Windows
Analysis Report
diCTAJuHTs.exe
Overview
General Information
Sample name: | diCTAJuHTs.exerenamed because original name is a hash value |
Original sample name: | 9ecab398729b9a2e9d1c843707c40054.exe |
Analysis ID: | 1580282 |
MD5: | 9ecab398729b9a2e9d1c843707c40054 |
SHA1: | 282b755423a18cf801f013694b9d4a4ff04a0d78 |
SHA256: | 68a7291a46870781bb9088ac64e7890087eb5ca851973c0d8d0b7566e650eabc |
Tags: | exeuser-abuse_ch |
Infos: | |
Detection
Score: | 48 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- diCTAJuHTs.exe (PID: 7120 cmdline:
"C:\Users\ user\Deskt op\diCTAJu HTs.exe" MD5: 9ECAB398729B9A2E9D1C843707C40054)
- cleanup
Click to jump to signature section
AV Detection |
---|
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Source: | Static PE information: |
Source: | Code function: | 0_2_00007FF7DDF2C06C | |
Source: | Code function: | 0_2_00007FF7DDF21DAC | |
Source: | Code function: | 0_2_00007FF7DDF21DAC |
Source: | Code function: | 0_2_00007FF7DDF2FF2C | |
Source: | Code function: | 0_2_00007FF7DDF19760 | |
Source: | Code function: | 0_2_00007FF7DDF11B80 | |
Source: | Code function: | 0_2_00007FF7DDF17FCC | |
Source: | Code function: | 0_2_00007FF7DDF22BE0 | |
Source: | Code function: | 0_2_00007FF7DDF287F4 | |
Source: | Code function: | 0_2_00007FF7DDF1E80C | |
Source: | Code function: | 0_2_00007FF7DDF30010 | |
Source: | Code function: | 0_2_00007FF7DDF33C18 | |
Source: | Code function: | 0_2_00007FF7DDF2B13C | |
Source: | Code function: | 0_2_00007FF7DDF1A060 | |
Source: | Code function: | 0_2_00007FF7DDF2C06C | |
Source: | Code function: | 0_2_00007FF7DDF2E0C0 | |
Source: | Code function: | 0_2_00007FF7DDF2E4EC | |
Source: | Code function: | 0_2_00007FF7DDF1790D | |
Source: | Code function: | 0_2_00007FF7DDF2B13C | |
Source: | Code function: | 0_2_00007FF7DDF1E5A4 | |
Source: | Code function: | 0_2_00007FF7DDF21DAC | |
Source: | Code function: | 0_2_00007FF7DDF26DE0 | |
Source: | Code function: | 0_2_00007FF7DDF29200 | |
Source: | Code function: | 0_2_00007FF7DDF30A18 | |
Source: | Code function: | 0_2_00007FF7DDF24684 | |
Source: | Code function: | 0_2_00007FF7DDF17AA4 | |
Source: | Code function: | 0_2_00007FF7DDF302A4 | |
Source: | Code function: | 0_2_00007FF7DDF162D0 | |
Source: | Code function: | 0_2_00007FF7DDF182D8 | |
Source: | Code function: | 0_2_00007FF7DDF21DAC | |
Source: | Code function: | 0_2_00007FF7DDF20700 |
Source: | Code function: |
Source: | Classification label: |
Source: | Code function: | 0_2_00007FF7DDF16FA0 |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | File read: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Code function: | 0_2_00007FF7DDF13C90 |
Source: | Check user administrative privileges: | graph_0-15779 |
Source: | API coverage: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Code function: | 0_2_00007FF7DDF2C06C | |
Source: | Code function: | 0_2_00007FF7DDF21DAC | |
Source: | Code function: | 0_2_00007FF7DDF21DAC |
Source: | Binary or memory string: |
Source: | Code function: | 0_2_00007FF7DDF25750 |
Source: | Code function: | 0_2_00007FF7DDF2DB48 |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Code function: | 0_2_00007FF7DDF25750 | |
Source: | Code function: | 0_2_00007FF7DDF1B0C4 | |
Source: | Code function: | 0_2_00007FF7DDF1A8DC | |
Source: | Code function: | 0_2_00007FF7DDF1AEE0 |
Source: | Code function: | 0_2_00007FF7DDF33A60 |
Source: | Code function: | 0_2_00007FF7DDF1ADC8 |
Source: | Code function: | 0_2_00007FF7DDF30010 |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | LSASS Memory | 21 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | 13 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
38% | Virustotal | Browse | ||
42% | ReversingLabs | Win64.Trojan.Generic |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1580282 |
Start date and time: | 2024-12-24 08:45:58 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 2m 18s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 2 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | diCTAJuHTs.exerenamed because original name is a hash value |
Original Sample Name: | 9ecab398729b9a2e9d1c843707c40054.exe |
Detection: | MAL |
Classification: | mal48.winEXE@1/0@0/0 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe
- Report size getting too big, too many NtSetInformationFile calls found.
File type: | |
Entropy (8bit): | 7.9966455409097 |
TrID: |
|
File name: | diCTAJuHTs.exe |
File size: | 14'444'897 bytes |
MD5: | 9ecab398729b9a2e9d1c843707c40054 |
SHA1: | 282b755423a18cf801f013694b9d4a4ff04a0d78 |
SHA256: | 68a7291a46870781bb9088ac64e7890087eb5ca851973c0d8d0b7566e650eabc |
SHA512: | e99e4437c12d443f6458d337453ef829b209a0b68d0df64ba1fd3db26854552eae18fe1bf263c0b31c319fcc6ab766b3accb96b093b3000e89fb1e28a463e09c |
SSDEEP: | 393216:bSatY8L2Vmd6melh2pOc/e+7G99YP0BmRFN+MebJ:bSai8yVmdKQpOun0ApiJ |
TLSH: | ABE6334053A00BD8F46A883388779517EB76F4AA579BDB8F875186600FB32FB9D71390 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'X.8c9.kc9.kc9.kwR.jh9.kwR.jd9.kwR.j.9.k.V#kg9.k1L.jE9.k1L.jr9.k1L.jj9.kwR.jh9.kc9.k.9.k.L.jp9.k.L.jb9.kRichc9.k............... |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x14000a8c8 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x140000000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x6750E25E [Wed Dec 4 23:14:38 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 2 |
File Version Major: | 5 |
File Version Minor: | 2 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 2 |
Import Hash: | c5640c7a22008f949f9bc94a27623f95 |
Instruction |
---|
dec eax |
sub esp, 28h |
call 00007FE8FC61AA6Ch |
dec eax |
add esp, 28h |
jmp 00007FE8FC61A3EFh |
int3 |
int3 |
inc eax |
push ebx |
dec eax |
sub esp, 20h |
dec eax |
mov ebx, ecx |
xor ecx, ecx |
call dword ptr [0001A8D3h] |
dec eax |
mov ecx, ebx |
call dword ptr [0001A8C2h] |
call dword ptr [0001A83Ch] |
dec eax |
mov ecx, eax |
mov edx, C0000409h |
dec eax |
add esp, 20h |
pop ebx |
dec eax |
jmp dword ptr [0001A8B8h] |
dec eax |
mov dword ptr [esp+08h], ecx |
dec eax |
sub esp, 38h |
mov ecx, 00000017h |
call dword ptr [0001A8ACh] |
test eax, eax |
je 00007FE8FC61A579h |
mov ecx, 00000002h |
int 29h |
dec eax |
lea ecx, dword ptr [0003B6DAh] |
call 00007FE8FC61A73Eh |
dec eax |
mov eax, dword ptr [esp+38h] |
dec eax |
mov dword ptr [0003B7C1h], eax |
dec eax |
lea eax, dword ptr [esp+38h] |
dec eax |
add eax, 08h |
dec eax |
mov dword ptr [0003B751h], eax |
dec eax |
mov eax, dword ptr [0003B7AAh] |
dec eax |
mov dword ptr [0003B61Bh], eax |
dec eax |
mov eax, dword ptr [esp+40h] |
dec eax |
mov dword ptr [0003B71Fh], eax |
mov dword ptr [0003B5F5h], C0000409h |
mov dword ptr [0003B5EFh], 00000001h |
mov dword ptr [0003B5F9h], 00000001h |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x35b18 | 0x78 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4b000 | 0x5fc | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x48000 | 0x1de8 | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4c000 | 0x748 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x33920 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x33940 | 0x138 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x25000 | 0x3e8 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x235d0 | 0x23600 | 050ad070d74c0ab2baca6ee9c3b61b5d | False | 0.5690426236749117 | data | 6.471510843579973 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x25000 | 0x11898 | 0x11a00 | 41b70ae4502758e24e137cafe311eeb7 | False | 0.4956504875886525 | PGP symmetric key encrypted data - Plaintext or unencrypted data | 5.711786264889031 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x37000 | 0x10398 | 0xc00 | b88590ca230f956ba7b5bffcbee69475 | False | 0.138671875 | data | 1.8589891596226968 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x48000 | 0x1de8 | 0x1e00 | 626ab1518bc3687e03dacd39bbfde649 | False | 0.4921875 | data | 5.392285019157171 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
_RDATA | 0x4a000 | 0xf4 | 0x200 | 3fa4bb815d2865eb13ca6b140ccf210f | False | 0.302734375 | data | 1.9616758456060694 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x4b000 | 0x5fc | 0x600 | e9f38e874665b2f0eec96d08193b0b48 | False | 0.4609375 | data | 5.4060894423190256 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x4c000 | 0x748 | 0x800 | ab10229e6319ea5b4dde9f2a80ec60f0 | False | 0.55322265625 | data | 5.222259043944798 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_MANIFEST | 0x4b058 | 0x5a2 | XML 1.0 document, ASCII text, with CRLF line terminators | 0.45145631067961167 |
DLL | Import |
---|---|
USER32.dll | CreateWindowExW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW |
COMCTL32.dll | |
KERNEL32.dll | GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, FlushFileBuffers, GetCurrentDirectoryW, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, GetLastError, SetDllDirectoryW, GetModuleFileNameW, GetProcAddress, GetEnvironmentStringsW, GetEnvironmentVariableW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, CreateDirectoryW, GetTempPathW, WaitForSingleObject, Sleep, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LoadLibraryExW, CloseHandle, GetCurrentProcess, LocalFree, FormatMessageW, MultiByteToWideChar, WideCharToMultiByte, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, GetCommandLineW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, RaiseException, GetCommandLineA, CreateFileW, GetDriveTypeW, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetFullPathNameW, RemoveDirectoryW, FindClose, FindFirstFileExW, FindNextFileW, SetStdHandle, SetConsoleCtrlHandler, DeleteFileW, ReadFile, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, CompareStringW, LCMapStringW |
ADVAPI32.dll | OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW |
GDI32.dll | SelectObject, DeleteObject, CreateFontIndirectW |
Target ID: | 0 |
Start time: | 02:46:48 |
Start date: | 24/12/2024 |
Path: | C:\Users\user\Desktop\diCTAJuHTs.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7ddf10000 |
File size: | 14'444'897 bytes |
MD5 hash: | 9ECAB398729B9A2E9D1C843707C40054 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Execution Graph
Execution Coverage: | 4.9% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 10.9% |
Total number of Nodes: | 2000 |
Total number of Limit Nodes: | 41 |
Graph
Function 00007FF7DDF117A0 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 144COMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF11000 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 274COMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF26408 Relevance: 10.8, APIs: 7, Instructions: 291COMMONLIBRARYCODE
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF12760 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55windowCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF1C980 Relevance: 3.2, APIs: 2, Instructions: 175COMMONLIBRARYCODE
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF26860 Relevance: 1.6, APIs: 1, Instructions: 104COMMONLIBRARYCODE
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF262EC Relevance: 1.6, APIs: 1, Instructions: 74COMMONLIBRARYCODE
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF1CC00 Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF29550 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF13C90 Relevance: 285.7, APIs: 54, Strings: 109, Instructions: 443libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF11B80 Relevance: 43.9, APIs: 20, Strings: 5, Instructions: 188windowCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF2E4EC Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1209COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF16FA0 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 52windowCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF162D0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 139COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF25750 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF2FF2C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 244COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF287F4 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 251COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF29200 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 220COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF33C18 Relevance: 3.2, APIs: 2, Instructions: 232COMMONLIBRARYCODE
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF19760 Relevance: .2, Instructions: 197COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF20700 Relevance: .1, Instructions: 138COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF24684 Relevance: .1, Instructions: 126COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF33A60 Relevance: .0, Instructions: 32COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF1B0C4 Relevance: .0, Instructions: 2COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF151F0 Relevance: 166.5, APIs: 31, Strings: 64, Instructions: 287libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF11440 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 133COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF17300 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 90COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF12020 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF112B0 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 106COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF11050 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 156COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF170F0 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 104COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF16AC0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 93processsynchronizationCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF175A0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 63COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF17690 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 99COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF15FD0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 88COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF1C420 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF17490 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 68COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF32280 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF12230 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF12610 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67windowCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF243E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF33854 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF2A940 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF124C0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67windowCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF13A40 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF1DD10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 145COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF28C64 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF148D0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 123COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF239A8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF274EC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF29DD4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF12870 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55windowCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF2982C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF29A98 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF2A7E8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF29A34 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF7DDF299E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|