 | 62556 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:33:20.007832+0200 | 2021716 | 1 | 62556 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:32:08.828342+0200 | 2013214 | 1 | 49737 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:32:08.828342+0200 | 2016922 | 1 | 49737 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:32:08.828342+0200 | 2021716 | 1 | 49737 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:32:19.104194+0200 | 2013214 | 1 | 62537 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:32:19.104194+0200 | 2016922 | 1 | 62537 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:32:19.104194+0200 | 2021716 | 1 | 62537 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:32:49.787185+0200 | 2013214 | 1 | 62549 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:32:49.787185+0200 | 2016922 | 1 | 62549 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:32:49.787185+0200 | 2021716 | 1 | 62549 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:32:29.411116+0200 | 2013214 | 1 | 62543 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:32:29.411116+0200 | 2016922 | 1 | 62543 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:32:29.411116+0200 | 2021716 | 1 | 62543 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:34:02.900555+0200 | 2013214 | 1 | 62562 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:34:02.900555+0200 | 2016922 | 1 | 62562 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:34:02.900555+0200 | 2021716 | 1 | 62562 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:33:42.235407+0200 | 2013214 | 1 | 62560 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:33:42.235407+0200 | 2016922 | 1 | 62560 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:33:42.235407+0200 | 2021716 | 1 | 62560 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:31:58.559842+0200 | 2013214 | 1 | 49730 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:31:58.559842+0200 | 2016922 | 1 | 49730 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:31:58.559842+0200 | 2021716 | 1 | 49730 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:33:52.496650+0200 | 2013214 | 1 | 62561 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:33:52.496650+0200 | 2016922 | 1 | 62561 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:33:52.496650+0200 | 2021716 | 1 | 62561 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:33:09.738414+0200 | 2013214 | 1 | 62555 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:33:09.738414+0200 | 2016922 | 1 | 62555 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:33:09.738414+0200 | 2021716 | 1 | 62555 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:32:38.498327+0200 | 2013214 | 1 | 62547 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:32:38.498327+0200 | 2016922 | 1 | 62547 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:32:38.498327+0200 | 2021716 | 1 | 62547 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:33:31.967008+0200 | 2013214 | 1 | 62559 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:33:31.967008+0200 | 2016922 | 1 | 62559 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:33:31.967008+0200 | 2021716 | 1 | 62559 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:32:53.200037+0200 | 2013214 | 1 | 62551 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:32:53.200037+0200 | 2016922 | 1 | 62551 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:32:53.200037+0200 | 2021716 | 1 | 62551 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:32:59.464269+0200 | 2013214 | 1 | 62554 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:32:59.464269+0200 | 2016922 | 1 | 62554 | 9026 | TCP | Malware Command and Control Activity Detected
2024-08-31T08:32:59.464269+0200 | 2021716 | 1 | 62554 | 9026 | TCP | Malware Command and Control Activity Detected
AV Detection
- Avira (2 entries)
- Malware Configuration Extractor
- ReversingLabs
- Virustotal
- Integrated Neural Analysis Model
- Joe Sandbox ML (2 entries)
- Static PE information
Networking
- Suricata IDS (45 entries)
- Network Connect
- URLs
- TCP traffic
- ASN Name
- TCP traffic detected without corresponding DNS query (50 entries)
- Code function: 7_2_10008800
- String found in binary or memory (3 entries)
- Code function: 7_2_1000DA60 (2 entries), 28_2_1000DA60
- Code function: 7_2_1000DB20
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Code function: | 7_2_10009F00 |
Source: | Code function: | 7_2_1000FC60 | |
Source: | Code function: | 28_2_1000FC60 |
Source: | Code function: | 7_2_10017800 | |
Source: | Code function: | 7_2_10018450 | |
Source: | Code function: | 7_2_10019490 | |
Source: | Code function: | 7_2_1001609D | |
Source: | Code function: | 7_2_100030E0 | |
Source: | Code function: | 7_2_10014140 | |
Source: | Code function: | 7_2_10009160 | |
Source: | Code function: | 7_2_10017D80 | |
Source: | Code function: | 7_2_10015E4E | |
Source: | Code function: | 7_2_10016720 | |
Source: | Code function: | 28_2_10017800 | |
Source: | Code function: | 28_2_10018450 | |
Source: | Code function: | 28_2_10019490 | |
Source: | Code function: | 28_2_1001609D | |
Source: | Code function: | 28_2_100030E0 | |
Source: | Code function: | 28_2_10014140 | |
Source: | Code function: | 28_2_10009160 | |
Source: | Code function: | 28_2_10017D80 | |
Source: | Code function: | 28_2_10015E4E | |
Source: | Code function: | 28_2_10016720 |
Source: | Process created: |
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Classification label: |
Source: | Code function: | 7_2_10012880 | |
Source: | Code function: | 28_2_10012880 |
Source: | Code function: | 7_2_100126F0 | |
Source: | Code function: | 28_2_100126F0 |
Source: | Code function: | 28_2_1000A050 |
Source: | Code function: | 7_2_100126F0 |
Source: | File created: | Jump to behavior |
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | Process created: |
Source: | ReversingLabs: | ||
Source: | Virustotal: |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Static file information: |
Source: | Code function: | 7_2_10012C40 |
Source: | Code function: | 7_2_100198BE | |
Source: | Code function: | 28_2_100198BE | |
Source: | Code function: | 28_2_1001C339 |
Source: | File created: | Jump to dropped file |
Source: | Code function: | 7_2_10012840 |
Source: | Code function: | 7_2_10007CB0 |
Source: | Code function: | 7_2_10013930 |
Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion |
---|
Source: | Stalling execution: | graph_28-5697 |
Source: | Window / User API: | Jump to behavior |
Source: | Decision node followed by non-executed suspicious API: | graph_7-5728 |
Source: | Dropped PE file which has not been started: | Jump to dropped file |
Source: | Evasive API call chain: | graph_28-5915 |
Source: | API coverage: |
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior |
Source: | Last function: | ||
Source: | Code function: | 28_2_10011CB0 |
Source: | Thread delayed: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Process information queried: | Jump to behavior |
Source: | Process queried: | Jump to behavior | ||
Source: | Code function: | 7_2_100124A0 |
Source: | Code function: | 7_2_1000D6E0 |
Source: | Code function: | 7_2_10012C40 |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Network Connect: | Jump to behavior |
Source: | Code function: | 7_2_1000D880 |
Source: | Process created: | Jump to behavior | ||
Source: | Code function: | 7_2_1000B310 |
Source: | Code function: | 7_2_100044F0 |
Source: | Binary or memory string: | ||
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | Code function: | 7_2_10008740 | |
Source: | Code function: | 7_2_10008B80 | |
Source: | Code function: | 28_2_10008740 | |
Source: | Code function: | 28_2_10008B80 |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | OS Credential Dumping | 1 Account Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
Credentials | Domains | Default Accounts | 12 Service Execution | 12 Windows Service | 1 Access Token Manipulation | 1 Obfuscated Files or Information | LSASS Memory | 2 System Information Discovery | Remote Desktop Protocol | 3 Clipboard Data | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 12 Windows Service | 1 DLL Side-Loading | Security Account Manager | 21 Security Software Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 111 Process Injection | 11 Masquerading | NTDS | 21 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 21 Virtualization/Sandbox Evasion | LSA Secrets | 2 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Access Token Manipulation | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 111 Process Injection | DCSync | 1 System Owner/User Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Rundll32 | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Indicator Removal | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
97% | ReversingLabs | Win32.Backdoor.Farfli | ||
82% | Virustotal | Browse | ||
100% | Avira | BDS/Farfli.kj.2 | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira | BDS/Farfli.kj.2 | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
2% | Virustotal | Browse | ||
0% | Virustotal | Browse | ||
2% | Virustotal | Browse |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
115.230.124.27 | unknown | China | | 58461 | CT-HANGZHOU-IDCNo288Fu-chunRoadCN | true |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1502150 |
Start date and time: | 2024-08-31 08:31:06 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 2s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 29 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | 6q0LW5Szsb.dll (renamed because original name is a hash value) |
Original Sample Name: | 0728C17205BDE428AF3D9933EB367B88.dll |
Detection: | MAL |
Classification: | mal100.troj.evad.winDLL@43/20@0/1 |
EGA Information: |
HCA Information: |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.189.173.21, 52.168.117.173, 20.42.65.92
- Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
Time | Type | Description |
---|---|---|
02:32:05 | API Interceptor | |
02:32:29 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
115.230.124.27 | Get hash | malicious | GhostRat | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CT-HANGZHOU-IDCNo288Fu-chunRoadCN | Get hash | malicious | GhostRat | Browse |
| Get hash | malicious | GhostRat, Mimikatz | Browse |
| Get hash | malicious | Mirai | Browse |
| Get hash | malicious | Unknown | Browse |
| Get hash | malicious | HTMLPhisher | Browse |
| Get hash | malicious | Phisher | Browse |
| Get hash | malicious | Unknown | Browse |
| Get hash | malicious | Mirai | Browse |
| Get hash | malicious | Unknown | Browse |
| Get hash | malicious | Mirai | Browse |
Process: | C:\Windows\SysWOW64\rundll32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 16384 |
Entropy (8bit): | 3.12931539265142 |
Encrypted: | false |
SSDEEP: | 96:aUDtnBfntQIruSU3z++G4jXKIK7nKHKVKn5K6NKZK7fQKVKn5K6NKZKDB7KlKKKo:aUDLFlrY3zxU++bjVecaXb |
MD5: | 4DF397A8BC405ADB4DC1BD5514160DD6 |
SHA1: | 6D85E8227DE7C795A60B78C8C007036A55718022 |
SHA-256: | 38FC241B43F8ED6FF7F49428893B9C254C6C7DA0D395A16FB78E4CB771A26342 |
SHA-512: | B110EAF85869914FD2106F2A7DEFC5DB301F5E291F3B7824B16ED32992243314FB3F20614820F39D374641CD41F01376D12CE22D8C94F712FE38473DD30068BC |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\rundll32.exe |
File Type: | |
Category: | modified |
Size (bytes): | 15366656 |
Entropy (8bit): | 7.982893184217124 |
Encrypted: | false |
SSDEEP: | 24576:awBxInMvAeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeH:pY |
MD5: | E1A622FCFF75ED2222E3FCB91DE0EBF4 |
SHA1: | B473CBCCD5253A41C5E5F560B946D4A9101C4D1A |
SHA-256: | 9DF0D8877F242B1333FC6616EED4245288015300D0F97DF8A12C42C3785BC389 |
SHA-512: | 2AF015D4F7C20ED740D9F1C5F7BF33EE9B39AEF6889F0D57BAB0F4B50BB97138BE7F4A80ACD8F339DB5E8BD29E9AAA7C0D261FD08C2CC55858F59A1B343EA702 |
Malicious: | true |
Yara Hits: |
Antivirus: |
Preview: |
Process: | C:\Windows\SysWOW64\rundll32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 26 |
Entropy (8bit): | 3.95006375643621 |
Encrypted: | false |
SSDEEP: | 3:ggPYV:rPYV |
MD5: | 187F488E27DB4AF347237FE461A079AD |
SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
Malicious: | true |
Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_5cf5e224613134a37ddf2607be84f14f88d626b_7522e4b5_9ac05968-a9d1-4749-8297-cb651de4856e\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.9061045976973231 |
Encrypted: | false |
SSDEEP: | 192:LLpi3Oc90BU/wjeTKkQzuiFFZ24IO8dci:piec+BU/wjeozuiFFY4IO8dci |
MD5: | 3AC753B1A823D96DE5A5B57848D4604B |
SHA1: | D73B3BAE4F3C4B87E8E7C06DB4ECBC7A63B0CFF6 |
SHA-256: | BA61396806DF8BA907B769ACE61ADBB8574093C33D6EF25B05E12A31DF47FEF0 |
SHA-512: | 4F9B53056E04A0FC47A8E40BC2B91ACC34973DC94469714071E36D2F9B9C3C5E8853921A230CE93B939F41C204E4E60FA3277E4C12D3B4851AE9C01A06801FCF |
Malicious: | false |
Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_5cf5e224613134a37ddf2607be84f14f88d626b_7522e4b5_b61d6f76-aa3b-4130-bbcc-ef02a7e65198\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.9060330173383339 |
Encrypted: | false |
SSDEEP: | 192:EuihOe90BU/wjeTKkQzuiFFZ24IO8dci:Ri4e+BU/wjeozuiFFY4IO8dci |
MD5: | 7DD308BF97378354F727CDC294C7FBAB |
SHA1: | 13982E7657F80CE70379CA95A32FA8D1BF28D8F0 |
SHA-256: | B78C564BE9930294ADF0B35BDBCF1E5C03B418C8FFE6D02524E2E6C7C6823D1F |
SHA-512: | C5C567A3B9DF3171065840F50CEBD1FEDFCC439AD26B9C7B89EA8B53542B54EB6BDF50E5F68396199164AC86BEBEEB5767E4E15C9934918E5CA7D362D61AE8D0 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 79266 |
Entropy (8bit): | 3.0988078399124723 |
Encrypted: | false |
SSDEEP: | 768:sDOID3+gZSsv6UHSZIyIdgpQWGQQ+EjE/QdTTdk6VlI:sNugZSTUaQgOWGQzEjE/eTTdk6VlI |
MD5: | EFEE57153CD78D2D3AD19567638F8093 |
SHA1: | 9EA0BDB9E8FFBE6DD4902426B36C72598726396B |
SHA-256: | E764C8EF26825276D3EE49A2A7BFA00D27B1BD127C02D9D958B5E6B97F746456 |
SHA-512: | 5F065FB48C010802B0B07615B9960BC7BFB7C04BAC114B6951D85B82E12CB564441D23712B26CA250F2C38ECAE5B0F4DECEF47494F02E68D3A258F8374137B00 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 13340 |
Entropy (8bit): | 2.686085685414526 |
Encrypted: | false |
SSDEEP: | 96:TiZYWKabFicgKl1oY7YyHWePHSiQYEZlJ7tHimzIKlFwNQm6raJl9MVFEID63:2ZDKvckcNpqJXnaJl9MVFzD63 |
MD5: | 46C702A31D6AFF12F2CE3EBE8D0B5452 |
SHA1: | EC66A2B4832578936490B8217089176176D081BF |
SHA-256: | 7C7FA4E448674E443CCF346E29E033E6FA01F0883C01DD35333525D8612D1419 |
SHA-512: | 9AA19321F5E1A0EC32C85F5CB17B1052BCFDF53B8BB82F3782E0F5B124FFE9AF2A7BE6CDCD35D150C9CF6AFA5227781F268EBEFF6AA7DB2A81ABABDDCF4A1659 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 79292 |
Entropy (8bit): | 3.0989769950875456 |
Encrypted: | false |
SSDEEP: | 1536:HcKriw+Z0TAUbQSDZVGBFM0X7nBTTdk6V6:HcKriw+Z0TAUbQSDZVGBFM0X7nFTdk60 |
MD5: | FDBF601363E9849D2FFAFFE54B0D024A |
SHA1: | 3B59D8F3C58ABEDEDD895B5F9755539D87269E29 |
SHA-256: | 266D021C78B3B8C89BBD5F0084F16788196B866DA4DACE94B8093922584FD44C |
SHA-512: | 13698528E3AC4212D5A474B0F2FBFD6FBE76035B7C9F4D21A04E4B65DE304D0D0A4A7B8C5E746F158C5089F74A800310CD456509600AB81D0A80091DEB3C274B |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 13340 |
Entropy (8bit): | 2.6856573196626523 |
Encrypted: | false |
SSDEEP: | 96:TiZYWzvM7We9YtOY+WyHSXYEZ/SwtHimIUlZwMDkZaxlDM0F5Im63:2ZDz3CiOQSkwaxlDM0Fmm63 |
MD5: | C19383BB5B6FC60BB6A02A5BC1EA31E9 |
SHA1: | EE617B45C96B4AB7AE4589C5C52774FCD7FC083E |
SHA-256: | 19A69EA7D8FDE9AA4B1B9ACE346A68A5095D2BF9285E606D05DAC2562849C8ED |
SHA-512: | 1A4113254835CCF8C7F81CD6C72309E35C0EF9E4D62827F6AEEABAA10B602F5DD14F8D44E9AD509E6AF6FC296226D643D794FBC7FB3D1345068D1997979500A1 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 44674 |
Entropy (8bit): | 2.0073961573164962 |
Encrypted: | false |
SSDEEP: | 192:+EIwU4gSEZyO5H4LCkDF7x9WQIzoRFWv3I:1TUIEz5H6Cuxx9WQIzoe |
MD5: | D3D87A662A76ABFD34F54512C10FC360 |
SHA1: | 36AECDD464203243BCF7BF1D867828B76369969A |
SHA-256: | 1F6771EB9FEBD6469627CD3984388B95E213F4DDAC132FD11D58A6E390BBB32C |
SHA-512: | 4B263251DF73A7649261855BEF63E2A500498D2265E4FED647EA22D78FC776D48B8D5570C23BDE99F1BD5297A9A98EC974BF71E158907796143318CCDA82553E |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8266 |
Entropy (8bit): | 3.6910885328366456 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJTN6IKw6Yct6GgmfTrcprT89brysflZm:R6lXJ56IKw6Y26GgmfTr9rxfy |
MD5: | 54FCBD72B30DAA39CFD31FEBE19A9BC2 |
SHA1: | C30BF1E4DB59AFF4995B4F2BB722E03A4C07E6D0 |
SHA-256: | 2DFC183378CF17746F1E36A5C1DEBE8BF2482C9C52E2BACFC8248931AFF44C63 |
SHA-512: | EA363AE08A6AD6B335F7FA9E3D6322C4CE62590A2BECD9AA6866CBEC581B2003ACCB14967A6F35C0FE3EC575748E1A70D4DA78C88606A3E85CC9F4A95362EB69 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 82904 |
Entropy (8bit): | 3.095290380930575 |
Encrypted: | false |
SSDEEP: | 768:ntqsFvSaQICTQaDYIAkEh8r0X1d/iTdBQvzZKe72QnYb3HCVgg:ntqiyTQaDhQ8yXgd2vz0e7PYbXCVgg |
MD5: | 44F033BC8BD8B5B9BE65CE8EC6A6C484 |
SHA1: | 47C48105C48E4F3111E4717AE69EDF45EDB44E6E |
SHA-256: | 0644FCB0DEE84391E7D8DE2B90166F168DF85453C1D6E5D102623F9D77657A59 |
SHA-512: | 706B2364B31B0341E9E28EBBC3BEA9F3DD6332FF204EA1BC450153D5D527C25D6DFEBFA78B37C1D596A3E337F9887254B77509D1CADEF4B986D4649A98E285D1 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4654 |
Entropy (8bit): | 4.460332275322351 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsV6Jg77aI9Q7WpW8VYkSYm8M4JCdPqFV+q8/A+WGScStd:uIjfVII7CK7VFbJ9xJ3td |
MD5: | BA25393DBE866B612C9D036981681BDA |
SHA1: | 692518F6A968629322917CA3BE2AF210C208351A |
SHA-256: | 410330BEEE29227D1563E5E92054605F25A75AA9ADF31D90750866682755100A |
SHA-512: | CC60BBE3E13EE1306BB9B2E8C44841F929009AD2BE42AB3856BB75016698A8BA3C57EAD79599D64BC2289EA1CB6A14AA57B0E31A2CA639FBB1998F19F9E825FB |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 13340 |
Entropy (8bit): | 2.6857920331064995 |
Encrypted: | false |
SSDEEP: | 96:TiZYWv+MbVskd2YpYHNWUHpmYEZZMtEi14glowF2IEiAaHlJMGFUIm63:2ZDv+K2OY7CsnMaHlJMGFDm63 |
MD5: | 9A8036D6482E71B88B784C375BBF4996 |
SHA1: | 71FA38DE1BB4BC8F5CE3306F5C5DC6A5C28FCCE7 |
SHA-256: | A3ED0C0ACE50F4FBD16246B630542567BA552E5E7C1453CEA54FF7A55318A2DE |
SHA-512: | A5A1E935544386D9E3BA45C457EBEE98E740E7974BFCDDC053038472B688FD8739AC843DB51642BA845BBB7A58E658488F00AA59D389E0B6D8BFC9868292E815 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 43902 |
Entropy (8bit): | 2.0469730234586154 |
Encrypted: | false |
SSDEEP: | 192:8sRwUygSE1qHoO5H4LCIJkwbtTetZ9C9wLTgAYYlDJ:byUWE1+v5H6CytCtZ9C9UUaJ |
MD5: | E4741C276A224BF90DD9347764271FB2 |
SHA1: | 1A88D7CFC916487FFDD27D96A489BF954F034AA4 |
SHA-256: | 9AA5215E0486CDDA42096D1A54A076A36067FB3CDD06F7D452680325C328190A |
SHA-512: | 8CEFF0F8DF2C47E323E7B112A19705A193A52032003594E96EC0895422E5BF2C5304B8216C1085396F39A246285AA9D0BE43A01842C0D61F4827DCDE6A037B43 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8264 |
Entropy (8bit): | 3.693116197302792 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJzD6I3W6Yci6r2gmfTrcprO89bdWsf1v/m:R6lXJX6I3W6Yp6r2gmfTr+d1f4 |
MD5: | 8C36D903C6BE1AA438164A5CC01ADD7B |
SHA1: | 190D72301D3FF2FF561C7E30CC264F0222DD2D14 |
SHA-256: | 2417475FC78069BB36EFD0E9717ECB2FDE3F2A86EAD22ADF7048953E188AEBBF |
SHA-512: | F5EAB4ABC9D6E9EF71A4AC6F215AA40920F8E4D396496DDF0B94D9BEA92143C5737A87161CC0C9C629131F96B02A31BEDBDBEDFD9E06EF167465DB60BB29168D |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4654 |
Entropy (8bit): | 4.461398494496469 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsV6Jg77aI9Q7WpW8VYkdYm8M4JCdPqFs+q8/A4kGScSnd:uIjfVII7CK7VF8JkwkJ3nd |
MD5: | 551A067B1F61BB8F95D29A1E701E5C02 |
SHA1: | 326AFB4054F4DE232AB685BD976347AF65528F21 |
SHA-256: | 18149EB636925E66CE803BBECAC8D08D045CEA58ED717D66F1B88F7ECEF9A2B9 |
SHA-512: | EE4D4AD375A68BC5B3DE24E99B856DDDD34F8157E3E7D95B6F1A3942C54AA416F32BAB2BCF58F125ACD5A616FBC6507D369C445B128FF7F740A94E8DCCE106B1 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 82916 |
Entropy (8bit): | 3.095364091504676 |
Encrypted: | false |
SSDEEP: | 768:rNokveWLEbUIfqdQ4AkEA870K1dtiTdBa48vKZc47UQnYb3HCL5q:rN5pLKUIfqbh8PXqdBaJvKy47RYbXCtq |
MD5: | E0B471E17F466EA56DA46401D5DDDD24 |
SHA1: | ED28784D939DF1687F250A6B833BD3AFA4E9DA45 |
SHA-256: | 80DEE2F5815A4F7720653378F93436ECA25072CF553A519A3DBEDCF6AFC41922 |
SHA-512: | 4F999752B57118F98DF0D81E19EB5784C47E1312DAE6ACDEC1C72F7E24A740F6BE0DB35DB0D4D1B475C7C94B2CD2477A6CC4ABFF16799E37D954456DEBAFE89D |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 13340 |
Entropy (8bit): | 2.6856132870318707 |
Encrypted: | false |
SSDEEP: | 96:TiZYWaTgT3GYHY3rWbHDYEZqt0tEiIq4ClQvw/tMc3ahlHMMF7IF63:2ZD9Ggq+FahlHMMF0F63 |
MD5: | 746DD7909CBA1E1E34EE21C7F68FBC4E |
SHA1: | C937431EC1221352039D91E8BF50C2F551FBF348 |
SHA-256: | 9059075CFA815F0A8ACE182924A46252FD106E22FE54A87A93C67DF3431E7F79 |
SHA-512: | 23F7677E847DAA514D1EFD30A3ABC5B7C36B47D0A5074C2142A4546E93ECDDD2E57628188C0A9D8B37EB23AA9E8937352BDF30EF3FAF0B0BD9F58CF212F25008 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1835008 |
Entropy (8bit): | 4.469661465775917 |
Encrypted: | false |
SSDEEP: | 6144:AIXfpi67eLPU9skLmb0b4zWSPKaJG8nAgejZMMhA2gX4WABl0uNOdwBCswSbn:FXD94zWlLZMM6YFHM+n |
MD5: | F3C3F74D20B2C94EC4DF66D9F00E3A6F |
SHA1: | EF0DE8C04C9F6447D5997CBD914AC87DF8DC027A |
SHA-256: | 0DD11AC05DF3204E18BF391997B4512BABD31B7BC3DB877426486B58CEDB19B8 |
SHA-512: | 59B197A772AB0A589D6BE65E55C2C30EDBF95A43E41A09E759DEF632F4460ED406D4D44F770B7AF8F6204FE17A03AA5F6C1FCD6E9F6158974F5D80AE9D386111 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 7.974436863909568 |
TrID: | |
File name: | 6q0LW5Szsb.dll |
File size: | 9'277'952 bytes |
MD5: | 0728c17205bde428af3d9933eb367b88 |
SHA1: | c0b7bc01abb8352c3f4227c2af5a2510195058eb |
SHA256: | c24387cd9dd49c18e111bb6ef9d28e247b8bcca0dc9c54e550f2d596e9a82cb5 |
SHA512: | dfc7fe789ee3f404a878b6be42f36ae2ead35f6eafa9e5d848002a6e964572b4307daaeea5ca86abb35eb4416119753ba273dd8a52ed49cb1063af69c30ca509 |
SSDEEP: | 24576:awBxInMvAeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee/:pw |
TLSH: | 5896CF8AEFCA403A5C888A5E6D955E7D30E04C33EDD7564F83BAC192E53893ED2C9C15 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Rep.Rep.Rep.)y|.Vep.=z{.Sep..y~.Qep.=zz.Vep.=zt.Vep..zz.^ep.Req..ep..j-.]ep..z{.Jep..cv.Sep..zt.Sep.RichRep................ |
Icon Hash: | 7ae282899bbab082 |
Entrypoint: | 0x100199ba |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x10000000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL |
DLL Characteristics: | |
Time Stamp: | 0x4ED44AC8 [Tue Nov 29 03:00:24 2011 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 03d93b4f8804305bc99ec1a9ad570642 |
Instruction |
---|
push ebp |
mov ebp, esp |
push ebx |
mov ebx, dword ptr [ebp+08h] |
push esi |
mov esi, dword ptr [ebp+0Ch] |
push edi |
mov edi, dword ptr [ebp+10h] |
test esi, esi |
jne 00007F3EACC8FB5Bh |
cmp dword ptr [10021A98h], 00000000h |
jmp 00007F3EACC8FB78h |
cmp esi, 01h |
je 00007F3EACC8FB57h |
cmp esi, 02h |
jne 00007F3EACC8FB74h |
mov eax, dword ptr [10021AA8h] |
test eax, eax |
je 00007F3EACC8FB5Bh |
push edi |
push esi |
push ebx |
call eax |
test eax, eax |
je 00007F3EACC8FB5Eh |
push edi |
push esi |
push ebx |
call 00007F3EACC8FA6Ah |
test eax, eax |
jne 00007F3EACC8FB56h |
xor eax, eax |
jmp 00007F3EACC8FBA0h |
push edi |
push esi |
push ebx |
call 00007F3EACC89A7Bh |
cmp esi, 01h |
mov dword ptr [ebp+0Ch], eax |
jne 00007F3EACC8FB5Eh |
test eax, eax |
jne 00007F3EACC8FB89h |
push edi |
push eax |
push ebx |
call 00007F3EACC8FA46h |
test esi, esi |
je 00007F3EACC8FB57h |
cmp esi, 03h |
jne 00007F3EACC8FB78h |
push edi |
push esi |
push ebx |
call 00007F3EACC8FA35h |
test eax, eax |
jne 00007F3EACC8FB55h |
and dword ptr [ebp+0Ch], eax |
cmp dword ptr [ebp+0Ch], 00000000h |
je 00007F3EACC8FB63h |
mov eax, dword ptr [10021AA8h] |
test eax, eax |
je 00007F3EACC8FB5Ah |
push edi |
push esi |
push ebx |
call eax |
mov dword ptr [ebp+0Ch], eax |
mov eax, dword ptr [ebp+0Ch] |
pop edi |
pop esi |
pop ebx |
pop ebp |
retn 000Ch |
int3 |
jmp dword ptr [1001B11Ch] |
jmp dword ptr [1001B118h] |
jmp dword ptr [1001B114h] |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
jmp dword ptr [1001B26Ch] |
jmp dword ptr [1001B2B0h] |
jmp dword ptr [1001B2B4h] |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1da60 | 0xa9 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1caf8 | 0xc8 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x22000 | 0x7a8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x23000 | 0x181c | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1b000 | 0x2bc | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x190b0 | 0x19200 | f3c6b8b7e6ea17f2219b2a929986d8c3 | False | 0.4990865982587065 | data | 6.5919885591410905 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x1b000 | 0x2b09 | 0x2c00 | f5dae12ff1c3ec04ec8d2b43f68f417a | False | 0.3515625 | data | 5.056505942594322 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x1e000 | 0x3aac | 0x2e00 | 692d0eba4c2e863cf8633fda024ae263 | False | 0.33203125 | data | 4.700923804804761 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x22000 | 0x7a8 | 0x800 | e8e44ccdf6f04d981af78adce055ce0f | False | 0.43115234375 | data | 4.099246128377401 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x23000 | 0x1c20 | 0x1e00 | 9bfe4feca1ac74e0cb4034cf464bbbb8 | False | 0.6720052083333333 | data | 6.039125545458622 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0x222b8 | 0x4ec | data | Chinese | China | 0.42142857142857143 |
RT_MANIFEST | 0x220a0 | 0x215 | XML 1.0 document, ASCII text, with very long lines (533), with no line terminators | Chinese | China | 0.575984990619137 |
DLL | Import |
---|---|
KERNEL32.dll | Sleep, LoadLibraryA, CloseHandle, GetProcAddress |
USER32.dll | DispatchMessageA, TranslateMessage, GetMessageA, wsprintfA, CharNextA, ExitWindowsEx, GetWindowTextA, MessageBoxA, LoadCursorA, BlockInput, SendMessageA, keybd_event, MapVirtualKeyA, SetCapture, WindowFromPoint, SetCursorPos, mouse_event, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, GetClipboardData, GetSystemMetrics, SetRect, GetDC, GetDesktopWindow, ReleaseDC, DestroyCursor, GetCursorInfo, GetCursorPos, GetWindowThreadProcessId, LoadIconA, RegisterClassA, LoadMenuA, CreateWindowExA, CloseWindow, IsWindow, PostMessageA, OpenDesktopA, GetThreadDesktop, GetUserObjectInformationA, OpenInputDesktop, SetThreadDesktop, CloseDesktop, IsWindowVisible |
GDI32.dll | GetStockObject |
ADVAPI32.dll | OpenProcessToken, RegCloseKey, RegQueryValueExA, RegOpenKeyExA, IsValidSid, LookupAccountNameA, LsaClose, LookupPrivilegeValueA, AdjustTokenPrivileges, StartServiceA, CreateServiceA, LockServiceDatabase, ChangeServiceConfig2A, UnlockServiceDatabase, RegisterServiceCtrlHandlerA, SetServiceStatus, RegOpenKeyA, LsaRetrievePrivateData, GetTokenInformation, LookupAccountSidA, RegSaveKeyA, RegRestoreKeyA, RegDeleteKeyA, RegDeleteValueA, RegEnumValueA, RegQueryInfoKeyA, RegEnumKeyExA, InitializeSecurityDescriptor, AllocateAndInitializeSid, GetLengthSid, InitializeAcl, AddAccessAllowedAce, SetSecurityDescriptorDacl, FreeSid, OpenSCManagerA, OpenServiceA, DeleteService, CloseServiceHandle, OpenEventLogA, ClearEventLogA, CloseEventLog, RegCreateKeyExA, RegSetValueExA, LsaFreeMemory, LsaOpenPolicy |
SHELL32.dll | SHGetSpecialFolderPathA |
MSVCRT.dll | _strrev, _stricmp, malloc, _strnicmp, _adjust_fdiv, _initterm, ??1type_info@@UAE@XZ, calloc, srand, _access, wcstombs, _beginthreadex, _errno, strncmp, strrchr, atoi, _except_handler3, free, _strcmpi, strchr, strncpy, sprintf, rand, _CxxThrowException, strstr, _ftol, ceil, putchar, memmove, __CxxFrameHandler, puts, ??3@YAXPAX@Z, ??2@YAPAXI@Z |
WS2_32.dll | htonl, inet_ntoa, ntohs, getsockname, bind, getpeername, accept, listen, recvfrom, __WSAFDIsSet, WSASocketA, sendto, connect, inet_addr, send, closesocket, select, recv, socket, htons, setsockopt, WSAStartup, WSACleanup, WSAIoctl, gethostbyname |
MSVCP60.dll | ?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ, ?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB, ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z, ?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB, ?_Xran@std@@YAXXZ, ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z, ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z, ?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z, ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z |
WTSAPI32.dll | WTSFreeMemory, WTSQuerySessionInformationA |
Name | Ordinal | Address |
---|---|---|
CanUnloadNow | 1 | 0x10012480 |
DarkAngle | 2 | 0x100124a0 |
GetClassObject | 3 | 0x10012480 |
RegisterServer | 4 | 0x10012480 |
UnregisterServer | 5 | 0x10012480 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Chinese | China |
Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|---|
2024-08-31T08:32:45.072145+0200 | TCP | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 62548 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:32:45.072145+0200 | TCP | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 62548 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:32:45.072145+0200 | TCP | 2021716 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102 | 1 | 62548 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:33:20.007832+0200 | TCP | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 62556 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:33:20.007832+0200 | TCP | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 62556 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:33:20.007832+0200 | TCP | 2021716 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102 | 1 | 62556 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:32:08.828342+0200 | TCP | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 49737 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:32:08.828342+0200 | TCP | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 49737 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:32:08.828342+0200 | TCP | 2021716 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102 | 1 | 49737 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:32:19.104194+0200 | TCP | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 62537 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:32:19.104194+0200 | TCP | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 62537 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:32:19.104194+0200 | TCP | 2021716 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102 | 1 | 62537 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:32:49.787185+0200 | TCP | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 62549 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:32:49.787185+0200 | TCP | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 62549 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:32:49.787185+0200 | TCP | 2021716 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102 | 1 | 62549 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:32:29.411116+0200 | TCP | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 62543 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:32:29.411116+0200 | TCP | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 62543 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:32:29.411116+0200 | TCP | 2021716 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102 | 1 | 62543 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:34:02.900555+0200 | TCP | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 62562 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:34:02.900555+0200 | TCP | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 62562 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:34:02.900555+0200 | TCP | 2021716 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102 | 1 | 62562 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:33:42.235407+0200 | TCP | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 62560 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:33:42.235407+0200 | TCP | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 62560 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:33:42.235407+0200 | TCP | 2021716 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102 | 1 | 62560 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:31:58.559842+0200 | TCP | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 49730 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:31:58.559842+0200 | TCP | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 49730 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:31:58.559842+0200 | TCP | 2021716 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102 | 1 | 49730 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:33:52.496650+0200 | TCP | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 62561 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:33:52.496650+0200 | TCP | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 62561 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:33:52.496650+0200 | TCP | 2021716 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102 | 1 | 62561 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:33:09.738414+0200 | TCP | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 62555 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:33:09.738414+0200 | TCP | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 62555 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:33:09.738414+0200 | TCP | 2021716 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102 | 1 | 62555 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:32:38.498327+0200 | TCP | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 62547 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:32:38.498327+0200 | TCP | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 62547 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:32:38.498327+0200 | TCP | 2021716 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102 | 1 | 62547 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:33:31.967008+0200 | TCP | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 62559 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:33:31.967008+0200 | TCP | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 62559 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:33:31.967008+0200 | TCP | 2021716 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102 | 1 | 62559 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:32:53.200037+0200 | TCP | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 62551 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:32:53.200037+0200 | TCP | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 62551 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:32:53.200037+0200 | TCP | 2021716 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102 | 1 | 62551 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:32:59.464269+0200 | TCP | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 62554 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:32:59.464269+0200 | TCP | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 62554 | 9026 | 192.168.2.4 | 115.230.124.27 |
2024-08-31T08:32:59.464269+0200 | TCP | 2021716 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102 | 1 | 62554 | 9026 | 192.168.2.4 | 115.230.124.27 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Aug 31, 2024 08:31:58.446017027 CEST | 49730 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:31:58.451004982 CEST | 9026 | 49730 | 115.230.124.27 | 192.168.2.4 |
Aug 31, 2024 08:31:58.451164961 CEST | 49730 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:31:58.559842110 CEST | 49730 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:31:58.564675093 CEST | 9026 | 49730 | 115.230.124.27 | 192.168.2.4 |
Aug 31, 2024 08:32:08.728307009 CEST | 49730 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:32:08.730112076 CEST | 49737 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:32:08.735259056 CEST | 9026 | 49737 | 115.230.124.27 | 192.168.2.4 |
Aug 31, 2024 08:32:08.735354900 CEST | 49737 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:32:08.828341961 CEST | 49737 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:32:08.833318949 CEST | 9026 | 49737 | 115.230.124.27 | 192.168.2.4 |
Aug 31, 2024 08:32:18.992126942 CEST | 49737 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:32:18.995527983 CEST | 62537 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:32:19.000343084 CEST | 9026 | 62537 | 115.230.124.27 | 192.168.2.4 |
Aug 31, 2024 08:32:19.000442028 CEST | 62537 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:32:19.104193926 CEST | 62537 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:32:19.109023094 CEST | 9026 | 62537 | 115.230.124.27 | 192.168.2.4 |
Aug 31, 2024 08:32:29.275684118 CEST | 62537 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:32:29.278136969 CEST | 62543 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:32:29.282993078 CEST | 9026 | 62543 | 115.230.124.27 | 192.168.2.4 |
Aug 31, 2024 08:32:29.283082962 CEST | 62543 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:32:29.411115885 CEST | 62543 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:32:29.416141033 CEST | 9026 | 62543 | 115.230.124.27 | 192.168.2.4 |
Aug 31, 2024 08:32:38.384582043 CEST | 62543 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:32:38.385621071 CEST | 62547 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:32:38.392349005 CEST | 9026 | 62547 | 115.230.124.27 | 192.168.2.4 |
Aug 31, 2024 08:32:38.392426968 CEST | 62547 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:32:38.498327017 CEST | 62547 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:32:38.503278971 CEST | 9026 | 62547 | 115.230.124.27 | 192.168.2.4 |
Aug 31, 2024 08:32:44.947073936 CEST | 62547 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:32:44.947798014 CEST | 62548 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:32:44.952723026 CEST | 9026 | 62548 | 115.230.124.27 | 192.168.2.4 |
Aug 31, 2024 08:32:44.952933073 CEST | 62548 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:32:45.072144985 CEST | 62548 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:32:45.077054024 CEST | 9026 | 62548 | 115.230.124.27 | 192.168.2.4 |
Aug 31, 2024 08:32:49.681328058 CEST | 62548 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:32:49.682040930 CEST | 62549 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:32:49.686867952 CEST | 9026 | 62549 | 115.230.124.27 | 192.168.2.4 |
Aug 31, 2024 08:32:49.686959028 CEST | 62549 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:32:49.787184954 CEST | 62549 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:32:49.791985035 CEST | 9026 | 62549 | 115.230.124.27 | 192.168.2.4 |
Aug 31, 2024 08:32:53.087587118 CEST | 62549 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:32:53.088541985 CEST | 62551 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:32:53.093374014 CEST | 9026 | 62551 | 115.230.124.27 | 192.168.2.4 |
Aug 31, 2024 08:32:53.093447924 CEST | 62551 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:32:53.200037003 CEST | 62551 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:32:53.205288887 CEST | 9026 | 62551 | 115.230.124.27 | 192.168.2.4 |
Aug 31, 2024 08:32:55.572134972 CEST | 62551 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:32:59.333962917 CEST | 62554 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:32:59.338913918 CEST | 9026 | 62554 | 115.230.124.27 | 192.168.2.4 |
Aug 31, 2024 08:32:59.340864897 CEST | 62554 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:32:59.464268923 CEST | 62554 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:32:59.469427109 CEST | 9026 | 62554 | 115.230.124.27 | 192.168.2.4 |
Aug 31, 2024 08:33:09.619055033 CEST | 62554 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:33:09.619885921 CEST | 62555 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:33:09.624703884 CEST | 9026 | 62555 | 115.230.124.27 | 192.168.2.4 |
Aug 31, 2024 08:33:09.624793053 CEST | 62555 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:33:09.738414049 CEST | 62555 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:33:09.744549036 CEST | 9026 | 62555 | 115.230.124.27 | 192.168.2.4 |
Aug 31, 2024 08:33:19.884638071 CEST | 62555 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:33:19.885271072 CEST | 62556 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:33:19.890074968 CEST | 9026 | 62556 | 115.230.124.27 | 192.168.2.4 |
Aug 31, 2024 08:33:19.890166998 CEST | 62556 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:33:20.007832050 CEST | 62556 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:33:20.012653112 CEST | 9026 | 62556 | 115.230.124.27 | 192.168.2.4 |
Aug 31, 2024 08:33:30.165817022 CEST | 62556 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:33:30.166377068 CEST | 62557 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:33:30.171231031 CEST | 9026 | 62557 | 115.230.124.27 | 192.168.2.4 |
Aug 31, 2024 08:33:30.171287060 CEST | 62557 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:33:31.813101053 CEST | 62559 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:33:31.817900896 CEST | 9026 | 62559 | 115.230.124.27 | 192.168.2.4 |
Aug 31, 2024 08:33:31.818111897 CEST | 62559 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:33:31.967008114 CEST | 62559 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:33:31.971771955 CEST | 9026 | 62559 | 115.230.124.27 | 192.168.2.4 |
Aug 31, 2024 08:33:42.119246960 CEST | 62559 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:33:42.120461941 CEST | 62560 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:33:42.125739098 CEST | 9026 | 62560 | 115.230.124.27 | 192.168.2.4 |
Aug 31, 2024 08:33:42.125808954 CEST | 62560 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:33:42.235407114 CEST | 62560 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:33:42.240287066 CEST | 9026 | 62560 | 115.230.124.27 | 192.168.2.4 |
Aug 31, 2024 08:33:52.384608984 CEST | 62560 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:33:52.385755062 CEST | 62561 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:33:52.390634060 CEST | 9026 | 62561 | 115.230.124.27 | 192.168.2.4 |
Aug 31, 2024 08:33:52.390710115 CEST | 62561 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:33:52.496649981 CEST | 62561 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:33:52.501449108 CEST | 9026 | 62561 | 115.230.124.27 | 192.168.2.4 |
Aug 31, 2024 08:34:02.650228024 CEST | 62561 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:34:02.651130915 CEST | 62562 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:34:02.655955076 CEST | 9026 | 62562 | 115.230.124.27 | 192.168.2.4 |
Aug 31, 2024 08:34:02.656023026 CEST | 62562 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:34:02.900554895 CEST | 62562 | 9026 | 192.168.2.4 | 115.230.124.27 |
Aug 31, 2024 08:34:02.905407906 CEST | 9026 | 62562 | 115.230.124.27 | 192.168.2.4 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Aug 31, 2024 08:32:15.579358101 CEST | 53 | 51427 | 1.1.1.1 | 192.168.2.4 |
Target ID: | 0 |
Start time: | 02:31:56 |
Start date: | 31/08/2024 |
Path: | C:\Windows\System32\loaddll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x960000 |
File size: | 126'464 bytes |
MD5 hash: | 51E6071F9CBA48E79F10C84515AAE618 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 1 |
Start time: | 02:31:56 |
Start date: | 31/08/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 2 |
Start time: | 02:31:56 |
Start date: | 31/08/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x240000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 02:31:56 |
Start date: | 31/08/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x6f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 4 |
Start time: | 02:31:56 |
Start date: | 31/08/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x6f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 5 |
Start time: | 02:31:56 |
Start date: | 31/08/2024 |
Path: | C:\Windows\SysWOW64\svchost.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xa50000 |
File size: | 46'504 bytes |
MD5 hash: | 1ED18311E3DA35942DB37D15FA40CC5B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 7 |
Start time: | 02:31:59 |
Start date: | 31/08/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x6f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 8 |
Start time: | 02:31:59 |
Start date: | 31/08/2024 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6eef20000 |
File size: | 55'320 bytes |
MD5 hash: | B7F884C1B74A263F746EE12A5F7C9F6A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Target ID: | 9 |
Start time: | 02:31:59 |
Start date: | 31/08/2024 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x890000 |
File size: | 483'680 bytes |
MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
| Target ID | Start time | Start date | Path | Wow64 process (32bit) | Imagebase | File size | MD5 hash | Has elevated privileges | Has administrator privileges | Programmed in | Reputation | Has exited | Yara matches |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 10 | 02:31:59 | 31/08/2024 | C:\Windows\SysWOW64\WerFault.exe | true | 0x890000 | 483'680 bytes | C31336C1EFC2CCB44B4326EA793040F2 | true | true | C, C++ or other language | high | true | |
| 11 | 02:32:02 | 31/08/2024 | C:\Windows\SysWOW64\WerFault.exe | true | 0x890000 | 483'680 bytes | C31336C1EFC2CCB44B4326EA793040F2 | true | true | C, C++ or other language | high | true | |
| 12 | 02:32:05 | 31/08/2024 | C:\Windows\SysWOW64\rundll32.exe | true | 0x6f0000 | 61'440 bytes | 889B99C52A60DD49227C5E485A016679 | true | true | C, C++ or other language | high | true | |
| 13 | 02:32:05 | 31/08/2024 | C:\Windows\SysWOW64\rundll32.exe | true | 0x6f0000 | 61'440 bytes | 889B99C52A60DD49227C5E485A016679 | true | true | C, C++ or other language | high | true | |
| 14 | 02:32:05 | 31/08/2024 | C:\Windows\SysWOW64\rundll32.exe | true | 0x6f0000 | 61'440 bytes | 889B99C52A60DD49227C5E485A016679 | true | true | C, C++ or other language | | true | |
| 15 | 02:32:05 | 31/08/2024 | C:\Windows\SysWOW64\rundll32.exe | true | 0x6f0000 | 61'440 bytes | 889B99C52A60DD49227C5E485A016679 | true | true | C, C++ or other language | | true | |
| 16 | 02:32:05 | 31/08/2024 | C:\Windows\SysWOW64\rundll32.exe | true | 0x6f0000 | 61'440 bytes | 889B99C52A60DD49227C5E485A016679 | true | true | C, C++ or other language | | true | |
| 17 | 02:32:05 | 31/08/2024 | C:\Windows\SysWOW64\WerFault.exe | true | 0x890000 | 483'680 bytes | C31336C1EFC2CCB44B4326EA793040F2 | true | true | C, C++ or other language | | true | |
| 18 | 02:32:06 | 31/08/2024 | C:\Windows\SysWOW64\WerFault.exe | true | 0x890000 | 483'680 bytes | C31336C1EFC2CCB44B4326EA793040F2 | true | true | C, C++ or other language | | true | |
| 22 | 02:32:54 | 31/08/2024 | C:\Windows\SysWOW64\WerFault.exe | true | 0x890000 | 483'680 bytes | C31336C1EFC2CCB44B4326EA793040F2 | true | true | C, C++ or other language | | true | |
| 26 | 02:33:29 | 31/08/2024 | C:\Windows\SysWOW64\WerFault.exe | true | 0x890000 | 483'680 bytes | C31336C1EFC2CCB44B4326EA793040F2 | true | true | C, C++ or other language | | true | |
| 28 | 02:33:30 | 31/08/2024 | C:\Windows\SysWOW64\svchost.exe | true | 0xa50000 | 46'504 bytes | 1ED18311E3DA35942DB37D15FA40CC5B | true | true | C, C++ or other language | | false | field present, match list empty in the extracted page |
Execution Graph
Execution Coverage: | 3.7% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 18.4% |
Total number of Nodes: | 304 |
Total number of Limit Nodes: | 5 |
Graph
| Function | Relevance | APIs | Strings | Instructions | Tags |
|---|---|---|---|---|---|
| 10013930 | 86.0 | 23 | 26 | 226 | library, loader, file, COMMON |
| 10012C40 | 38.7 | 13 | 9 | 232 | registry, library, loader, COMMON |
| 100124A0 | 38.6 | 15 | 7 | 119 | library, loader, registry, COMMON |
| 100126F0 | 14.0 | 5 | 3 | 48 | service, COMMON |
| 10012880 | 12.3 | 5 | 2 | 33 | library, loader, COMMON |
| 100131E0 | 77.2 | 13 | 31 | 209 | library, loader, file, COMMON |
| 100129D0 | 52.7 | 16 | 14 | 211 | library, registry, file, COMMON |
| 10009DD0 | 49.1 | 7 | 21 | 108 | library, loader, file, COMMON |
| 10012640 | 12.3 | 4 | 3 | 61 | library, string, loader, COMMON |
| 10012950 | 7.0 | 3 | 1 | 40 | registry, COMMON |
| 100128F0 | 7.0 | 3 | 1 | 29 | registry, COMMON |
| 1001990F | 3.8 | 3 | | 54 | COMMON |
| 10010C90 | 3.5 | 1 | 1 | 5 | library, COMMON |
| 10008800 | 61.5 | 29 | 6 | 294 | library, loader, network, COMMON |
| 10009160 | 37.1 | 19 | 2 | 317 | network, library, loader, COMMON |
| 1000D6E0 | 36.9 | 16 | 5 | 147 | library, loader, keyboard, COMMON |
| 10008B80 | 29.9 | 13 | 4 | 101 | library, network, loader, COMMON |
| 1000DA60 | 29.8 | 12 | 5 | 68 | library, loader, clipboard, COMMON |
| 1000B310 | 28.1 | 12 | 4 | 133 | library, loader, memory, COMMON |
| 10009F00 | 28.1 | 14 | 2 | 116 | library, service, loader, COMMON |
| 1000DB20 | 28.1 | 12 | 4 | 80 | library, clipboard, loader, COMMON |
| 100030E0 | 21.4 | 6 | 6 | 360 | library, loader, COMMON |
| 10012840 | 10.5 | 5 | 1 | 24 | service, COMMON |
| 10008740 | 6.1 | 4 | | 55 | network, COMMON |
| 10007CB0 | 4.5 | 3 | | 35 | COMMON |
| 1000FC60 | 3.5 | 1 | 1 | 11 | shutdown, COMMON |
| 1001609D | 0.5 | | | 514 | COMMON |
| 10015E4E | 0.5 | | | 514 | COMMON |
| 10018450 | 0.5 | | | 502 | COMMON |
| 10017800 | 0.4 | | | 379 | COMMON |
| 10014140 | 0.4 | | | 373 | COMMON |
| 10019490 | 0.4 | | | 359 | COMMON |
| 10017D80 | 0.3 | | | 295 | COMMON |
| 10016720 | 0.1 | | | 127 | COMMON |
| 1000B880 | 89.5 | 14 | 37 | 231 | library, loader, COMMON |
| 100106A0 | 86.1 | 13 | 36 | 328 | library, loader, COMMON |
| 1000F8F0 | 82.6 | 33 | 14 | 306 | library, loader, COMMON |
| 1000A640 | 80.7 | 14 | 32 | 229 | library, loader, COMMON |
| 10001200 | 75.5 | 31 | 12 | 267 | library, loader, sleep, COMMON |
| 1000AAC5 | 72.0 | 9 | 32 | 294 | library, loader, COMMON |
| 10004980 | 70.3 | 24 | 16 | 272 | library, loader, string, COMMON |
| 1000EBF0 | 68.6 | 15 | 24 | 357 | library, loader, COMMON |
| 10005CB0 | 68.4 | 13 | 26 | 186 | library, loader, COMMON |
| 10006A40 | 68.4 | 8 | 31 | 172 | library, loader, COMMON |
| 1000B500 | 59.7 | 11 | 23 | 194 | library, loader, COMMON |
| 10005EB0 | 59.7 | 12 | 22 | 188 | library, loader, COMMON |
| 100060A0 | 57.9 | 12 | 21 | 183 | library, loader, COMMON |
| 10005A20 | 56.2 | 19 | 13 | 221 | library, loader, sleep, COMMON |
| 100109D0 | 56.2 | 10 | 22 | 187 | library, loader, COMMON |
| 1000AE00 | 51.0 | 10 | 19 | 213 | library, loader, COMMON |
| 1000B060 | 51.0 | 21 | 8 | 210 | library, loader, COMMON |
| 10007490 | 50.9 | 8 | 21 | 134 | library, loader, COMMON |
| 10003F60 | 49.3 | 22 | 6 | 252 | network, library, loader, COMMON |
| 10006860 | 49.2 | 8 | 20 | 170 | library, loader, COMMON |
| 100120D0 | 47.5 | 18 | 9 | 210 | library, loader, COMMON |
| 100024F0 | 47.4 | 21 | 6 | 196 | library, loader, network, COMMON |
| 10003D90 | 47.4 | 22 | 5 | 156 | library, loader, network, COMMON |
| 10003730 | 45.7 | 23 | 3 | 204 | library, string, sleep, COMMON |
| 10005530 | 45.7 | 20 | 6 | 177 | library, loader, sleep, COMMON |
| 1000FC90 | 45.6 | 21 | 5 | 130 | library, loader, window, COMMON |
| 10004360 | 43.9 | 15 | 10 | 123 | library, loader, string, COMMON |
| 100057D0 | 42.2 | 14 | 10 | 200 | library, loader, COMMON |
| 1000FF60 | 42.1 | 7 | 17 | 116 | library, loader, COMMON |
| 100039E0 | 40.4 | 15 | 8 | 147 | library, loader, sleep, COMMON |
| 1000A050 | 40.4 | 17 | 6 | 100 | library, loader, COMMON |
| 10006440 | 38.7 | 14 | 8 | 193 | library, loader, COMMON |
| 10001000 | 38.7 | 7 | 15 | 171 | library, loader, COMMON |
| 1000E1F0 | 35.2 | 13 | 7 | 236 | library, loader, COMMON |
| 1000F000 | 35.2 | 13 | 7 | 199 | library, loader, COMMON |
| 10011CB0 | 35.2 | 12 | 8 | 150 | library, loader, registry, COMMON |
| 10002220 | 35.1 | 5 | 15 | 127 | library, loader, network, COMMON |
| 10010D40 | 35.1 | 16 | 4 | 103 | library, window, loader, COMMON |
| 1000DC60 | 33.5 | 13 | 6 | 294 | library, loader, COMMON |
| 1000E030 | 33.4 | 13 | 6 | 159 | library, loader, COMMON |
| 10013C00 | 33.4 | 12 | 7 | 157 | library, loader, string, COMMON |
| 10009760 | 31.8 | 11 | 7 | 293 | library, loader, registry, COMMON |
| 10011EE0 | 31.7 | 10 | 8 | 189 | library, loader, COMMON |
| 10013430 | 31.6 | 5 | 13 | 103 | library, registry, loader, COMMON |
| 10002AB0 | 31.6 | 14 | 4 | 75 | library, loader, COMMON |
| 10001600 | 29.9 | 9 | 8 | 151 | library, loader, COMMON |
| 1000D060 | 29.9 | 10 | 7 | 123 | library, loader, COMMON |
| 10007EE0 | 28.2 | 10 | 6 | 172 | library, loader, network, COMMON |
| 10008CC0 | 28.2 | 13 | 3 | 165 | string, library, loader, COMMON |
| 1000356A | 28.2 | 14 | 2 | 152 | network, sleep, library, COMMON |
| 10002070 | 28.1 | 13 | 3 | 110 | library, loader, sleep, COMMON |
| 1000F200 | 28.1 | 4 | 12 | 96 | library, loader, COMMON |
| 10011AF0 | 28.1 | 10 | 6 | 85 | library, loader, COMMON |
| 1000BAE0 | 28.1 | 2 | 14 | 82 | library, loader, COMMON |
| 1000F2F0 | 26.4 | 9 | 6 | 108 | library, loader, COMMON |
| 10010090 | 26.3 | 10 | 5 | 84 | library, loader, COMMON |
| 100023C0 | 26.3 | 11 | 4 | 84 | library, loader, sleep, COMMON |
| 1000BFF0 | 24.7 | 11 | 3 | 219 | library, registry, loader, COMMON |
| 100101D0 | 24.6 | 10 | 4 | 121 | library, loader, COMMON |
| 10010410 | 24.6 | 11 | 3 | 79 | library, loader, thread, COMMON |
| 1000F830 | 24.6 | 8 | 6 | 65 | library, loader, COMMON |
| 10008EE0 | 22.9 | 11 | 2 | 181 | library, loader, network, COMMON |
| 1000A8A0 | 22.9 | 7 | 6 | 170 | library, loader, COMMON |
| 1000BE30 | 22.9 | 10 | 3 | 166 | library, registry, loader, COMMON |
| 1000F6A0 | 22.9 | 8 | 5 | 130 | library, loader, COMMON |
| 10004D10 | 22.9 | 15 | | 369 | COMMON |
| 10001F50 | 22.9 | 10 | 3 | 101 | library, loader, COMMON |
| 10001890 | 22.8 | 9 | 4 | 89 | library, window, loader, COMMON |
| 10005170 | 22.8 | 9 | 4 | 76 | library, loader, COMMON |
| 100118F0 | 22.8 | 7 | 6 | 59 | library, loader, COMMON |
| 1000E5D0 | 21.2 | 9 | 3 | 175 | library, loader, COMMON |
| 1000A2B0 | 21.1 | 8 | 4 | 140 | library, loader, COMMON |
| 10001E30 | 21.1 | 9 | 3 | 96 | library, sleep, loader, COMMON |
| 10007C20 | 21.1 | 4 | 8 | 55 | library, loader, COMMON |
| 10012F30 | 19.4 | 6 | 5 | 115 | registry, COMMON |
| 1000A4C0 | 19.4 | 7 | 4 | 104 | library, loader, COMMON |
| 10011150 | 19.3 | 6 | 5 | 56 | library, loader, COMMON |
| 1000F420 | 17.6 | 6 | 4 | 82 | library, loader, COMMON |
| 10009590 | 17.6 | 6 | 4 | 81 | library, loader, COMMON |
| 10002D20 | 15.8 | 7 | 2 | 87 | sleep, library, network, COMMON |
| 10005720 | 15.8 | 4 | 5 | 70 | library, loader, COMMON |
| 1000FE10 | 15.8 | 7 | 2 | 67 | library, loader, COMMON |
| 10002E90 | 15.8 | 6 | 3 | 67 | library, loader, COMMON |
| 1000CFA0 | 15.8 | 5 | 4 | 65 | library, loader, COMMON |
| 1000B740 | 15.8 | 5 | 4 | 59 | library, loader, COMMON |
| 10003053 | 15.8 | 5 | 4 | 48 | string, registry, COMMON |
| 1000E840 | 14.2 | 4 | 4 | 176 | library, loader, COMMON |
| 10013090 | 14.1 | 5 | 3 | 105 | registry, COMMON |
| 1000D1B0 | 14.1 | 6 | 2 | 100 | library, loader, COMMON |
| 10007B40 | 14.1 | 5 | 3 | 94 | library, string, loader, COMMON |
| 10007A60 | 14.1 | 5 | 3 | 93 | library, string, loader, COMMON |
| 10011A50 | 14.1 | 4 | 4 | 67 | library, loader, COMMON |
| 1000CF10 | 14.1 | 4 | 4 | 59 | library, loader, COMMON |
| 10001C80 | 14.1 | 4 | 4 | 58 | library, loader, COMMON |
| 100096B0 | 14.1 | 4 | 4 | 56 | library, loader, COMMON |
| 100045F0 | 14.0 | 5 | 3 | 47 | library, loader, COMMON |
| 1000B490 | 14.0 | 5 | 3 | 45 | library, loader, COMMON |
| 10010500 | 14.0 | 6 | 2 | 42 | library, thread, loader, COMMON |
| 10006770 | 12.3 | 4 | 3 | 80 | library, loader, COMMON |
| 1000C5E0 | 12.3 | 4 | 3 | 79 | library, loader, COMMON |
| 100105D0 | 12.3 | 5 | 2 | 78 | library, loader, thread, COMMON |
| 100114C0 | 12.3 | 4 | 3 | 65 | library, loader, COMMON |
| 10001D90 | 12.3 | 4 | 3 | 63 | library, loader, COMMON |
| 1000D4E0 | 12.3 | 4 | 3 | 59 | library, loader, COMMON |
| 100014E0 | 12.3 | 4 | 3 | 57 | library, loader, COMMON |
| 1000B800 | 12.3 | 4 | 3 | 49 | library, loader, COMMON |
| 10011440 | 12.3 | 4 | 3 | 49 | library, loader, COMMON |
| 10012780 | 12.3 | 6 | 1 | 49 | service, COMMON |
| 10010160 | 12.3 | 5 | 2 | 42 | library, loader, COMMON |
| 1000F5E0 | 12.3 | 4 | 3 | 37 | library, loader, COMMON |
| 1000F640 | 12.3 | 4 | 3 | 37 | library, loader, COMMON |
| 10006C60 | 12.3 | 4 | 3 | 34 | library, loader, COMMON |
| 10001D30 | 12.3 | 4 | 3 | 34 | library, loader, COMMON |
| 1000B2C0 | 12.3 | 4 | 3 | 34 | library, loader, COMMON |
| 100021B0 | 12.3 | 4 | 3 | 33 | library, loader, COMMON |
| 1000BC90 | 12.3 | 4 | 3 | 29 | library, loader, COMMON |
| 10006D70 | 12.1 | 8 | | 136 | COMMON |
| 10001780 | 10.6 | 3 | 3 | 119 | library, loader, COMMON |
| 10006300 | 10.6 | 4 | 2 | 104 | library, loader, COMMON |
| 10010BF0 | 10.6 | 4 | 2 | 54 | library, loader, window, COMMON |
| 1000EAB0 | 10.6 | 3 | 3 | 52 | library, loader, COMMON |
| 10010E50 | 10.5 | 4 | 2 | 34 | library, loader, window, COMMON |
| 10002BA0 | 9.1 | 6 | | 135 | COMMON |
| 100053D0 | 8.9 | 3 | 2 | 131 | library, sleep, loader, COMMON |
| 10001AC0 | 8.8 | 3 | 2 | 72 | library, loader, COMMON |
| 100119C0 | 8.8 | 3 | 2 | 64 | registry, COMMON |
| 10004700 | 7.1 | 2 | 2 | 140 | library, loader, COMMON |
| 100112D0 | 7.1 | 3 | 1 | 133 | library, loader, COMMON |
| 10003CE0 | 7.1 | 2 | 2 | 60 | library, loader, COMMON |
| 10002F50 | 7.1 | 2 | 2 | 53 | library, loader, COMMON |
| 10010380 | 7.0 | 2 | 2 | 44 | library, loader, COMMON |
| 1000FEC0 | 7.0 | 2 | 2 | 42 | library, loader, COMMON |
|
Function 10011200 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10001A40 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10012430 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000E9F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000E5A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 14libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10002830 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000BBE0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000BCE0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000A470 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 8libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000CAD0 Relevance: 6.1, APIs: 4, Instructions: 118COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000CC30 Relevance: 6.1, APIs: 4, Instructions: 116COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000C940 Relevance: 6.1, APIs: 4, Instructions: 116COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 100052D0 Relevance: 6.1, APIs: 4, Instructions: 86COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 100066B0 Relevance: 6.1, APIs: 4, Instructions: 73COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000E470 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 129libraryloaderCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Execution Graph
Execution Coverage: | 7.9% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 3.2% |
Total number of Nodes: | 431 |
Total number of Limit Nodes: | 15 |
Function 1000A050 Relevance: 49.1, APIs: 22, Strings: 6, Instructions: 100 (library, loader, process, COMMON)
Function 10011CB0 Relevance: 38.6, APIs: 14, Strings: 8, Instructions: 150 (library, loader, registry, COMMON)
Function 10013930 Relevance: 84.2, APIs: 20, Strings: 28, Instructions: 226 (library, loader, COMMON)
Function 100120D0 Relevance: 56.2, APIs: 20, Strings: 12, Instructions: 210 (library, loader, sleep, COMMON)
Function 1000B060 Relevance: 54.5, APIs: 23, Strings: 8, Instructions: 210 (library, loader, file, COMMON)
Function 10007490 Relevance: 54.4, APIs: 10, Strings: 21, Instructions: 134 (library, loader, sleep, COMMON)
Function 100024F0 Relevance: 49.2, APIs: 22, Strings: 6, Instructions: 196 (library, loader, network, COMMON)
Function 100124A0 Relevance: 45.6, APIs: 18, Strings: 8, Instructions: 119 (library, loader, registry, COMMON)
Function 1000FF60 Relevance: 43.9, APIs: 8, Strings: 17, Instructions: 116 (library, loader, COMMON)
Function 10013C00 Relevance: 35.2, APIs: 13, Strings: 7, Instructions: 157 (library, loader, file, COMMON)
Function 10002220 Relevance: 35.1, APIs: 5, Strings: 15, Instructions: 127 (library, loader, network, COMMON)
Function 10011AF0 Relevance: 35.1, APIs: 14, Strings: 6, Instructions: 85 (library, loader, process, COMMON)
Function 10013430 Relevance: 33.4, APIs: 6, Strings: 13, Instructions: 103 (library, sleep, registry, COMMON)
Function 10002070 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 110 (library, loader, sleep, COMMON)
Function 10002AB0 Relevance: 31.6, APIs: 14, Strings: 4, Instructions: 75 (library, loader, COMMON)
Function 10009590 Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 81 (library, loader, thread, COMMON)
Function 10012F30 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 115 (registry, COMMON)
Function 10002D20 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 87 (sleep, library, network, COMMON)
Function 10013090 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 105 (registry, COMMON)
Function 10011A50 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 67 (library, loader, COMMON)
Function 100119C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 64 (registry, COMMON)
Function 1000FEC0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42 (library, loader, COMMON)
Function 1001990F Relevance: 3.8, APIs: 3, Instructions: 54 (COMMON)
Function 10010C90 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 5 (library, COMMON)
Function 100123D0 Relevance: 1.5, APIs: 1, Instructions: 18 (COMMON)
Function 10016850 Relevance: 1.3, APIs: 1, Instructions: 7 (COMMON)
Function 10016870 Relevance: 1.3, APIs: 1, Instructions: 5 (COMMON)
Function 10009160 Relevance: 37.1, APIs: 19, Strings: 2, Instructions: 317networklibraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10008B80 Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 101librarynetworkloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000DA60 Relevance: 29.8, APIs: 12, Strings: 5, Instructions: 68libraryloaderclipboardCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 100030E0 Relevance: 21.4, APIs: 6, Strings: 6, Instructions: 360libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 100126F0 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 48serviceCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10012880 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 33libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10008740 Relevance: 6.1, APIs: 4, Instructions: 55networkCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000B880 Relevance: 89.5, APIs: 14, Strings: 37, Instructions: 231libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 100106A0 Relevance: 86.1, APIs: 13, Strings: 36, Instructions: 328libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000F8F0 Relevance: 82.6, APIs: 33, Strings: 14, Instructions: 306libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000A640 Relevance: 80.7, APIs: 14, Strings: 32, Instructions: 229libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10001200 Relevance: 75.5, APIs: 31, Strings: 12, Instructions: 267libraryloadersleepCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 100131E0 Relevance: 75.5, APIs: 12, Strings: 31, Instructions: 209libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000AAC5 Relevance: 73.8, APIs: 9, Strings: 33, Instructions: 294libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10004980 Relevance: 70.3, APIs: 24, Strings: 16, Instructions: 272libraryloaderstringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000EBF0 Relevance: 68.6, APIs: 15, Strings: 24, Instructions: 357libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10005CB0 Relevance: 68.4, APIs: 13, Strings: 26, Instructions: 186libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10006A40 Relevance: 68.4, APIs: 8, Strings: 31, Instructions: 172libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10008800 Relevance: 61.5, APIs: 29, Strings: 6, Instructions: 294libraryloadernetworkCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000B500 Relevance: 61.4, APIs: 11, Strings: 24, Instructions: 194libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10005EB0 Relevance: 59.7, APIs: 12, Strings: 22, Instructions: 188libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 100060A0 Relevance: 57.9, APIs: 12, Strings: 21, Instructions: 183libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10005A20 Relevance: 56.2, APIs: 19, Strings: 13, Instructions: 221libraryloadersleepCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 100109D0 Relevance: 56.2, APIs: 10, Strings: 22, Instructions: 187libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000AE00 Relevance: 51.0, APIs: 10, Strings: 19, Instructions: 213libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10003F60 Relevance: 49.3, APIs: 22, Strings: 6, Instructions: 252networklibraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10006860 Relevance: 49.2, APIs: 8, Strings: 20, Instructions: 170libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 100129D0 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 211libraryregistryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10003D90 Relevance: 47.4, APIs: 22, Strings: 5, Instructions: 156libraryloadernetworkCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10009DD0 Relevance: 47.4, APIs: 6, Strings: 21, Instructions: 108libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10003730 Relevance: 45.7, APIs: 23, Strings: 3, Instructions: 204librarystringsleepCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10005530 Relevance: 45.7, APIs: 20, Strings: 6, Instructions: 177libraryloadersleepCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000FC90 Relevance: 45.6, APIs: 21, Strings: 5, Instructions: 130libraryloaderwindowCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10004360 Relevance: 43.9, APIs: 15, Strings: 10, Instructions: 123libraryloaderstringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 100057D0 Relevance: 42.2, APIs: 14, Strings: 10, Instructions: 200libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 100039E0 Relevance: 40.4, APIs: 15, Strings: 8, Instructions: 147libraryloadersleepCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10012C40 Relevance: 38.7, APIs: 13, Strings: 9, Instructions: 232registrylibraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10006440 Relevance: 38.7, APIs: 14, Strings: 8, Instructions: 193libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10001000 Relevance: 38.7, APIs: 7, Strings: 15, Instructions: 171libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000D6E0 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 147libraryloaderkeyboardCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000E1F0 Relevance: 35.2, APIs: 13, Strings: 7, Instructions: 236libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000F000 Relevance: 35.2, APIs: 13, Strings: 7, Instructions: 199libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10011EE0 Relevance: 35.2, APIs: 10, Strings: 10, Instructions: 189libraryloaderCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10010D40 Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 103librarywindowloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000DC60 Relevance: 33.5, APIs: 13, Strings: 6, Instructions: 294libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000E030 Relevance: 33.4, APIs: 13, Strings: 6, Instructions: 159libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10009760 Relevance: 31.8, APIs: 11, Strings: 7, Instructions: 293libraryloaderregistryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10001600 Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 151libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000D060 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 123libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10009F00 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 116libraryserviceloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10007EE0 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 172libraryloadernetworkCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10008CC0 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 165stringlibraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000356A Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 152networksleeplibraryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000B310 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 133libraryloadermemoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000F200 Relevance: 28.1, APIs: 4, Strings: 12, Instructions: 96libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000BAE0 Relevance: 28.1, APIs: 2, Strings: 14, Instructions: 82libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000DB20 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 80libraryclipboardloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000F2F0 Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 108libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10010090 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 84libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 100023C0 Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 84libraryloadersleepCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000BFF0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 219libraryregistryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 100101D0 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 121libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10010410 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 79libraryloaderthreadCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000F830 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 65libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10008EE0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 181libraryloadernetworkCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000A8A0 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 170libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000BE30 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 166libraryregistryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000F6A0 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 130libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10004D10 Relevance: 22.9, APIs: 15, Instructions: 369COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10001F50 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10001890 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 89librarywindowloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10005170 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 76libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 100118F0 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 59libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000E5D0 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 175libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000A2B0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 140libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10001E30 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 96librarysleeploaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10007C20 Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 55libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000A4C0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 104libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10011150 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 56libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000F420 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 82libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10005720 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 70libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000FE10 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 67libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10002E90 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 67libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000CFA0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 65libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000B740 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 59libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10003053 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 48stringregistryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000E840 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 176libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000D1B0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 100libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10007B40 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 94librarystringloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10007A60 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 93librarystringloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000CF10 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 59libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10001C80 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 58libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 100096B0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 56libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 100045F0 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 47libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000B490 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 45libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10010500 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 42librarythreadloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10006770 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 80libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000C5E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 79libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 100105D0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 78libraryloaderthreadCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 100114C0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 65libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10001D90 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 63libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10012640 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 61librarystringloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000D4E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 59libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 100014E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 57libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000B800 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 49libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10011440 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 49libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10012780 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 49serviceCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10010160 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 42libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000F5E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 37libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000F640 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 37libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10006C60 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 34libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10001D30 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 34libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000B2C0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 34libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 100021B0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 33libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 1000BC90 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 29libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10006D70 Relevance: 12.1, APIs: 8, Instructions: 136COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10001780 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 119libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10006300 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 104libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 10010BF0 | Relevance: 10.6 | APIs: 4 | Strings: 2 | Instructions: 54 | Tags: library, loader, window, COMMON
Function 1000EAB0 | Relevance: 10.6 | APIs: 3 | Strings: 3 | Instructions: 52 | Tags: library, loader, COMMON
Function 10010E50 | Relevance: 10.5 | APIs: 4 | Strings: 2 | Instructions: 34 | Tags: library, loader, window, COMMON
Function 10012840 | Relevance: 10.5 | APIs: 5 | Strings: 1 | Instructions: 24 | Tags: service, COMMON
Function 10002BA0 | Relevance: 9.1 | APIs: 6 | Instructions: 135 | Tags: COMMON
Function 100053D0 | Relevance: 8.9 | APIs: 3 | Strings: 2 | Instructions: 131 | Tags: library, sleep, loader, COMMON
Function 10001AC0 | Relevance: 8.8 | APIs: 3 | Strings: 2 | Instructions: 72 | Tags: library, loader, COMMON
Function 10004700 | Relevance: 7.1 | APIs: 2 | Strings: 2 | Instructions: 140 | Tags: library, loader, COMMON
Function 100112D0 | Relevance: 7.1 | APIs: 3 | Strings: 1 | Instructions: 133 | Tags: library, loader, COMMON
Function 10003CE0 | Relevance: 7.1 | APIs: 2 | Strings: 2 | Instructions: 60 | Tags: library, loader, COMMON
Function 10002F50 | Relevance: 7.1 | APIs: 2 | Strings: 2 | Instructions: 53 | Tags: library, loader, COMMON
Function 10010380 | Relevance: 7.0 | APIs: 2 | Strings: 2 | Instructions: 44 | Tags: library, loader, COMMON
Function 10011200 | Relevance: 7.0 | APIs: 2 | Strings: 2 | Instructions: 41 | Tags: library, loader, COMMON
Function 10012950 | Relevance: 7.0 | APIs: 3 | Strings: 1 | Instructions: 40 | Tags: registry, COMMON
Function 10001A40 | Relevance: 7.0 | APIs: 2 | Strings: 2 | Instructions: 35 | Tags: library, loader, COMMON
Function 100128F0 | Relevance: 7.0 | APIs: 3 | Strings: 1 | Instructions: 29 | Tags: registry, COMMON
Function 10012430 | Relevance: 7.0 | APIs: 2 | Strings: 2 | Instructions: 24 | Tags: library, loader, COMMON
Function 1000E9F0 | Relevance: 7.0 | APIs: 2 | Strings: 2 | Instructions: 18 | Tags: library, loader, COMMON
Function 1000E5A0 | Relevance: 7.0 | APIs: 2 | Strings: 2 | Instructions: 14 | Tags: library, loader, COMMON
Function 10002830 | Relevance: 7.0 | APIs: 2 | Strings: 2 | Instructions: 13 | Tags: library, loader, COMMON
Function 1000BBE0 | Relevance: 7.0 | APIs: 2 | Strings: 2 | Instructions: 13 | Tags: library, loader, COMMON
Function 1000BCE0 | Relevance: 7.0 | APIs: 2 | Strings: 2 | Instructions: 12 | Tags: library, loader, COMMON
Function 1000A470 | Relevance: 7.0 | APIs: 2 | Strings: 2 | Instructions: 8 | Tags: library, loader, COMMON
Function 1000CAD0 | Relevance: 6.1 | APIs: 4 | Instructions: 118 | Tags: COMMON
Function 1000CC30 | Relevance: 6.1 | APIs: 4 | Instructions: 116 | Tags: COMMON
Function 1000C940 | Relevance: 6.1 | APIs: 4 | Instructions: 116 | Tags: COMMON
Function 100052D0 | Relevance: 6.1 | APIs: 4 | Instructions: 86 | Tags: COMMON
Function 100066B0 | Relevance: 6.1 | APIs: 4 | Instructions: 73 | Tags: COMMON
Function 1000E470 | Relevance: 5.4 | APIs: 2 | Strings: 1 | Instructions: 129 | Tags: library, loader, COMMON
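The function listing above is what an analyst actually works from when deciding where to start in the disassembly: most entries are plain library-loading stubs, while the few tagged service, registry or sleep are the candidates for persistence and timing behaviour. The following is an added triage helper, not part of the Joe Sandbox report or its IDA plugin. It parses the per-function header lines exactly as they are extracted here (with the category tags fused onto the instruction count, e.g. "Instructions: 24serviceCOMMON"), un-fuses the tags, and ranks the tagged functions by relevance. The tag vocabulary (TAG_VOCAB), the choice of "interesting" tags in triage(), and the SAMPLE lines are assumptions made for this example: the vocabulary contains only the tags visible on this page, and the sample is constructed from a few of the headers above.

```python
"""Triage helper for the per-function listing of a Joe Sandbox report.

Input lines look like (as extracted from the report text):
    Function 10012840 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 24serviceCOMMON
The category tags are fused onto the instruction count; this script splits
them against a known tag vocabulary and ranks functions whose tags point at
persistence or timing work (service, registry, sleep).
"""
import re
from dataclasses import dataclass, field

# ASSUMPTION: vocabulary limited to the tags visible in this report.  Longest
# names first so the greedy splitter always takes the longest matching tag.
TAG_VOCAB = sorted(
    ["library", "loader", "window", "service", "registry", "sleep", "COMMON"],
    key=len, reverse=True,
)

# "Strings: N," is optional: entries without string references omit it.
_HEADER_RE = re.compile(
    r"Function\s+(?P<addr>[0-9A-Fa-f]{8})\s+"
    r"Relevance:\s*(?P<rel>\d+(?:\.\d+)?),\s*"
    r"APIs:\s*(?P<apis>\d+),\s*"
    r"(?:Strings:\s*(?P<strings>\d+),\s*)?"
    r"Instructions:\s*(?P<instr>\d+)(?P<tags>[A-Za-z]*)\s*$"
)


@dataclass
class FunctionEntry:
    address: int
    relevance: float
    apis: int
    strings: int
    instructions: int
    tags: list = field(default_factory=list)


def split_tags(fused: str) -> list:
    """Greedily peel known tag names off the front of a fused tag string.
    Any unrecognized remainder is kept as one tag so nothing is silently lost."""
    out, rest = [], fused
    while rest:
        for tag in TAG_VOCAB:
            if rest.startswith(tag):
                out.append(tag)
                rest = rest[len(tag):]
                break
        else:
            out.append(rest)  # unknown tag text: surface it rather than drop it
            break
    return out


def parse_listing(text: str) -> list:
    """Parse every function header line; empty table cells and other residue are skipped."""
    entries = []
    for line in text.splitlines():
        m = _HEADER_RE.match(line.strip())
        if not m:
            continue
        entries.append(FunctionEntry(
            address=int(m["addr"], 16),
            relevance=float(m["rel"]),
            apis=int(m["apis"]),
            strings=int(m["strings"] or 0),
            instructions=int(m["instr"]),
            tags=split_tags(m["tags"]),
        ))
    return entries


def triage(entries, interesting=("service", "registry", "sleep")):
    """Return entries carrying any of the interesting tags, highest relevance first.
    ASSUMPTION: which tags count as interesting is the analyst's choice."""
    hits = [e for e in entries if any(t in e.tags for t in interesting)]
    return sorted(hits, key=lambda e: (-e.relevance, e.address))


# Constructed sample: a few header lines in the shape the extracted report uses,
# interleaved with the empty table cells that also appear in the extraction.
SAMPLE = """\
Function 10012840 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 24serviceCOMMON
APIs |
Strings |
Function 100053D0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 131librarysleeploaderCOMMON
Function 10012950 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40registryCOMMON
Function 10006D70 Relevance: 12.1, APIs: 8, Instructions: 136COMMON
Function 10010BF0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54libraryloaderwindowCOMMON
Similarity |
"""

if __name__ == "__main__":
    for e in triage(parse_listing(SAMPLE)):
        print(f"{e.address:08X}  rel={e.relevance:<5} apis={e.apis} tags={','.join(e.tags)}")
```

Feed the whole report text to parse_listing() instead of SAMPLE to rank the full listing; the 'interesting' tuple is where to add tags such as window if GUI-hooking functions are also of interest.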