Edit tour
Windows
Analysis Report
file.dll
Overview
General Information
| Sample name: | file.dllrenamed because original name is a hash value |
| Original sample name: | file.exe |
| Analysis ID: | 1524403 |
| MD5: | 69d883f1a13a13d5f198b45a5df0ba97 |
| SHA1: | 940678df6cc3814046d7acac5bd0ab1b8664249d |
| SHA256: | 5749acfc3cb027699aa197427c06334c69fb7d36add21f32105cd4033f3a191b |
| Tags: | dllexesignedx64user-jstrosch |
| Infos: | |
 | |
Detection
| Score: | 9 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 40% |
Signatures
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches the installation path of Mozilla Firefox
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Classification
- System is w10x64
loaddll64.exe (PID: 6236 cmdline: loaddll64. exe "C:\Us ers\user\D esktop\fil e.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52) 
conhost.exe (PID: 5956 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 828 cmdline:
cmd.exe /C rundll32. exe "C:\Us ers\user\D esktop\fil e.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) 
rundll32.exe (PID: 2192 cmdline: rundll32.e xe "C:\Use rs\user\De sktop\file .dll",#1 MD5: EF3179D498793BF4234F708D3BE28633) - regsvr32.exe (PID: 2896 cmdline:
regsvr32.e xe /s C:\U sers\user\ Desktop\fi le.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E) - rundll32.exe (PID: 7044 cmdline:
rundll32.e xe C:\User s\user\Des ktop\file. dll,CheckM ozJavaPlug ins MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 6496 cmdline:
rundll32.e xe C:\User s\user\Des ktop\file. dll,DllCan UnloadNow MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 6664 cmdline:
rundll32.e xe C:\User s\user\Des ktop\file. dll,DllGet ClassObjec t MD5: EF3179D498793BF4234F708D3BE28633) 
WerFault.exe (PID: 3756 cmdline: C:\Windows \system32\ WerFault.e xe -u -p 6 664 -s 348 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
There are no malicious signatures, click here to show all signatures.
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 8_2_00007FFD9DF977C0 | |
| Source: | Code function: | 8_2_00007FFD9DF994A8 | |
| Source: | Code function: | 8_2_00007FFD9DFB81B4 | |
| Source: | DNS traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 8_2_00007FFD9DF9D740 | |
| Source: | Code function: | 8_2_00007FFD9DF91F64 | |
| Source: | Code function: | 8_2_00007FFD9DF91520 | |
| Source: | Code function: | 8_2_00007FFD9DFB2660 | |
| Source: | Code function: | 8_2_00007FFD9DFB6690 | |
| Source: | Code function: | 8_2_00007FFD9DF9DE90 | |
| Source: | Code function: | 8_2_00007FFD9DF9475C | |
| Source: | Code function: | 8_2_00007FFD9DFB7FA8 | |
| Source: | Code function: | 8_2_00007FFD9DF957E0 | |
| Source: | Code function: | 8_2_00007FFD9DF99010 | |
| Source: | Code function: | 8_2_00007FFD9DFA5858 | |
| Source: | Code function: | 8_2_00007FFD9DF9DCA8 | |
| Source: | Code function: | 8_2_00007FFD9DF957E0 | |
| Source: | Code function: | 8_2_00007FFD9DFBA4F4 | |
| Source: | Code function: | 8_2_00007FFD9DFB4588 | |
| Source: | Code function: | 8_2_00007FFD9DFB1DC8 | |
| Source: | Code function: | 8_2_00007FFD9DFBD5E4 | |
| Source: | Code function: | 8_2_00007FFD9DFA8E14 | |
| Source: | Code function: | 8_2_00007FFD9DFA5ADC | |
| Source: | Code function: | 8_2_00007FFD9DFAE2EC | |
| Source: | Code function: | 8_2_00007FFD9DF92BCC | |
| Source: | Code function: | 8_2_00007FFD9DFC0BF8 | |
| Source: | Code function: | 8_2_00007FFD9DF953F0 | |
| Source: | Code function: | 8_2_00007FFD9DFAAC50 | |
| Source: | Code function: | 8_2_00007FFD9DFAF87C | |
| Source: | Code function: | 8_2_00007FFD9DFB6074 | |
| Source: | Code function: | 8_2_00007FFD9DFB4588 | |
| Source: | Code function: | 8_2_00007FFD9DFAE8C0 | |
| Source: | Code function: | 8_2_00007FFD9DFA8908 | |
| Source: | Code function: | 8_2_00007FFD9DF97988 | |
| Source: | Code function: | 8_2_00007FFD9DFB81B4 | |
| Source: | Code function: | 8_2_00007FFD9DFAB204 | |
| Source: | Code function: | 8_2_00007FFD9DFBCA2C | |
| Source: | Code function: | ||
| Source: | Process created: | ||
| Source: | Binary or memory string: | ||
| Source: | Registry key queried: | Jump to behavior | ||
| Source: | Classification label: | ||
| Source: | Code function: | 8_2_00007FFD9DF937D4 | |
| Source: | Code function: | 8_2_00007FFD9DF94418 | |
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 8_2_00007FFD9DF96D4C | |
| Source: | Process created: | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | API coverage: | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Last function: | ||
| Source: | Code function: | 8_2_00007FFD9DF977C0 | |
| Source: | Code function: | 8_2_00007FFD9DF994A8 | |
| Source: | Code function: | 8_2_00007FFD9DFB81B4 | |
| Source: | Code function: | 8_2_00007FFD9DFA42A8 | |
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Code function: | 8_2_00007FFD9DFA3E7C | |
| Source: | Code function: | 8_2_00007FFD9DF9F3F4 | |
| Source: | Code function: | 8_2_00007FFD9DF96D4C | |
| Source: | Code function: | 8_2_00007FFD9DFB93A4 | |
| Source: | Code function: | 8_2_00007FFD9DFA3E7C | |
| Source: | Code function: | 8_2_00007FFD9DFA0398 | |
| Source: | Code function: | 8_2_00007FFD9DF9F94C | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 8_2_00007FFD9DFC0910 | |
| Source: | Code function: | 8_2_00007FFD9DFA06A8 | |
| Source: | Code function: | 8_2_00007FFD9DFB627C | |
| Source: | Code function: | 8_2_00007FFD9DF9A744 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 11 Process Injection | 21 Virtualization/Sandbox Evasion | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Process Injection | LSASS Memory | 51 Security Software Discovery | Remote Desktop Protocol | 1 Browser Session Hijacking | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Regsvr32 | LSA Secrets | 14 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Rundll32 | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| 15.164.165.52.in-addr.arpa | unknown | unknown | false | unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown |
⊘No contacted IP infos
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1524403 |
| Start date and time: | 2024-10-02 19:00:54 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 25s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Run name: | Run with higher sleep bypass |
| Number of analysed new started processes analysed: | 19 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | file.dllrenamed because original name is a hash value |
| Original Sample Name: | file.exe |
| Detection: | CLEAN |
| Classification: | clean9.winDLL@15/5@1/0 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.42.73.29
- Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- VT rate limit hit for: file.dll
⊘No simulations
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_4bdbc898aa41e69a58d6ca0b49de377bd76f77_d75f6fa5_76820721-d08e-48f8-b510-448c0ca67010\Report.wer
Download File
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.7653006153516252 |
| Encrypted: | false |
| SSDEEP: | 192:s1jFiIy2o0x0Iv34jxMfzuiFbZ24lO8V:qhiF2mIv34jCzuiFbY4lO8V |
| MD5: | E37FE8F90B620436904234E816306935 |
| SHA1: | 04571A1955AA5D9BE5736A5893BC251687A3023C |
| SHA-256: | 8FC80780378733A37306B8F9FE5E53DA968ECC26F85C123F5785EE74261E5398 |
| SHA-512: | C70FEA52FA86116323B4B3B2F22C43406C8F60C7DDE4B409F6E8503B6F5B7D28A92AF8EA96DCEB6B0671D4E50A0872D7A481F069FC82666833AFF36EED326211 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 71122 |
| Entropy (8bit): | 1.2752295280738657 |
| Encrypted: | false |
| SSDEEP: | 192:wqb8QUhg/yOMxqMbb37Sge34eKMLdBSVwRYkf:DwfhWBMbb3w75BSVw+ |
| MD5: | C205B2E97C00A7B11EA9FE9EC7409253 |
| SHA1: | 1B324FB9932AE169272D96274EDB5FE3CEE13638 |
| SHA-256: | 842BB7B001B1174D410C8725735B61A8D48536F7F6F72DDE9D19AAABC795AE39 |
| SHA-512: | 846DAA70B4C99326129184FB1F16C7C0D7DB24E1AC3B751DD057734AA2C056AAECBA4548A4857BD3707D88BDFC448801AE82C8487C0C1018BFB07A1560B4A49B |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8494 |
| Entropy (8bit): | 3.6952404666897354 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJPELPNROj6YoYogmfiL0p0prp89b0eGfWcm:R6lXJ8rzq6YfogmfGOH0Hfk |
| MD5: | 6346FF80190BCB261640AD3DF6AE29EF |
| SHA1: | F47CA672DEF24040C9CB995500A4C558995B5536 |
| SHA-256: | 9AF3FE91DA32A6445B8C17AB38341830AD866A953FC95C74C29C472E777A76FE |
| SHA-512: | 2F40AEBC96FF3C3BF1630CDB0BD55FE43527865FD35C6E26AD4A22926F608E62BFD27F70F23B6AFE523AC606633057F6C0F851223939D956FCBA363247371208 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4729 |
| Entropy (8bit): | 4.465403787700911 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zs3Jg771I96//WpW8VYy0Ym8M4JCFCthaWEF4/Wyq85m1OWEkzptSTSxd:uIjfZI7f/u7VNJ3aWDWXOW1poOxd |
| MD5: | CB146CEFD0C9096599337FF486440D08 |
| SHA1: | 7524ECD5B9ACF434260CC20654264529D782DCE6 |
| SHA-256: | 0FD909FF2E0DAB64881208F605B4D21180AF25587B4ECE84C0B51F4146279751 |
| SHA-512: | 89EFA0927F6CC72B19A396CE11C73B7FDF9E85BE27804A96F74DBDDAD43984B452BB19F1278223C97BA9D71A662EAD91D6A20DAB6414EE7C787F681EC344C23F |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1835008 |
| Entropy (8bit): | 4.469520090410337 |
| Encrypted: | false |
| SSDEEP: | 6144:RzZfpi6ceLPx9skLmb0fYZWSP3aJG8nAgeiJRMMhA2zX4WABluuNMjDH5S:JZHtYZWOKnMM6bFpaj4 |
| MD5: | 4663AE42DD9F11C4B79207B031368373 |
| SHA1: | 3B797D99246C4CCAFD2E7C393DCD04DCE0660BA3 |
| SHA-256: | 0C7CEFDF14C49816CA6FA71771BB3C5A79EB814AFD50471E27CC0610FA46ACFD |
| SHA-512: | 6D592F13E9A0AE15DD0372450F27A54D3E36EEE662759FF38A85EF3400BABB8DF020D5B5446E2030C0F67104FABCA8DC79276F6D322B18AB305D578746B57405 |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.121355444788685 |
| TrID: |
|
| File name: | file.dll |
| File size: | 351'392 bytes |
| MD5: | 69d883f1a13a13d5f198b45a5df0ba97 |
| SHA1: | 940678df6cc3814046d7acac5bd0ab1b8664249d |
| SHA256: | 5749acfc3cb027699aa197427c06334c69fb7d36add21f32105cd4033f3a191b |
| SHA512: | e06613bef2add30c0f5f0c4b5249461c19d813499ace04d94fa42bab237b22efb34a4c1e23565d72593c2bfbd6ad055cf5208968f8ea2b528b66ba6b0140e675 |
| SSDEEP: | 6144:j2BK+kd25HU2gcv/Wa83jAqN1RiZNby0N:d+kKH9mT1N1RiL2C |
| TLSH: | 54744B5473E418B8F477DA3988A28502DA76BC511B61DE9F6394024A2F37BE1C63DF32 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........t...'...'...'...&...'...&...'..3'...'...&...'...&...'...&...'...&...'...'\..'...&...'=..&...'=..&...'=..'...'=..&...'Rich... |
 | |
| Icon Hash: | 7ae282899bbab082 |
| Entrypoint: | 0x1800101c4 |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x180000000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT |
| Time Stamp: | 0x63BBD69B [Mon Jan 9 08:55:55 2023 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 313483b5898aa91865cd36a9f29acb2e |
| Signature Valid: | true |
| Signature Issuer: | CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US |
| Signature Validation Error: | The operation completed successfully |
| Error Number: | 0 |
| Not Before, Not After |
|
| Subject Chain |
|
| Version: | 3 |
| Thumbprint MD5: | 2876C1BECB51837D0E3DE50903D025B6 |
| Thumbprint SHA-1: | 940D69C0A34A1B4CFD8048488BA86F4CED60481A |
| Thumbprint SHA-256: | EE46613A38B4F486164BCE7FB23178667715617F511B364594311A1548B08EB1 |
| Serial: | 068BE2F53452C882F18ED41A5DD4E7A3 |
| Instruction |
|---|
| dec eax |
| mov dword ptr [esp+08h], ebx |
| dec eax |
| mov dword ptr [esp+10h], esi |
| push edi |
| dec eax |
| sub esp, 20h |
| dec ecx |
| mov edi, eax |
| mov ebx, edx |
| dec eax |
| mov esi, ecx |
| cmp edx, 01h |
| jne 00007F225CB7EFE7h |
| call 00007F225CB7F4A8h |
| dec esp |
| mov eax, edi |
| mov edx, ebx |
| dec eax |
| mov ecx, esi |
| dec eax |
| mov ebx, dword ptr [esp+30h] |
| dec eax |
| mov esi, dword ptr [esp+38h] |
| dec eax |
| add esp, 20h |
| pop edi |
| jmp 00007F225CB7EE74h |
| int3 |
| int3 |
| int3 |
| retn 0000h |
| int3 |
| dec eax |
| mov dword ptr [esp+10h], ebx |
| dec eax |
| mov dword ptr [esp+18h], esi |
| push edi |
| dec eax |
| sub esp, 10h |
| xor eax, eax |
| mov dword ptr [0003FE31h], 00000002h |
| xor ecx, ecx |
| mov dword ptr [0003FE21h], 00000001h |
| cpuid |
| inc esp |
| mov eax, ecx |
| xor edi, edi |
| inc esp |
| mov ecx, ebx |
| inc ecx |
| xor eax, 6C65746Eh |
| inc ecx |
| xor ecx, 756E6547h |
| inc esp |
| mov edx, edx |
| mov esi, eax |
| xor ecx, ecx |
| lea eax, dword ptr [edi+01h] |
| inc ebp |
| or ecx, eax |
| cpuid |
| inc ecx |
| xor edx, 49656E69h |
| mov dword ptr [esp], eax |
| inc ebp |
| or ecx, edx |
| mov dword ptr [esp+04h], ebx |
| inc esp |
| mov ebx, ecx |
| mov dword ptr [esp+08h], ecx |
| mov dword ptr [esp+0Ch], edx |
| jne 00007F225CB7F032h |
| dec eax |
| or dword ptr [0003FDDCh], FFFFFFFFh |
| and eax, 0FFF3FF0h |
| cmp eax, 000106C0h |
| je 00007F225CB7F00Ah |
| cmp eax, 00020660h |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x4e570 | 0x194 | .rdata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4e704 | 0x64 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x56000 | 0xb80 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x53000 | 0x2730 | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x53400 | 0x28a0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x57000 | 0x74c | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x4a050 | 0x54 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x49f50 | 0x100 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x33000 | 0x4e0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x4e110 | 0x80 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x31aae | 0x31c00 | 9d052583f25e65ed28a8bdc48d5c964c | False | 0.5521454930904522 | data | 6.456251822305383 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x33000 | 0x1c72a | 0x1c800 | 5bbea155b354be5c20dd7fd564ee20c7 | False | 0.2625925164473684 | data | 4.377975050235937 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x50000 | 0x23d4 | 0x1000 | 61115e6cb33832668f270ea02c86a3c4 | False | 0.1748046875 | data | 2.5568170519688955 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .pdata | 0x53000 | 0x2730 | 0x2800 | d2b3d8772cf7fd699c092ee71934ce58 | False | 0.4873046875 | data | 5.4732851134488545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0x56000 | 0xb80 | 0xc00 | f92da0697814ff37131ef7f68d89bf7e | False | 0.3017578125 | data | 4.274647443366615 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x57000 | 0x74c | 0x800 | 904ea74ba1a3d5338d75d70249523b89 | False | 0.57666015625 | data | 5.224582899824992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| REGISTRY | 0x561b0 | 0x16d | ASCII text | English | United States | 0.5123287671232877 |
| REGISTRY | 0x56320 | 0x16d | ASCII text | English | United States | 0.5095890410958904 |
| REGISTRY | 0x56490 | 0x103 | ASCII text | English | United States | 0.4942084942084942 |
| REGISTRY | 0x56598 | 0x103 | ASCII text | English | United States | 0.4942084942084942 |
| REGISTRY | 0x566a0 | 0x107 | ASCII text | English | United States | 0.7072243346007605 |
| REGISTRY | 0x567a8 | 0x98 | ASCII text | English | United States | 0.8026315789473685 |
| RT_VERSION | 0x56840 | 0x340 | data | English | United States | 0.4651442307692308 |
| DLL | Import |
|---|---|
| KERNEL32.dll | DecodePointer, RaiseException, GetLastError, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, EncodePointer, CloseHandle, EnterCriticalSection, LeaveCriticalSection, ReleaseMutex, WaitForSingleObject, CreateMutexA, DisableThreadLibraryCalls, FreeLibrary, GetModuleFileNameA, GetModuleHandleA, GetProcAddress, LoadLibraryExA, LoadResource, SizeofResource, lstrcmpiA, OpenMutexA, FindResourceA, MultiByteToWideChar, WideCharToMultiByte, IsDBCSLeadByte, DeleteFileA, FindClose, FindFirstFileA, FindNextFileA, LoadLibraryA, VerSetConditionMask, GetEnvironmentVariableA, CreateFileA, GetLongPathNameA, GetTempPathA, GetCurrentProcess, CreateProcessA, OpenProcess, GlobalMemoryStatusEx, GetLocalTime, GetSystemDirectoryA, GetWindowsDirectoryA, GetVersionExA, GetNativeSystemInfo, GlobalAlloc, GlobalFree, LocalAlloc, LocalFree, GetShortPathNameA, FormatMessageA, lstrlenA, VerifyVersionInfoA, WTSGetActiveConsoleSessionId, GetFileAttributesA, GetSystemWindowsDirectoryA, OutputDebugStringA, GetCurrentProcessId, GetCurrentThreadId, IsDebuggerPresent, OutputDebugStringW, WriteConsoleW, SetEndOfFile, ReadConsoleW, ReadFile, GetConsoleMode, GetConsoleCP, FlushFileBuffers, WriteFile, SetFilePointerEx, GetFileSizeEx, GetStringTypeW, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, GetStartupInfoW, GetModuleHandleW, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwindEx, RtlPcToFileHeader, RtlUnwind, InterlockedFlushSList, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, GetSystemInfo, VirtualAlloc, VirtualProtect, VirtualQuery, CreateFileW, GetDriveTypeW, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetTimeZoneInformation, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, HeapFree, HeapAlloc, HeapSize, HeapReAlloc, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetStdHandle, GetCurrentDirectoryW, GetFullPathNameW, SetStdHandle, SetEnvironmentVariableW |
| USER32.dll | GetWindowThreadProcessId, GetShellWindow, CloseDesktop, OpenInputDesktop, CharNextA, wsprintfA |
| ole32.dll | CoTaskMemRealloc, CoTaskMemFree, CoUninitialize, CoInitialize, StringFromCLSID, CoCreateInstance, CoTaskMemAlloc |
| OLEAUT32.dll | SysAllocStringByteLen, SysStringLen, SysAllocString, VarUI4FromStr, SysFreeString, VariantClear |
| Name | Ordinal | Address |
|---|---|---|
| CheckMozJavaPlugins | 1 | 0x18000a028 |
| DllCanUnloadNow | 2 | 0x180001c74 |
| DllGetClassObject | 3 | 0x180001520 |
| DllRegisterServer | 4 | 0x180001c88 |
| DllUnregisterServer | 5 | 0x180001c94 |
| RedirectAllStaticVersionKeys | 6 | 0x180006504 |
| RedirectSelectedStaticVersionKeys | 7 | 0x1800065c4 |
| RegKeyBranchNeedsUpdating | 8 | 0x180006478 |
| RemoveAllMozillaJavaPlugins | 9 | 0x180007284 |
| RunBrokerProcess | 10 | 0x180007310 |
| UpdateTreatAsKey | 11 | 0x180006684 |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 2, 2024 19:02:05.770172119 CEST | 53 | 60374 | 1.1.1.1 | 192.168.2.6 |
| Oct 2, 2024 19:02:19.362873077 CEST | 53 | 55826 | 162.159.36.2 | 192.168.2.6 |
| Oct 2, 2024 19:02:19.862385988 CEST | 62819 | 53 | 192.168.2.6 | 1.1.1.1 |
| Oct 2, 2024 19:02:19.871315002 CEST | 53 | 62819 | 1.1.1.1 | 192.168.2.6 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Oct 2, 2024 19:02:19.862385988 CEST | 192.168.2.6 | 1.1.1.1 | 0xc5fe | Standard query (0) | PTR (Pointer record) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Oct 2, 2024 19:02:19.871315002 CEST | 1.1.1.1 | 192.168.2.6 | 0xc5fe | Name error (3) | none | none | PTR (Pointer record) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 13:01:45 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\System32\loaddll64.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff74add0000 |
| File size: | 165'888 bytes |
| MD5 hash: | 763455F9DCB24DFEECC2B9D9F8D46D52 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 13:01:45 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff66e660000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 13:01:45 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6fe110000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 13:01:45 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\System32\regsvr32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff67fef0000 |
| File size: | 25'088 bytes |
| MD5 hash: | B0C2FA35D14A9FAD919E99D9D75E1B9E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 5 |
| Start time: | 13:01:45 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff746a50000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 6 |
| Start time: | 13:01:45 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff746a50000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 7 |
| Start time: | 13:01:48 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff746a50000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 8 |
| Start time: | 13:01:51 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff746a50000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 11 |
| Start time: | 13:01:52 |
| Start date: | 02/10/2024 |
| Path: | C:\Windows\System32\WerFault.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff75fbc0000 |
| File size: | 570'736 bytes |
| MD5 hash: | FD27D9F6D02763BDE32511B5DF7FF7A0 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 1.9% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 16% |
| Total number of Nodes: | 2000 |
| Total number of Limit Nodes: | 18 |
Graph
Function 00007FFD9DF91520 Relevance: 52.9, APIs: 10, Strings: 20, Instructions: 420synchronizationCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF91F64 Relevance: 33.5, APIs: 5, Strings: 14, Instructions: 268threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9D740 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 158registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DFB308C Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF97988 Relevance: 88.8, APIs: 11, Strings: 39, Instructions: 1344COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DFA8E14 Relevance: 40.4, APIs: 20, Strings: 2, Instructions: 1864COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF96D4C Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 114libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DFBA4F4 Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1207COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF957E0 Relevance: 21.7, APIs: 9, Strings: 3, Instructions: 733COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9475C Relevance: 18.5, APIs: 8, Strings: 4, Instructions: 483stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF99010 Relevance: 16.7, APIs: 4, Strings: 7, Instructions: 194COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9DE90 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 261COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF94418 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 231libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9DCA8 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 112registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DFB6074 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 329timeCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DFAE2EC Relevance: 9.2, APIs: 6, Instructions: 245COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DFA3E7C Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DFB627C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 157timeCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DFBD5E4 Relevance: 7.8, APIs: 5, Instructions: 321fileCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9F3F4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DFB6690 Relevance: 5.5, APIs: 3, Instructions: 1031COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DFB1DC8 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 248COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DFAAC50 Relevance: 4.8, APIs: 3, Instructions: 317COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DFAE8C0 Relevance: 4.6, APIs: 3, Instructions: 99timeCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DFB2660 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 207COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DFB7FA8 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 165COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DFC0BF8 Relevance: 3.2, APIs: 2, Instructions: 232COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DFA5858 Relevance: 1.5, Strings: 1, Instructions: 206COMMONLIBRARYCODE
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DFA5ADC Relevance: 1.4, Strings: 1, Instructions: 196COMMONLIBRARYCODE
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DFC0910 Relevance: .0, Instructions: 32COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF93B5C Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 247memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9C904 Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 98threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9B990 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 103libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9BB00 Relevance: 24.6, APIs: 5, Strings: 9, Instructions: 99registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF99BE4 Relevance: 21.2, APIs: 3, Strings: 11, Instructions: 213COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF97310 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 121synchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9AAA0 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 104libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF91130 Relevance: 15.1, APIs: 4, Strings: 6, Instructions: 84COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9EFB4 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 118threadCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF99A94 Relevance: 14.0, APIs: 2, Strings: 6, Instructions: 48stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9B0A0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 69memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9988C Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 139stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9B584 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 108COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF996F4 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 92registrystringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9B2E8 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 76COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9127C Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 67COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DFC0AA8 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9BFE8 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 46COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9B3E4 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9AC9C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9D15C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 68memorywindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF941FC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 48registrylibraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9EF0C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 41COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF94170 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 39libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DFAEE24 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9AA50 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DFBDF30 Relevance: 7.7, APIs: 5, Instructions: 203COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DFC0710 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9CB80 Relevance: 7.5, APIs: 2, Strings: 3, Instructions: 37COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF910A0 Relevance: 7.5, APIs: 1, Strings: 4, Instructions: 31COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DFB4F9C Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 211COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9B774 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 96COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF91CAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 89COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF91E08 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 89COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9403C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 66libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF93640 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9B8E4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9CB0C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9C874 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9CAB0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF97928 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9BCCC Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 14COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9BD1C Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 14COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9BD6C Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 14COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9BDBC Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 14COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9B9FC Relevance: 6.1, APIs: 4, Instructions: 66synchronizationCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF96FC8 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 53COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DFB2214 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DFBDCD4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF942B4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9ADD8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9D028 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 74COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DFB32CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9C2B4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9AEE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DFB0E7C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DFB0A64 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DFB0C6C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DFB0D6C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44timeCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9C5FC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DFBC020 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DFB0E18 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DF9C0B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DFA3C7C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DFB0C18 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FFD9DFA0674 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 11COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|