Edit tour
Windows
Analysis Report
90m2xwxCOf.exe
Overview
General Information
| Sample name: | 90m2xwxCOf.exerenamed because original name is a hash value |
| Original sample name: | 3327701929db65a98836f1241b3218ff.exe |
| Analysis ID: | 1580927 |
| MD5: | 3327701929db65a98836f1241b3218ff |
| SHA1: | 43e1532366295da9e3729355fddb0c1be60065e0 |
| SHA256: | 77b74d8f3ad5c7058ac3742324341f17060d89a82b3545bbd357b191e9a2b5ef |
| Tags: | exeuser-abuse_ch |
| Infos: | |
 | |
Detection
| Score: | 56 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Tries to detect virtualization through RDTSC time measurements
Contains functionality to query CPU information (cpuid)
Detected potential crypto function
Found potential string decryption / allocating functions
PE file contains an invalid checksum
Program does not show much activity (idle)
Classification
- System is w10x64
90m2xwxCOf.exe (PID: 1384 cmdline: "C:\Users\ user\Deskt op\90m2xwx COf.exe" MD5: 3327701929DB65A98836F1241B3218FF)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 1_2_00007FF716211740 | |
| Source: | Code function: | 1_2_00007FF716229728 | |
| Source: | Code function: | 1_2_00007FF716218794 | |
| Source: | Code function: | 1_2_00007FF716211F60 | |
| Source: | Code function: | 1_2_00007FF716201000 | |
| Source: | Code function: | 1_2_00007FF716209800 | |
| Source: | Code function: | 1_2_00007FF716221874 | |
| Source: | Code function: | 1_2_00007FF7162208C8 | |
| Source: | Code function: | 1_2_00007FF7162240AC | |
| Source: | Code function: | 1_2_00007FF7162180E4 | |
| Source: | Code function: | 1_2_00007FF716211D54 | |
| Source: | Code function: | 1_2_00007FF716215D30 | |
| Source: | Code function: | 1_2_00007FF71621E570 | |
| Source: | Code function: | 1_2_00007FF716249D66 | |
| Source: | Code function: | 1_2_00007FF7162135A0 | |
| Source: | Code function: | 1_2_00007FF716225E7C | |
| Source: | Code function: | 1_2_00007FF716219EA0 | |
| Source: | Code function: | 1_2_00007FF71621DEF0 | |
| Source: | Code function: | 1_2_00007FF716211B50 | |
| Source: | Code function: | 1_2_00007FF716223C10 | |
| Source: | Code function: | 1_2_00007FF716212C10 | |
| Source: | Code function: | 1_2_00007FF716225C00 | |
| Source: | Code function: | 1_2_00007FF716226418 | |
| Source: | Code function: | 1_2_00007FF7162208C8 | |
| Source: | Code function: | 1_2_00007FF71620A47B | |
| Source: | Code function: | 1_2_00007FF71620ACAD | |
| Source: | Code function: | 1_2_00007FF716211944 | |
| Source: | Code function: | 1_2_00007FF716226964 | |
| Source: | Code function: | 1_2_00007FF716212164 | |
| Source: | Code function: | 1_2_00007FF7162139A4 | |
| Source: | Code function: | 1_2_00007FF7162089E0 | |
| Source: | Code function: | 1_2_00007FF71621DA5C | |
| Source: | Code function: | 1_2_00007FF71620A2DB | |
| Source: | Code function: | 1_2_000002A639ECFBD8 | |
| Source: | Code function: | 1_2_000002A639EC3AD8 | |
| Source: | Code function: | 1_2_000002A639ECD9AC | |
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | Virustotal: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
Malware Analysis System Evasion | |
|---|
| Source: | RDTSC instruction interceptor: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Code function: | 1_2_00007FF716229570 | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 2 Software Packing | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 111 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 34% | ReversingLabs | |||
| 20% | Virustotal | Browse |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | high |
⊘No contacted IP infos
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1580927 |
| Start date and time: | 2024-12-26 13:15:19 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 2m 18s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 2 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | 90m2xwxCOf.exerenamed because original name is a hash value |
| Original Sample Name: | 3327701929db65a98836f1241b3218ff.exe |
| Detection: | MAL |
| Classification: | mal56.evad.winEXE@1/0@0/0 |
| EGA Information: |
|
| HCA Information: | Failed |
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe
- Excluded IPs from analysis (whitelisted): 13.107.246.63
- Excluded domains from analysis (whitelisted): otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net
⊘No simulations
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| s-part-0035.t-0009.t-msedge.net | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | Iris Stealer | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Stealc | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
|
⊘No context
⊘No context
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 7.7226336070570945 |
| TrID: |
|
| File name: | 90m2xwxCOf.exe |
| File size: | 3'273'105 bytes |
| MD5: | 3327701929db65a98836f1241b3218ff |
| SHA1: | 43e1532366295da9e3729355fddb0c1be60065e0 |
| SHA256: | 77b74d8f3ad5c7058ac3742324341f17060d89a82b3545bbd357b191e9a2b5ef |
| SHA512: | 196f74c100bdfbe24554599c868f4eb0ff8681fec597bd50ad2c3e77b12d70709b4fa112ed9dd64f2287ea28a900271ecd83cc298d3a087bdbcf57c81f3861eb |
| SSDEEP: | 49152:QF1Vrv/5gYZ5rS1dexg5qJYaAQTG35GqgRZBtS6keBp4TfnPSjkU:QFrxgYZ5rEuvJJDIGfLkmSvajh |
| TLSH: | 99E5AEC931D51079C36EC3BE8D11356E7B203BD25228A74628D94E41BB336BEA93DB35 |
| File Content Preview: | MZ......................@...............SENS............................!..L.!This program cannot be run in DOS mode....$...........Zpc.Zpc.Zpc...`.]pc...f..pc...g.Ppc.....Ypc...`.Spc...g.Kpc...f.rpc...b.Qpc.Zpb..pc.O.g.Cpc.O.a.[pc.RichZpc.........PE..d.. |
 | |
| Icon Hash: | 0f3391d999f17117 |
| Entrypoint: | 0x140117898 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x140000000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x66C6DF60 [Thu Aug 22 06:49:04 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | d21e351310836af6b870c53243cea736 |
| Instruction |
|---|
| jmp 00007F6424ABAE28h |
| push ebp |
| push ebx |
| jnle 00007F6424AFEF89h |
| xor bh, byte ptr [ecx-17h] |
| aas |
| les esi, esp |
| jmp far fword ptr [esi+20h] |
| push ebp |
| retn FAADh |
| push esp |
| call 00007F6424AE0278h |
| push ecx |
| dec eax |
| mov eax, 0003F6B4h |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| call 00007F6424B30C80h |
| call 00007F6424B05FBBh |
| or eax, BA3BBD16h |
| aaa |
| test eax, E54A30A3h |
| mov cl, A8h |
| inc edi |
| add dword ptr [esp+ecx], ebx |
| add byte ptr [esp], bl |
| or al, 00h |
| sbb al, 54h |
| or eax, dword ptr [eax] |
| sbb al, 34h |
| or al, byte ptr [eax] |
| sbb al, 32h |
| sbb al, dh |
| push ss |
| loopne 00007F6424AFEF26h |
| rcl byte ptr [edx], 1 |
| rcl byte ptr [eax], 00000070h |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| pushfd |
| pushfd |
| dec eax |
| add ebp, 13h |
| popfd |
| dec eax |
| lea ebp, dword ptr [ebp-13h] |
| call 00007F6424AFEF15h |
| push edx |
| dec eax |
| mov edx, dword ptr [esp+04h] |
| pop edx |
| dec eax |
| add dword ptr [esp+00h], FFFC32EDh |
| dec eax |
| xchg dword ptr [esp+00h], ebx |
| dec eax |
| mov eax, eax |
| dec eax |
| xchg dword ptr [esp+08h], ebx |
| push esi |
| dec eax |
| mov esi, dword ptr [esp+08h] |
| dec eax |
| lea esi, dword ptr [esi+7Dh] |
| dec eax |
| xchg dword ptr [esp+08h], esi |
| dec eax |
| mov dword ptr [esp+08h], esi |
| dec eax |
| mov esi, dword ptr [esp] |
| dec eax |
| lea esp, dword ptr [esp+08h] |
| dec eax |
| xchg dword ptr [esp+00h], ebx |
| pushfd |
| dec eax |
| add ebp, 1Dh |
| popfd |
| dec eax |
| lea ebp, dword ptr [ebp-1Dh] |
| popfd |
| push esi |
| dec eax |
| mov esi, ebx |
| pop esi |
| jmp 00007F6424AC21AEh |
| adc ecx, ebx |
| add byte ptr [eax], al |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1547a8 | 0x78 | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x160000 | 0x10e34 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x44000 | 0x2250 | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x15f000 | 0xd98 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3a080 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x39f40 | 0x140 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2b000 | 0x4a0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x29f00 | 0x2a000 | 9b3176f739b33206e45a84d232c8adcd | False | 0.5520193917410714 | data | 6.499379146650062 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x2b000 | 0x12a50 | 0x12c00 | 3f1a1721d605a8cee94b0556584d2fd9 | False | 0.5018489583333333 | data | 5.54333127102241 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x3e000 | 0x53f8 | 0xe00 | dba0caeecab624a0ccc0d577241601d1 | False | 0.134765625 | data | 1.8392217063172436 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .pdata | 0x44000 | 0x2250 | 0x2400 | 181312260a85d10a1454ba38901c499b | False | 0.4705946180555556 | data | 5.290347578351011 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x47000 | 0x11000 | 0x11000 | e033defec470b9ce6e057b3370ac2783 | False | 0.07585592830882353 | data | 3.3250246885737624 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .text | 0x58000 | 0xfc908 | 0xfca00 | feab23da9e95e73b1f452c540ba7a962 | False | 0.7092163146338446 | data | 7.308139118973473 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0x155000 | 0x9a68 | 0x9c00 | 696954a151a7ad2d9ca86207ed0ed038 | False | 0.23337339743589744 | data | 4.037993337931208 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .reloc | 0x15f000 | 0xd98 | 0xe00 | 13a7b84aa3f34bea42b74ed5c20291cd | False | 0.572265625 | data | 5.620738830469574 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x160000 | 0x10e34 | 0x11000 | f766e7fc8f58c288eb777d0451fc1d79 | False | 0.075927734375 | data | 3.261933371506805 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x160068 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | 0.06589376552703183 | ||
| RT_GROUP_ICON | 0x1708d0 | 0x14 | data | 1.15 | ||
| RT_MANIFEST | 0x170924 | 0x50d | XML 1.0 document, ASCII text | 0.4694508894044857 |
| DLL | Import |
|---|---|
| GDI32.dll | CreateFontIndirectW |
| ADVAPI32.dll | ConvertSidToStringSidW |
| KERNEL32.dll | FlsGetValue |
| COMCTL32.dll | |
| USER32.dll | SendMessageW |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Dec 26, 2024 13:16:08.164377928 CET | 1.1.1.1 | 192.168.2.9 | 0x8fbe | No error (0) | s-part-0035.t-0009.t-msedge.net | CNAME (Canonical name) | IN (0x0001) | false | ||
| Dec 26, 2024 13:16:08.164377928 CET | 1.1.1.1 | 192.168.2.9 | 0x8fbe | No error (0) | 13.107.246.63 | A (IP address) | IN (0x0001) | false |
| Target ID: | 1 |
| Start time: | 07:16:11 |
| Start date: | 26/12/2024 |
| Path: | C:\Users\user\Desktop\90m2xwxCOf.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff716200000 |
| File size: | 3'273'105 bytes |
| MD5 hash: | 3327701929DB65A98836F1241B3218FF |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 0.6% |
| Dynamic/Decrypted Code Coverage: | 68.8% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 16 |
| Total number of Limit Nodes: | 1 |
Graph
Function 000002A639EC1000 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 171windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7162240AC Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000002A639ECFBD8 Relevance: 1.8, APIs: 1, Instructions: 326COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF716229728 Relevance: 1.7, APIs: 1, Instructions: 228COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000002A639ECD9AC Relevance: .5, Instructions: 520COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7162208C8 Relevance: .5, Instructions: 462COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7162135A0 Relevance: .3, Instructions: 327COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF716209800 Relevance: .3, Instructions: 287COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF716226964 Relevance: .3, Instructions: 285COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF716212C10 Relevance: .2, Instructions: 241COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF71621E570 Relevance: .2, Instructions: 198COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF716226418 Relevance: .2, Instructions: 183COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF716249D66 Relevance: .2, Instructions: 156COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF716211D54 Relevance: .1, Instructions: 146COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF716211944 Relevance: .1, Instructions: 146COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF716212164 Relevance: .1, Instructions: 146COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF716211740 Relevance: .1, Instructions: 145COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF716211F60 Relevance: .1, Instructions: 145COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF716211B50 Relevance: .1, Instructions: 145COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF716215D30 Relevance: .1, Instructions: 138COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF716219EA0 Relevance: .1, Instructions: 126COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7162180E4 Relevance: .1, Instructions: 98COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF716229570 Relevance: .0, Instructions: 32COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF716201950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF716201600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145COMMON
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF716216290 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 493COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF716210FC8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF716201050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF716201470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107COMMON
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF71620EA08 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF716201210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158COMMON
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF716229368 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF716215FA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF71621FBC8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000002A639EC363C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 171COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF71620F288 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF71620D648 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 155COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF71620EED8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF716225B1C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|