Edit tour
Windows
Analysis Report
AB5tAhygtM.dll
Overview
General Information
| Sample name: | AB5tAhygtM.dllrenamed because original name is a hash value |
| Original sample name: | 6655c5686b9b0292cf5121fc6346341bb888704b421a85a15011456a9a2c192a.dll |
| Analysis ID: | 1524368 |
| MD5: | 1e6c67456dd21d7fb2967364cf4735af |
| SHA1: | 42a3d252faa7d7457c7f708ec6f44f3c1afd843e |
| SHA256: | 6655c5686b9b0292cf5121fc6346341bb888704b421a85a15011456a9a2c192a |
| Tags: | CeranaKeeperdlluser-JAMESWT_MHT |
| Infos: | |
 | |
Detection
| Score: | 60 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
loaddll32.exe (PID: 6764 cmdline: loaddll32. exe "C:\Us ers\user\D esktop\AB5 tAhygtM.dl l" MD5: 51E6071F9CBA48E79F10C84515AAE618) 
conhost.exe (PID: 6788 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 6932 cmdline:
cmd.exe /C rundll32. exe "C:\Us ers\user\D esktop\AB5 tAhygtM.dl l",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) 
rundll32.exe (PID: 7004 cmdline: rundll32.e xe "C:\Use rs\user\De sktop\AB5t AhygtM.dll ",#1 MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 6956 cmdline:
rundll32.e xe C:\User s\user\Des ktop\AB5tA hygtM.dll, ModuleMain MD5: 889B99C52A60DD49227C5E485A016679) - rundll32.exe (PID: 7116 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\AB5t AhygtM.dll ",ModuleMa in MD5: 889B99C52A60DD49227C5E485A016679)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 3_2_6CDF0C06 | |
| Source: | Code function: | 3_2_6CDC2A10 | |
| Source: | Code function: | 3_2_6CDC3420 | |
| Source: | Code function: | 3_2_6CDC30F0 | |
| Source: | Code function: | 5_2_6D080C06 | |
| Source: | Code function: | 5_2_6D052A10 | |
| Source: | Code function: | 5_2_6D053420 | |
| Source: | Code function: | 5_2_6D0530F0 | |
| Source: | Code function: | 3_2_6CDC1200 | |
| Source: | Code function: | 3_2_6CDE6D29 | |
| Source: | Code function: | 3_2_6CDDAFD0 | |
| Source: | Code function: | 3_2_6CDF38D4 | |
| Source: | Code function: | 3_2_6CDCB8B0 | |
| Source: | Code function: | 3_2_6CDE6B00 | |
| Source: | Code function: | 3_2_6CDEE7E0 | |
| Source: | Code function: | 3_2_6CDDB760 | |
| Source: | Code function: | 3_2_6CDDB01E | |
| Source: | Code function: | 3_2_6CDDB230 | |
| Source: | Code function: | 3_2_6CDF2226 | |
| Source: | Code function: | 3_2_6CDF2352 | |
| Source: | Code function: | 5_2_6D076D29 | |
| Source: | Code function: | 5_2_6D06AFD0 | |
| Source: | Code function: | 5_2_6D05B8B0 | |
| Source: | Code function: | 5_2_6D0838D4 | |
| Source: | Code function: | 5_2_6D076B00 | |
| Source: | Code function: | 5_2_6D06B760 | |
| Source: | Code function: | 5_2_6D07E7E0 | |
| Source: | Code function: | 5_2_6D06B01E | |
| Source: | Code function: | 5_2_6D082352 | |
| Source: | Code function: | 5_2_6D082226 | |
| Source: | Code function: | 5_2_6D06B230 | |
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 3_2_6CDC1200 | |
| Source: | Code function: | 3_2_6CDC66B0 | |
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | ReversingLabs: | ||
| Source: | Evasive API call chain: | graph_5-19696 | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 3_2_6CDCCF60 | |
| Source: | Code function: | 3_2_6CDE2CD9 | |
| Source: | Code function: | 3_2_6CDF4166 | |
| Source: | Code function: | 5_2_6D072CD9 | |
| Source: | Code function: | 5_2_6D084166 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | API coverage: | ||
| Source: | API coverage: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Last function: | ||
| Source: | Code function: | 3_2_6CDF0C06 | |
| Source: | Code function: | 3_2_6CDC2A10 | |
| Source: | Code function: | 3_2_6CDC3420 | |
| Source: | Code function: | 3_2_6CDC30F0 | |
| Source: | Code function: | 5_2_6D080C06 | |
| Source: | Code function: | 5_2_6D052A10 | |
| Source: | Code function: | 5_2_6D053420 | |
| Source: | Code function: | 5_2_6D0530F0 | |
| Source: | Code function: | 3_2_6CDC1200 | |
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Code function: | 3_2_6CDE5874 | |
| Source: | Code function: | 3_2_6CDCCF60 | |
| Source: | Code function: | 3_2_6CDEBD10 | |
| Source: | Code function: | 3_2_6CDE8899 | |
| Source: | Code function: | 5_2_6D07BD10 | |
| Source: | Code function: | 5_2_6D078899 | |
| Source: | Code function: | 3_2_6CDECD0A | |
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Code function: | 3_2_6CDE5874 | |
| Source: | Code function: | 3_2_6CDE2B02 | |
| Source: | Code function: | 3_2_6CDDA450 | |
| Source: | Code function: | 3_2_6CDE2157 | |
| Source: | Code function: | 5_2_6D075874 | |
| Source: | Code function: | 5_2_6D072B02 | |
| Source: | Code function: | 5_2_6D06A450 | |
| Source: | Code function: | 5_2_6D072157 | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 3_2_6CDE2CDC | |
| Source: | Code function: | 3_2_6CDC7FA0 | |
| Source: | Code function: | 3_2_6CDE2733 | |
| Source: | Code function: | 3_2_6CDC5F20 | |
| Source: | Code function: | 5_2_6D055F20 | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Command and Scripting Interpreter | 1 DLL Side-Loading | 12 Process Injection | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 12 Process Injection | LSASS Memory | 2 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Rundll32 | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 32% | ReversingLabs | Win32.Trojan.Generic | ||
| 100% | Avira | TR/Agent.ajqud |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1524368 |
| Start date and time: | 2024-10-02 18:15:30 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 2m 19s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 6 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | AB5tAhygtM.dllrenamed because original name is a hash value |
| Original Sample Name: | 6655c5686b9b0292cf5121fc6346341bb888704b421a85a15011456a9a2c192a.dll |
| Detection: | MAL |
| Classification: | mal60.winDLL@10/0@0/0 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Not all processes where analyzed, report is missing behavior information
- VT rate limit hit for: AB5tAhygtM.dll
| Time | Type | Description |
|---|---|---|
| 12:16:22 | API Interceptor |
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 6.480361478505443 |
| TrID: |
|
| File name: | AB5tAhygtM.dll |
| File size: | 280'576 bytes |
| MD5: | 1e6c67456dd21d7fb2967364cf4735af |
| SHA1: | 42a3d252faa7d7457c7f708ec6f44f3c1afd843e |
| SHA256: | 6655c5686b9b0292cf5121fc6346341bb888704b421a85a15011456a9a2c192a |
| SHA512: | b155f06c3688e87093c9099cb54ecfee28f266ae193cb421afea690ed5ff5670008ec10f16d8cfd950a426f3bba591e42a454dbe4346918b296a1b4132ca42cc |
| SSDEEP: | 6144:zz11tl29svfzBgdhAZihii86QP+KTBk2NhVGU:f1t/vfzBgdhRu6QP/Te2NhVb |
| TLSH: | CD548D10F141C136E8FB047B8EFA99BE956CBB21039490C793CC2A6E5F264F17A3155B |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........bJ5..$f..$f..$f.g'g..$f.g!g;.$f.g g..$f.k g..$f.k'g..$f.k!g..$f.g%g..$f..%f..$f.j-g..$f.j$g..$f.j&g..$fRich..$f............... |
 | |
| Icon Hash: | 7ae282899bbab082 |
| Entrypoint: | 0x1002269e |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x10000000 |
| Subsystem: | windows cui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT |
| Time Stamp: | 0x64181471 [Mon Mar 20 08:08:17 2023 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 373fbafe0063f9900a2de867dbe96fa1 |
| Instruction |
|---|
| push ebp |
| mov ebp, esp |
| cmp dword ptr [ebp+0Ch], 01h |
| jne 00007FC930CD0367h |
| call 00007FC930CD0439h |
| push dword ptr [ebp+10h] |
| push dword ptr [ebp+0Ch] |
| push dword ptr [ebp+08h] |
| call 00007FC930CD0218h |
| add esp, 0Ch |
| pop ebp |
| retn 000Ch |
| push ebp |
| mov ebp, esp |
| push esi |
| push dword ptr [ebp+08h] |
| mov esi, ecx |
| call 00007FC930CCFC78h |
| mov dword ptr [esi], 1003636Ch |
| mov eax, esi |
| pop esi |
| pop ebp |
| retn 0004h |
| and dword ptr [ecx+04h], 00000000h |
| mov eax, ecx |
| and dword ptr [ecx+08h], 00000000h |
| mov dword ptr [ecx+04h], 10036374h |
| mov dword ptr [ecx], 1003636Ch |
| ret |
| push ebp |
| mov ebp, esp |
| sub esp, 0Ch |
| lea ecx, dword ptr [ebp-0Ch] |
| call 00007FC930CCFC2Dh |
| push 10041534h |
| lea eax, dword ptr [ebp-0Ch] |
| push eax |
| call 00007FC930CD1073h |
| int3 |
| push ebp |
| mov ebp, esp |
| sub esp, 0Ch |
| lea ecx, dword ptr [ebp-0Ch] |
| call 00007FC930CD0322h |
| push 1004163Ch |
| lea eax, dword ptr [ebp-0Ch] |
| push eax |
| call 00007FC930CD1056h |
| int3 |
| jmp 00007FC930CD5641h |
| push ebp |
| mov ebp, esp |
| sub esp, 14h |
| and dword ptr [ebp-0Ch], 00000000h |
| lea eax, dword ptr [ebp-0Ch] |
| and dword ptr [ebp-08h], 00000000h |
| push eax |
| call dword ptr [100361E8h] |
| mov eax, dword ptr [ebp-08h] |
| xor eax, dword ptr [ebp-0Ch] |
| mov dword ptr [ebp-04h], eax |
| call dword ptr [1003612Ch] |
| xor dword ptr [ebp-04h], eax |
| call dword ptr [10036130h] |
| xor dword ptr [ebp-04h], eax |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x41b60 | 0x48 | .rdata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x41ba8 | 0xa0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x46000 | 0x1fd4 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3f9e0 | 0x38 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x3fab8 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3fa18 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x36000 | 0x2b4 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x34b80 | 0x34c00 | f06874a8f9fd5c51cf7714bb8d25f642 | False | 0.46019697867298576 | data | 6.349757647880202 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x36000 | 0xcb12 | 0xcc00 | 06b08a20aacf8437cbb8b274307b965d | False | 0.5280522365196079 | data | 5.891693036481658 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x43000 | 0x255c | 0xc00 | 54fedaa6507a806ffee94ebd0affafc9 | False | 0.2431640625 | data | 3.223015662132781 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .reloc | 0x46000 | 0x1fd4 | 0x2000 | bdafd52ce01017805fd7a22199c3f91e | False | 0.79296875 | data | 6.631484854475961 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| DLL | Import |
|---|---|
| KERNEL32.dll | FindClose, GetFileAttributesW, SetFileAttributesW, GetLastError, lstrcatW, DeleteFileW, CreateThread, CreateProcessW, CopyFileW, lstrcpyW, lstrcmpW, MoveFileW, ReadFile, WriteFile, WaitForSingleObject, Sleep, SetFilePointerEx, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, SetFilePointer, lstrcatA, CreateFileA, CreatePipe, PeekNamedPipe, SetEvent, GetStartupInfoA, DeleteCriticalSection, CreateProcessA, CreateEventA, Process32First, TerminateProcess, OpenProcess, CreateToolhelp32Snapshot, LoadLibraryA, SetFileTime, GetProcAddress, FormatMessageA, GetEnvironmentVariableW, TerminateThread, GetTickCount, CreateNamedPipeA, lstrcpyA, ConnectNamedPipe, ReleaseSemaphore, WaitForMultipleObjects, CreateSemaphoreA, GlobalAlloc, GlobalFree, GlobalLock, GlobalUnlock, SetEndOfFile, UnmapViewOfFile, CreateFileMappingA, GetFileSize, MapViewOfFile, ResetEvent, GetCommandLineW, ExitProcess, WideCharToMultiByte, SetUnhandledExceptionFilter, GetCurrentProcess, GetCurrentThreadId, GetCurrentProcessId, GetModuleFileNameW, LocalAlloc, LocalFree, WriteConsoleW, HeapReAlloc, HeapSize, GetStringTypeW, SetStdHandle, GetConsoleMode, RemoveDirectoryW, lstrlenW, FindNextFileW, FindFirstFileW, GetStartupInfoW, CreateDirectoryW, GetDriveTypeW, CloseHandle, GetDiskFreeSpaceExW, GetLogicalDriveStringsW, CreateFileW, Process32Next, GetConsoleCP, FlushFileBuffers, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, MultiByteToWideChar, GetCommandLineA, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindFirstFileExW, GetFileType, GetStdHandle, LCMapStringW, HeapFree, HeapAlloc, GetModuleHandleExW, LoadLibraryExW, FreeLibrary, TlsFree, UnhandledExceptionFilter, IsProcessorFeaturePresent, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetModuleHandleW, RtlUnwind, RaiseException, InterlockedFlushSList, SetLastError, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, DecodePointer |
| USER32.dll | wsprintfA, GetDC, EnumDisplaySettingsA, ReleaseDC |
| GDI32.dll | DeleteDC, BitBlt, SelectObject, CreateCompatibleDC, RealizePalette, GetStockObject, GetDIBits, GetDeviceCaps, SelectPalette, DeleteObject, CreateDCA, GetObjectA |
| SHELL32.dll | CommandLineToArgvW |
| ole32.dll | StgCreateDocfile, CreateStreamOnHGlobal |
| gdiplus.dll | GdipSetWorldTransform, GdipCloneBitmapArea, GdipLoadImageFromStreamICM, GdipFree, GdipTranslateMatrix, GdipCreateBitmapFromGraphics, GdipGetImageGraphicsContext, GdipDisposeImage, GdipGetImageEncodersSize, GdipDeleteGraphics, GdipGetImageWidth, GdipSaveImageToStream, GdipDeleteMatrix, GdipLoadImageFromStream, GdiplusStartup, GdiplusShutdown, GdipGetImageHeight, GdipCreateMatrix, GdipAlloc, GdipCloneImage, GdipTransformMatrixPoints, GdipGetImageEncoders, GdipDrawImage |
| dbghelp.dll | MiniDumpWriteDump |
| Name | Ordinal | Address |
|---|---|---|
| ModuleMain | 1 | 0x1001a720 |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
Click to jump to process
Click to jump to process
Click to jump to process
| Target ID: | 0 |
| Start time: | 12:16:19 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\System32\loaddll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xad0000 |
| File size: | 126'464 bytes |
| MD5 hash: | 51E6071F9CBA48E79F10C84515AAE618 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 12:16:19 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7699e0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 12:16:19 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x240000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 12:16:19 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x190000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 12:16:19 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x190000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 5 |
| Start time: | 12:16:22 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x190000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 0.4% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 5.3% |
| Total number of Nodes: | 1740 |
| Total number of Limit Nodes: | 27 |
Graph
Function 6CDDA720 Relevance: 4.5, APIs: 3, Instructions: 22COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDEE098 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDE994C Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDC30F0 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 193stringfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDCCF60 Relevance: 23.1, APIs: 6, Strings: 7, Instructions: 370libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDC5F20 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 285stringprocesspipeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDC7FA0 Relevance: 9.1, APIs: 6, Instructions: 104pipeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDC66B0 Relevance: 9.1, APIs: 6, Instructions: 72processCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDC1200 Relevance: 4.6, APIs: 3, Instructions: 100COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDEE7E0 Relevance: 3.5, APIs: 2, Instructions: 457COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDF0C06 Relevance: 3.0, APIs: 2, Instructions: 40COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDDA450 Relevance: 1.7, APIs: 1, Instructions: 155COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDDB760 Relevance: 1.6, Strings: 1, Instructions: 378COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDDB230 Relevance: 1.6, Strings: 1, Instructions: 344COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDECD0A Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDDAFD0 Relevance: .2, Instructions: 175COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDDB01E Relevance: .1, Instructions: 114COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDF2352 Relevance: .1, Instructions: 105COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDF2226 Relevance: .1, Instructions: 85COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDEBD10 Relevance: .0, Instructions: 23COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDD9D70 Relevance: 34.7, APIs: 23, Instructions: 237synchronizationsleepCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDCC280 Relevance: 33.5, APIs: 17, Strings: 2, Instructions: 239windowmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDC7040 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 247pipeCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDCCC50 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 227windowmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDED1F3 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDC8230 Relevance: 24.1, APIs: 16, Instructions: 131synchronizationthreadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDD9740 Relevance: 18.1, APIs: 12, Instructions: 142COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDD9B70 Relevance: 15.1, APIs: 10, Instructions: 93COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDE95C2 Relevance: 15.1, APIs: 10, Instructions: 70COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDD0640 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 267stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDD1FE0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 188fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDD2230 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 188fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDC6460 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 113libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDCB4A0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97synchronizationCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDC2D00 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 73stringprocessCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDC80E0 Relevance: 12.1, APIs: 8, Instructions: 98threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDD95F0 Relevance: 12.1, APIs: 8, Instructions: 92COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDC78A0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 98stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDE9A17 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDD1F40 Relevance: 10.6, APIs: 7, Instructions: 58fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDC9550 Relevance: 9.2, APIs: 6, Instructions: 222COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDC7C10 Relevance: 9.1, APIs: 6, Instructions: 122pipeCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDC2F40 Relevance: 9.0, APIs: 6, Instructions: 43fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDC2EC0 Relevance: 9.0, APIs: 6, Instructions: 41fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDC3070 Relevance: 9.0, APIs: 6, Instructions: 37fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDE891F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDD4E50 Relevance: 7.6, APIs: 5, Instructions: 117memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDD4C70 Relevance: 7.6, APIs: 5, Instructions: 115memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDD54C0 Relevance: 7.6, APIs: 5, Instructions: 71COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDD55B0 Relevance: 7.6, APIs: 5, Instructions: 71COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDC6600 Relevance: 7.5, APIs: 5, Instructions: 49processCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDCD5E0 Relevance: 6.4, APIs: 5, Instructions: 145sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDC54A0 Relevance: 6.1, APIs: 4, Instructions: 119fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDC52A0 Relevance: 6.1, APIs: 4, Instructions: 89fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDEC211 Relevance: 6.0, APIs: 4, Instructions: 36COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDD1ED0 Relevance: 6.0, APIs: 4, Instructions: 35fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDE9146 Relevance: 6.0, APIs: 4, Instructions: 19COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDEB6B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDE2103 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDD7D10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDC20A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDCD8A0 Relevance: 5.2, APIs: 4, Instructions: 176sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDCE590 Relevance: 5.0, APIs: 4, Instructions: 50COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CDCDE50 Relevance: 5.0, APIs: 4, Instructions: 37COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 0.4% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 1623 |
| Total number of Limit Nodes: | 23 |
Graph
Function 6D06A720 Relevance: 4.5, APIs: 3, Instructions: 22COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D07E098 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D07994C Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0530F0 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 193stringfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D055F20 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 285stringprocesspipeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D069D70 Relevance: 34.7, APIs: 23, Instructions: 237synchronizationsleepCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D05C280 Relevance: 33.5, APIs: 17, Strings: 2, Instructions: 239windowmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D057040 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 247pipeCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D05CC50 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 227windowmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D07D1F3 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D058230 Relevance: 24.1, APIs: 16, Instructions: 131synchronizationthreadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D05CF60 Relevance: 23.1, APIs: 6, Strings: 7, Instructions: 370libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D069740 Relevance: 18.1, APIs: 12, Instructions: 142COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D069B70 Relevance: 15.1, APIs: 10, Instructions: 93COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0795C2 Relevance: 15.1, APIs: 10, Instructions: 70COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D060640 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 267stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D061FE0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 188fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D062230 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 188fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D056460 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 113libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D05B4A0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97synchronizationCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D052D00 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 73stringprocessCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0580E0 Relevance: 12.1, APIs: 8, Instructions: 98threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0695F0 Relevance: 12.1, APIs: 8, Instructions: 92COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0578A0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 98stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D079A17 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D061F40 Relevance: 10.6, APIs: 7, Instructions: 58fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D059550 Relevance: 9.2, APIs: 6, Instructions: 222COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D057C10 Relevance: 9.1, APIs: 6, Instructions: 122pipeCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D057FA0 Relevance: 9.1, APIs: 6, Instructions: 104pipeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0566B0 Relevance: 9.1, APIs: 6, Instructions: 72processCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D052F40 Relevance: 9.0, APIs: 6, Instructions: 43fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D052EC0 Relevance: 9.0, APIs: 6, Instructions: 41fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D053070 Relevance: 9.0, APIs: 6, Instructions: 37fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D07891F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D064E50 Relevance: 7.6, APIs: 5, Instructions: 117memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D064C70 Relevance: 7.6, APIs: 5, Instructions: 115memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0655B0 Relevance: 7.6, APIs: 5, Instructions: 71COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0654C0 Relevance: 7.6, APIs: 5, Instructions: 71COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D056600 Relevance: 7.5, APIs: 5, Instructions: 49processCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D05D5E0 Relevance: 6.4, APIs: 5, Instructions: 145sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0554A0 Relevance: 6.1, APIs: 4, Instructions: 119fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0552A0 Relevance: 6.1, APIs: 4, Instructions: 89fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D07C211 Relevance: 6.0, APIs: 4, Instructions: 36COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D061ED0 Relevance: 6.0, APIs: 4, Instructions: 35fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D079146 Relevance: 6.0, APIs: 4, Instructions: 19COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D07B6B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D072103 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D067D10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D0520A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D05D8A0 Relevance: 5.2, APIs: 4, Instructions: 176sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D05E590 Relevance: 5.0, APIs: 4, Instructions: 50COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6D05DE50 Relevance: 5.0, APIs: 4, Instructions: 37COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|