Windows
Analysis Report
9HwMaWcccx.exe
Overview
General Information
Sample name: | 9HwMaWcccx.exe (renamed because original name is a hash value) |
Original sample name: | 3f766be1002f79cef2a8b0656f18ecb9.exe |
Analysis ID: | 1520466 |
MD5: | 3f766be1002f79cef2a8b0656f18ecb9 |
SHA1: | f2dfd38d36c8d938b5b64da74755a2b91a2a4fe6 |
SHA256: | 538657e0e69a3e37da94646672537f3c7764a81d0b0896c7305f06f799245d92 |
Tags: | exe, user-abuse_ch |
Infos: | |
Detection
Score: | 68 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- 9HwMaWcccx.exe (PID: 7404 cmdline: "C:\Users\user\Desktop\9HwMaWcccx.exe" MD5: 3F766BE1002F79CEF2A8B0656F18ECB9)
  - conhost.exe (PID: 7412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
KrBanker, BlackMoon | ThreatPost describes KRBanker (Blackmoon) as a banking Trojan designed to steal user credentials from various South Korean banking institutions. It was discovered in early 2014 and since then has adopted a variety of infection and credential stealing techniques. | No Attribution | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_blackmoon | Yara detected BlackMoon Ransomware | Joe Security | |
| MALWARE_Win_BlackMoon | Detects executables using BlackMoon RunTime | ditekSHen | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_blackmoon | Yara detected BlackMoon Ransomware | Joe Security | |
| JoeSecurity_blackmoon | Yara detected BlackMoon Ransomware | Joe Security | |
| JoeSecurity_blackmoon | Yara detected BlackMoon Ransomware | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_blackmoon | Yara detected BlackMoon Ransomware | Joe Security | |
| MALWARE_Win_BlackMoon | Detects executables using BlackMoon RunTime | ditekSHen | |
| JoeSecurity_blackmoon | Yara detected BlackMoon Ransomware | Joe Security | |
| MALWARE_Win_BlackMoon | Detects executables using BlackMoon RunTime | ditekSHen | |
| JoeSecurity_blackmoon | Yara detected BlackMoon Ransomware | Joe Security | |
AV Detection
Source: | ReversingLabs: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Binary string: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | Code function: | 0_2_00007FF69C2F6F90 |
Source: | Code function: | 0_2_00007FF69C2F7100 |
Source: | Code function: | 0_2_00007FF69C2F6F90 |
Spam, unwanted Advertisements and Ransom Demands
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
System Summary
Source: | Matched rule: |
Source: | Matched rule: |
Source: | Matched rule: |
Source: | Matched rule: |
Source: | Matched rule: |
Source: | Matched rule: |
Source: | Matched rule: |
Source: | Matched rule: |
Source: | Matched rule: |
Source: | Matched rule: |
Source: | Matched rule: |
Source: | Code function: | 0_2_00007FF69C309FB0 |
Source: | Code function: | 0_2_00007FF69C329FD0 |
Source: | Code function: | 0_2_00007FF69C3097B0 |
Source: | Code function: | 0_2_00007FF69C2E696A |
Source: | Code function: | 0_2_00007FF69C2E6D5E |
Source: | Code function: | 0_2_00007FF69C2F85B0 |
Source: | Code function: | 0_2_00007FF69C2E61DE |
Source: | Code function: | 0_2_00007FF69C2E65BC |
Source: | Code function: | 0_2_00007FF69C2E8230 |
Source: | Code function: | 0_2_00007FF69C2FDE20 |
Source: | Code function: | 0_2_00007FF69C305E20 |
Source: | Code function: | 0_2_00007FF69C2E6E05 |
Source: | Code function: | 0_2_00007FF69C300A70 |
Source: | Code function: | 0_2_00007FF69C2E7245 |
Source: | Code function: | 0_2_00007FF69C2E6A3F |
Source: | Code function: | 0_2_00007FF69C303E40 |
Source: | Code function: | 0_2_00007FF69C2E9AB0 |
Source: | Code function: | 0_2_00007FF69C2FD2B0 |
Source: | Code function: | 0_2_00007FF69C2FC690 |
Source: | Code function: | 0_2_00007FF69C2E62F1 |
Source: | Code function: | 0_2_00007FF69C2E66E7 |
Source: | Code function: | 0_2_00007FF69C2FE320 |
Source: | Code function: | 0_2_00007FF69C2FDB70 |
Source: | Code function: | 0_2_00007FF69C2FAB50 |
Source: | Code function: | 0_2_00007FF69C309FB0 |
Source: | Code function: | 0_2_00007FF69C2E57A5 |
Source: | Code function: | 0_2_00007FF69C2F2BA0 |
Source: | Code function: | 0_2_00007FF69C2F139F |
Source: | Code function: | 0_2_00007FF69C2E5F95 |
Source: | Code function: | 0_2_00007FF69C303380 |
Source: | Code function: | 0_2_00007FF69C31FC10 |
Source: | Code function: | 0_2_00007FF69C2FFBD0 |
Source: | Code function: | 0_2_00007FF69C3077C0 |
Source: | Code function: | 0_2_00007FF69C308BC0 |
Source: | Code function: | 0_2_00007FF69C2F5070 |
Source: | Code function: | 0_2_00007FF69C2E585C |
Source: | Code function: | 0_2_00007FF69C2E709B |
Source: | Code function: | 0_2_00007FF69C2E5CD7 |
Source: | Code function: | 0_2_00007FF69C3050D0 |
Source: | Code function: | 0_2_00007FF69C3020C0 |
Source: | Code function: | 0_2_00007FF69C2FCD30 |
Source: | Code function: | 0_2_00007FF69C2E6124 |
Source: | Code function: | 0_2_00007FF69C2F9910 |
Source: | Code function: | 0_2_00007FF69C2E650B |
Source: | Code function: |
Source: | Binary or memory string: |
Source: | Binary or memory string: |
Source: | Binary or memory string: |
Source: | Matched rule: |
Source: | Matched rule: |
Source: | Matched rule: |
Source: | Matched rule: |
Source: | Matched rule: |
Source: | Matched rule: |
Source: | Matched rule: |
Source: | Matched rule: |
Source: | Matched rule: |
Source: | Matched rule: |
Source: | Matched rule: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Classification label: |
Source: | Code function: | 0_2_00007FF69C31F770 |
Source: | Mutant created: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | ReversingLabs: |
Source: | Process created: |
Source: | Process created: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Code function: | 0_2_00007FF69C2E8140 |
Source: | Code function: | 0_2_00007FF69C3039BC |
Source: | Code function: | 0_2_00007FF69C309FB0 |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Last function: |
Source: | Code function: | 0_2_00007FF69C32B410 |
Source: | Code function: | 0_2_00007FF69C32B410 |
Source: | Code function: | 0_2_00007FF69C309FB0 |
Source: | Code function: | 0_2_00007FF69C2E8140 |
Source: | Code function: | 0_2_00007FF69C3087A0 |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Code function: | 0_2_00007FF69C32A968 |
Source: | Code function: | 0_2_00007FF69C32B290 |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Process Injection | 1 Process Injection | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 4 Security Software Discovery | Remote Desktop Protocol | 3 Clipboard Data | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 2 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 45% | ReversingLabs | | |
| 100% | Joe Sandbox ML | | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1520466 |
Start date and time: | 2024-09-27 11:28:56 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 3m 59s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 7 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | 9HwMaWcccx.exe (renamed because original name is a hash value) |
Original Sample Name: | 3f766be1002f79cef2a8b0656f18ecb9.exe |
Detection: | MAL |
Classification: | mal68.rans.winEXE@2/0@0/0 |
EGA Information: | Failed |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target 9HwMaWcccx.exe, PID 7404 because there are no executed functions
- Not all processes were analyzed, report is missing behavior information
- VT rate limit hit for: 9HwMaWcccx.exe
File type: | |
Entropy (8bit): | 6.704912767605965 |
TrID: | |
File name: | 9HwMaWcccx.exe |
File size: | 2'647'552 bytes |
MD5: | 3f766be1002f79cef2a8b0656f18ecb9 |
SHA1: | f2dfd38d36c8d938b5b64da74755a2b91a2a4fe6 |
SHA256: | 538657e0e69a3e37da94646672537f3c7764a81d0b0896c7305f06f799245d92 |
SHA512: | 6e2e722cfbffd3cc186e25be09906429f181c86f4210385f7e26e74ad1f8f7d3d066f7b3fd75aaa927c2cb569aaccd7f24e058c8ad06757ecac4798abc5c01e9 |
SSDEEP: | 49152:sevcjewG0HVzQOhOXjJCEKEQIvufRoGpfPACp:sdG0VcOhOzJzLYoGpfP5 |
TLSH: | E9C55C02B5DC9E69C81AD33D8951111ED2A9FD085FA10B8783D84C745FFB4BA0DA9BE3 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................>.......................................P.............'.1.............2.......2.......2.R.....2.......Rich... |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x14005ae64 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x140000000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x663E6957 [Fri May 10 18:37:11 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 4e9653c358320c642fba6c227fa69d9f |
Instruction |
---|
dec eax |
sub esp, 28h |
call 00007F10FC521B98h |
dec eax |
add esp, 28h |
jmp 00007F10FC5215E7h |
int3 |
int3 |
dec eax |
and dword ptr [ecx+10h], 00000000h |
dec eax |
lea eax, dword ptr [00003E54h] |
dec eax |
mov dword ptr [ecx+08h], eax |
dec eax |
lea eax, dword ptr [00003E39h] |
dec eax |
mov dword ptr [ecx], eax |
dec eax |
mov eax, ecx |
ret |
int3 |
int3 |
dec eax |
sub esp, 48h |
dec eax |
lea ecx, dword ptr [esp+20h] |
call 00007F10FC521747h |
dec eax |
lea edx, dword ptr [0022503Bh] |
dec eax |
lea ecx, dword ptr [esp+20h] |
call 00007F10FC521E3Eh |
int3 |
dec eax |
mov dword ptr [esp+10h], ebx |
dec eax |
mov dword ptr [esp+18h], esi |
push edi |
dec eax |
sub esp, 10h |
xor eax, eax |
xor ecx, ecx |
cpuid |
inc esp |
mov eax, ecx |
inc ebp |
xor ebx, ebx |
inc esp |
mov ecx, ebx |
inc ecx |
xor eax, 6C65746Eh |
inc ecx |
xor ecx, 756E6547h |
inc esp |
mov edx, edx |
mov esi, eax |
xor ecx, ecx |
inc ecx |
lea eax, dword ptr [ebx+01h] |
inc ebp |
or ecx, eax |
cpuid |
inc ecx |
xor edx, 49656E69h |
mov dword ptr [esp], eax |
inc ebp |
or ecx, edx |
mov dword ptr [esp+04h], ebx |
mov edi, ecx |
mov dword ptr [esp+08h], ecx |
mov dword ptr [esp+0Ch], edx |
jne 00007F10FC5217C2h |
dec eax |
or dword ptr [00229107h], FFFFFFFFh |
and eax, 0FFF3FF0h |
cmp eax, 000106C0h |
je 00007F10FC52179Ah |
cmp eax, 00020660h |
je 00007F10FC521793h |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x280090 | 0x9b0 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x280a40 | 0x1cc | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x28a000 | 0x1e0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x286000 | 0x30c0 | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x28b000 | 0x170 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x279960 | 0x70 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x279b80 | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2799d0 | 0x138 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x5e000 | 0xac0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x5c624 | 0x5c800 | d551b04880b31482051766135d771288 | False | 0.4805927998310811 | data | 6.316863334776826 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x5e000 | 0x225a54 | 0x225c00 | f31c0a268ccd4ace3910dcd8a5f690b5 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x284000 | 0x1a88 | 0x800 | 85dcc06e90c53b8d7d90996a9e538618 | False | 0.244140625 | DOS executable (block device driver \322f\324\377\3772) | 3.385291919763453 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x286000 | 0x30c0 | 0x3200 | 223aa9e06b50db4206497b5cbf1fce8e | False | 0.4678125 | data | 5.781812070528729 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x28a000 | 0x1e0 | 0x200 | 36134ee3ad78dcf3977297171cc7b586 | False | 0.53125 | data | 4.7176788329467545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x28b000 | 0x170 | 0x200 | 5feab6d22e7711133c8455f3705261b9 | False | 0.576171875 | data | 4.111487666917551 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_MANIFEST | 0x28a060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727 |
DLL | Import |
---|---|
d3d11.dll | D3D11CreateDeviceAndSwapChain |
D3DCOMPILER_43.dll | D3DCompile |
IMM32.dll | ImmSetCompositionWindow, ImmGetContext, ImmReleaseContext |
WINHTTP.dll | WinHttpOpenRequest, WinHttpOpen, WinHttpSendRequest, WinHttpConnect, WinHttpQueryDataAvailable, WinHttpReceiveResponse, WinHttpCloseHandle, WinHttpReadData |
KERNEL32.dll | UnhandledExceptionFilter, GetModuleHandleW, CreateEventW, WaitForSingleObjectEx, ResetEvent, LoadLibraryA, GetProcAddress, GetTickCount, GlobalAlloc, GlobalFree, GlobalLock, GlobalUnlock, QueryPerformanceFrequency, QueryPerformanceCounter, HeapFree, VirtualFree, DeviceIoControl, VirtualAlloc, InitializeCriticalSectionEx, CreateFileW, GetCurrentThreadId, GetModuleHandleA, HeapSize, GetLastError, HeapReAlloc, CloseHandle, RaiseException, HeapAlloc, HeapDestroy, DeleteCriticalSection, GetCurrentProcessId, IsProcessorFeaturePresent, ReadFile, IsDebuggerPresent, Process32First, SetConsoleTitleA, GetCurrentProcess, WriteFile, TerminateProcess, CreatePipe, GetTempPathW, WaitForSingleObject, OpenProcess, CreateToolhelp32Snapshot, MultiByteToWideChar, Sleep, GetTempPathA, K32GetModuleFileNameExA, LockResource, Process32Next, WritePrivateProfileStringA, FindResourceExW, LoadResource, FindResourceW, K32EnumProcesses, GetStartupInfoA, CreateProcessW, WideCharToMultiByte, GetConsoleWindow, lstrcmpiA, CreateProcessA, GetPrivateProfileIntA, GetPrivateProfileStringA, SetConsoleTitleW, SetEvent, InitializeCriticalSectionAndSpinCount, LeaveCriticalSection, EnterCriticalSection, InitOnceBeginInitialize, InitOnceComplete, OutputDebugStringW, SetUnhandledExceptionFilter, SizeofResource, GetSystemTimeAsFileTime, GetProcessHeap, InitializeSListHead |
USER32.dll | GetMessageA, DispatchMessageA, GetWindowRect, DestroyWindow, SetWindowPos, GetClassNameA, ShowWindow, GetAsyncKeyState, GetWindowTextA, MessageBoxA, MoveWindow, DefWindowProcA, SetLayeredWindowAttributes, TranslateMessage, LoadIconA, PeekMessageA, GetSystemMetrics, SetWindowLongPtrA, RegisterClassExA, GetKeyState, LoadCursorA, ScreenToClient, GetCapture, ClientToScreen, GetForegroundWindow, SetCapture, SetCursor, GetClientRect, ReleaseCapture, SetCursorPos, GetCursorPos, OpenClipboard, PostQuitMessage, GetWindowThreadProcessId, SetClipboardData, GetClipboardData, CloseClipboard, EmptyClipboard, EnumWindows |
ADVAPI32.dll | RegCreateKeyW, RegDeleteKeyW, RegCloseKey, RegSetKeyValueW, RegOpenKeyW |
MSVCP140.dll | ?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z, ?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z, ?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z, _Xtime_get_ticks, _Thrd_detach, _Query_perf_counter, ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, _Cnd_do_broadcast_at_thread_exit, ?id@?$ctype@D@std@@2V0locale@2@A, ?_Throw_C_error@std@@YAXH@Z, ?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?_Xinvalid_argument@std@@YAXPEBD@Z, ?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A, ?_Throw_Cpp_error@std@@YAXH@Z, _Query_perf_frequency, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@J@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@G@Z, _Thrd_sleep, ?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z, ?_Xlength_error@std@@YAXPEBD@Z, ??1_Lockit@std@@QEAA@XZ, ??0_Lockit@std@@QEAA@H@Z, ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ, ?uncaught_exception@std@@YA_NXZ, ?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A, ?id@?$ctype@_W@std@@2V0locale@2@A, ?_Xout_of_range@std@@YAXPEBD@Z, ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A, ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z, ?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WD@Z, ?put@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@_W@Z, ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ, ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ, ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ, ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_K@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z, ?getloc@ios_base@std@@QEBA?AVlocale@2@XZ, ?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?widen@?$ctype@_W@std@@QEBA_WD@Z, ?always_noconv@codecvt_base@std@@QEBA_NXZ, ??Bid@locale@std@@QEAA_KXZ, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z |
ntdll.dll | RtlVirtualUnwind, RtlInitUnicodeString, RtlCaptureContext, RtlLookupFunctionEntry, NtQuerySystemInformation |
WS2_32.dll | inet_addr, gethostbyname, recv, connect, socket, send, closesocket, WSACleanup, htons, WSAStartup |
VCRUNTIME140_1.dll | __CxxFrameHandler4 |
VCRUNTIME140.dll | memcmp, memchr, memcpy, memmove, memset, _CxxThrowException, __current_exception_context, __current_exception, __C_specific_handler, strstr, __std_exception_copy, __std_exception_destroy, __std_terminate |
api-ms-win-crt-runtime-l1-1-0.dll | _invalid_parameter_noinfo_noreturn, _errno, _register_thread_local_exe_atexit_callback, exit, terminate, abort, _c_exit, _invalid_parameter_noinfo, _beginthreadex, _configure_narrow_argv, _initialize_narrow_environment, _initialize_onexit_table, _register_onexit_function, _crt_atexit, _cexit, _seh_filter_exe, _set_app_type, __p___argv, _get_initial_narrow_environment, _initterm, _initterm_e, _exit, __p___argc |
api-ms-win-crt-stdio-l1-1-0.dll | fopen, __acrt_iob_func, fflush, fclose, _get_stream_buffer_pointers, __p__commode, _fseeki64, _set_fmode, fseek, fsetpos, ungetc, __stdio_common_vfprintf, setvbuf, fgetpos, fgetc, fwrite, fputc, __stdio_common_vsscanf, fread, __stdio_common_vsprintf, _wfopen, ftell |
api-ms-win-crt-string-l1-1-0.dll | _stricmp, strncmp, isdigit, tolower, strcpy_s, isspace, strcmp |
api-ms-win-crt-utility-l1-1-0.dll | rand, srand, qsort |
api-ms-win-crt-heap-l1-1-0.dll | realloc, _callnewh, free, _set_new_mode, malloc |
api-ms-win-crt-convert-l1-1-0.dll | strtod, atoi, strtol |
api-ms-win-crt-filesystem-l1-1-0.dll | _lock_file, _unlock_file, _wremove |
api-ms-win-crt-time-l1-1-0.dll | _time64 |
api-ms-win-crt-math-l1-1-0.dll | fmod, sqrtf, sinf, sqrt, pow, _dclass, floorf, __setusermatherr, ceilf, cosf, sin, cos, fmodf |
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale |
Name | Ordinal | Address |
---|---|---|
cJSON_AddArrayToObject | 1 | 0x140055d30 |
cJSON_AddBoolToObject | 2 | 0x140055920 |
cJSON_AddFalseToObject | 3 | 0x140055840 |
cJSON_AddItemReferenceToArray | 4 | 0x1400555b0 |
cJSON_AddItemReferenceToObject | 5 | 0x140055630 |
cJSON_AddItemToArray | 6 | 0x140055410 |
cJSON_AddItemToObject | 7 | 0x140055570 |
cJSON_AddItemToObjectCS | 8 | 0x140055590 |
cJSON_AddNullToObject | 9 | 0x140055680 |
cJSON_AddNumberToObject | 10 | 0x140055a10 |
cJSON_AddObjectToObject | 11 | 0x140055c50 |
cJSON_AddRawToObject | 12 | 0x140055b90 |
cJSON_AddStringToObject | 13 | 0x140055ad0 |
cJSON_AddTrueToObject | 14 | 0x140055760 |
cJSON_Compare | 15 | 0x1400572c0 |
cJSON_CreateArray | 16 | 0x140056970 |
cJSON_CreateArrayReference | 17 | 0x140056820 |
cJSON_CreateBool | 18 | 0x1400565a0 |
cJSON_CreateDoubleArray | 19 | 0x140056c70 |
cJSON_CreateFalse | 20 | 0x140056560 |
cJSON_CreateFloatArray | 21 | 0x140056b30 |
cJSON_CreateIntArray | 22 | 0x1400569f0 |
cJSON_CreateNull | 23 | 0x1400564e0 |
cJSON_CreateNumber | 24 | 0x1400565e0 |
cJSON_CreateObject | 25 | 0x1400569b0 |
cJSON_CreateObjectReference | 26 | 0x1400567d0 |
cJSON_CreateRaw | 27 | 0x140056870 |
cJSON_CreateString | 28 | 0x140056680 |
cJSON_CreateStringArray | 29 | 0x140056da0 |
cJSON_CreateStringReference | 30 | 0x140056780 |
cJSON_CreateTrue | 31 | 0x140056520 |
cJSON_Delete | 32 | 0x140053320 |
cJSON_DeleteItemFromArray | 33 | 0x140055f20 |
cJSON_DeleteItemFromObject | 34 | 0x1400560c0 |
cJSON_DeleteItemFromObjectCaseSensitive | 35 | 0x140056150 |
cJSON_DetachItemFromArray | 36 | 0x140055e80 |
cJSON_DetachItemFromObject | 37 | 0x140055fb0 |
cJSON_DetachItemFromObjectCaseSensitive | 38 | 0x140056030 |
cJSON_DetachItemViaPointer | 39 | 0x140055e10 |
cJSON_Duplicate | 40 | 0x140056ed0 |
cJSON_GetArrayItem | 41 | 0x140055210 |
cJSON_GetArraySize | 42 | 0x1400551f0 |
cJSON_GetErrorPtr | 43 | 0x1400531e0 |
cJSON_GetNumberValue | 44 | 0x140053210 |
cJSON_GetObjectItem | 45 | 0x140055360 |
cJSON_GetObjectItemCaseSensitive | 46 | 0x140055370 |
cJSON_GetStringValue | 47 | 0x1400531f0 |
cJSON_HasObjectItem | 48 | 0x140055380 |
cJSON_InitHooks | 49 | 0x140053280 |
cJSON_InsertItemInArray | 50 | 0x1400561e0 |
cJSON_IsArray | 51 | 0x140057290 |
cJSON_IsBool | 52 | 0x140057240 |
cJSON_IsFalse | 53 | 0x140057220 |
cJSON_IsInvalid | 54 | 0x140057210 |
cJSON_IsNull | 55 | 0x140057260 |
cJSON_IsNumber | 56 | 0x140057270 |
cJSON_IsObject | 57 | 0x1400572a0 |
cJSON_IsRaw | 58 | 0x1400572b0 |
cJSON_IsString | 59 | 0x140057280 |
cJSON_IsTrue | 60 | 0x140057230 |
cJSON_Minify | 61 | 0x1400570d0 |
cJSON_Parse | 62 | 0x1400541c0 |
cJSON_ParseWithLength | 63 | 0x1400541f0 |
cJSON_ParseWithLengthOpts | 64 | 0x140053f60 |
cJSON_ParseWithOpts | 65 | 0x140053f30 |
cJSON_Print | 66 | 0x140054340 |
cJSON_PrintBuffered | 67 | 0x140054360 |
cJSON_PrintPreallocated | 68 | 0x140054420 |
cJSON_PrintUnformatted | 69 | 0x140054350 |
cJSON_ReplaceItemInArray | 70 | 0x1400563a0 |
cJSON_ReplaceItemInObject | 71 | 0x1400564c0 |
cJSON_ReplaceItemInObjectCaseSensitive | 72 | 0x1400564d0 |
cJSON_ReplaceItemViaPointer | 73 | 0x140056290 |
cJSON_SetNumberHelper | 74 | 0x1400533a0 |
cJSON_SetValuestring | 75 | 0x1400533e0 |
cJSON_Version | 76 | 0x140053230 |
cJSON_free | 77 | 0x1400575e0 |
cJSON_malloc | 78 | 0x1400575d0 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Target ID: | 0 |
Start time: | 05:29:49 |
Start date: | 27/09/2024 |
Path: | C:\Users\user\Desktop\9HwMaWcccx.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff69c2d0000 |
File size: | 2'647'552 bytes |
MD5 hash: | 3F766BE1002F79CEF2A8B0656F18ECB9 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | false |
Target ID: | 1 |
Start time: | 05:29:49 |
Start date: | 27/09/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Function 00007FF69C308BC0 Relevance: 82.8, APIs: 33, Strings: 14, Instructions: 509, Tags: file, thread, COMMON
Function 00007FF69C31FC10 Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 255, Tags: library, loader, COMMON
Function 00007FF69C309FB0 Relevance: 30.0, APIs: 10, Strings: 7, Instructions: 201, Tags: native, memory, COMMON
Function 00007FF69C2E8230 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 122, Tags: library, loader, COMMON
Function 00007FF69C305E20 Relevance: 21.2, APIs: 3, Strings: 9, Instructions: 194, Tags: COMMON
Function 00007FF69C2E8140 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 65, Tags: library, loader, COMMON
Function 00007FF69C329FD0 Relevance: 13.6, APIs: 9, Instructions: 140, Tags: native, memory, COMMON
Function 00007FF69C2F6F90 Relevance: 12.1, APIs: 8, Instructions: 90, Tags: clipboard, COMMON
Function 00007FF69C2F7100 Relevance: 12.1, APIs: 8, Instructions: 82, Tags: clipboard, memory, COMMON
Function 00007FF69C300A70 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 419, Tags: COMMON
Function 00007FF69C32B410 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42, Tags: COMMON
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C3077C0 Relevance: .4, Instructions: 416COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C2F2BA0 Relevance: .3, Instructions: 297COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C2F5070 Relevance: .2, Instructions: 228COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C2FAB50 Relevance: .2, Instructions: 207COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C2F85B0 Relevance: .2, Instructions: 180COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C2E7245 Relevance: .1, Instructions: 125COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C303E40 Relevance: .1, Instructions: 118COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C2E9AB0 Relevance: .1, Instructions: 106COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C2E696A Relevance: .1, Instructions: 57COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C2E5CD7 Relevance: .1, Instructions: 55COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C2E585C Relevance: .1, Instructions: 54COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C2E57A5 Relevance: .1, Instructions: 51COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C2E650B Relevance: .1, Instructions: 51COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C2E66E7 Relevance: .0, Instructions: 50COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C2E6124 Relevance: .0, Instructions: 50COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C2E65BC Relevance: .0, Instructions: 45COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C2E6D5E Relevance: .0, Instructions: 43COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C2E6E05 Relevance: .0, Instructions: 42COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C2E61DE Relevance: .0, Instructions: 41COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C2E62F1 Relevance: .0, Instructions: 39COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C2E709B Relevance: .0, Instructions: 38COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C2E6A3F Relevance: .0, Instructions: 37COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C2E5F95 Relevance: .0, Instructions: 37COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C322AE0 Relevance: 56.3, APIs: 18, Strings: 14, Instructions: 251registrylibraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C322F20 Relevance: 35.2, APIs: 13, Strings: 7, Instructions: 178registrylibraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C309B40 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 203COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C30A465 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 202COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C309460 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 172COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C3098F0 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 130COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C2E77C0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 81libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C2E7AD0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 76libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C2E7490 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 73libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C2E76D0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 63libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C2E75E0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 58libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C320B00 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 152COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C30AD50 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 98COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C2F6880 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 157COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C30AED0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 109COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C2F6D60 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 130stringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C30A5A0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 103COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C30A300 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 78COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C2F7230 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C306A20 Relevance: 6.4, APIs: 3, Strings: 1, Instructions: 425COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C2E7A50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42threadCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C30A8A7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF69C30A83D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
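The function addresses in this list are runtime virtual addresses inside the ASLR-relocated process (image base 0x7ff69c2d0000 per the process table), so they do not line up with a static disassembly of the file on disk, and the sandbox emits each function as a single header line of the form `Function <VA> Relevance: <r>, APIs: <n>, Strings: <n>, Instructions: <n><tags>` with the behaviour tags fused together. The following script is an added example, not part of the Joe Sandbox report or its tooling: it parses those header lines, splits the fused tag run, ranks functions by relevance or by a tag of interest, and rebases each address to the static image. The preferred image base 0x140000000 is an assumption (the default for x64 PE files, and consistent with the export addresses such as 0x1400533a0 listed above); confirm it from the PE optional header before trusting the static addresses. The sample lines are copied from the function list on this page.

```python
"""Parse Joe Sandbox function-list header lines and rebase runtime VAs."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Runtime image base of 9HwMaWcccx.exe as reported in the process table.
RUNTIME_IMAGEBASE = 0x7FF69C2D0000
# Assumption: default x64 PE preferred base; verify against the PE header.
PREFERRED_IMAGEBASE = 0x140000000

# Tag vocabulary seen on this page; longest first so "library" wins over "file".
KNOWN_TAGS = sorted(
    ("registry", "library", "loader", "native", "memory", "clipboard",
     "file", "thread", "string", "COMMON"),
    key=len, reverse=True,
)

HEADER_RE = re.compile(
    r"^Function\s+(?P<addr>[0-9A-Fa-f]{8,16})\s+Relevance:\s*(?P<rel>\d*\.\d+|\d+)"
    r"(?:,\s*APIs:\s*(?P<apis>\d+))?"
    r"(?:,\s*Strings:\s*(?P<strings>\d+))?"
    r",\s*Instructions:\s*(?P<insn>\d+)"
    r"(?P<tags>\S*)\s*$"
)


@dataclass(frozen=True)
class FunctionEntry:
    runtime_va: int
    relevance: float
    apis: Optional[int]
    strings: Optional[int]
    instructions: int
    tags: tuple

    @property
    def rva(self) -> int:
        return self.runtime_va - RUNTIME_IMAGEBASE

    @property
    def static_va(self) -> int:
        """Address to use in a static disassembly of the unrelocated file."""
        return PREFERRED_IMAGEBASE + self.rva


def split_tags(run: str) -> tuple:
    """Tokenise a fused run such as 'registrylibraryloaderCOMMON'."""
    tags, rest = [], run
    while rest:
        for tag in KNOWN_TAGS:
            if rest.startswith(tag):
                tags.append(tag)
                rest = rest[len(tag):]
                break
        else:
            tags.append(rest)  # unknown remainder: keep it rather than drop it
            break
    return tuple(tags)


def parse_line(line: str) -> Optional[FunctionEntry]:
    """Return an entry for a header line, or None for widget rows like 'APIs |'."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    return FunctionEntry(
        runtime_va=int(m["addr"], 16),
        relevance=float(m["rel"]),          # float(".4") == 0.4
        apis=int(m["apis"]) if m["apis"] else None,
        strings=int(m["strings"]) if m["strings"] else None,
        instructions=int(m["insn"]),
        tags=split_tags(m["tags"]),
    )


def parse_report(lines: Iterable[str]) -> List[FunctionEntry]:
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def rank(entries: Iterable[FunctionEntry], tag: Optional[str] = None) -> List[FunctionEntry]:
    """Highest relevance first, optionally restricted to one behaviour tag."""
    chosen = [e for e in entries if tag is None or tag in e.tags]
    return sorted(chosen, key=lambda e: e.relevance, reverse=True)


# Header lines copied from the function list on this page, plus two of the
# empty widget rows that surround them in the rendered report.
SAMPLE_LINES = [
    "Function 00007FF69C308BC0 Relevance: 82.8, APIs: 33, Strings: 14, Instructions: 509filethreadCOMMON",
    "Function 00007FF69C322AE0 Relevance: 56.3, APIs: 18, Strings: 14, Instructions: 251registrylibraryloaderCOMMON",
    "Function 00007FF69C31FC10 Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 255libraryloaderCOMMON",
    "Function 00007FF69C329FD0 Relevance: 13.6, APIs: 9, Instructions: 140nativememoryCOMMON",
    "Function 00007FF69C2F6F90 Relevance: 12.1, APIs: 8, Instructions: 90clipboardCOMMON",
    "Function 00007FF69C3077C0 Relevance: .4, Instructions: 416COMMON",
    "APIs |",
    "Memory Dump Source |",
]

if __name__ == "__main__":
    for e in rank(parse_report(SAMPLE_LINES)):
        print(f"{e.runtime_va:#x} -> static {e.static_va:#x} (RVA {e.rva:#x}) "
              f"rel={e.relevance} tags={','.join(e.tags)}")
```

Feeding the whole rendered report through `parse_report` gives a ranked, tagged inventory; `rank(entries, tag="registry")` or `tag="loader"` pulls out the functions worth opening first in IDA, and `static_va` is the address to jump to there. If the file's optional header reports a different ImageBase, change `PREFERRED_IMAGEBASE` accordingly; the RVA arithmetic is what matters.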