Windows
Analysis Report
eVirFdGeXm.exe
Overview
General Information
Sample name: | eVirFdGeXm.exe (renamed because original name is a hash value) |
Original sample name: | 11e3134472c0035f17a22bfbd2f66416.exe |
Analysis ID: | 1537103 |
MD5: | 11e3134472c0035f17a22bfbd2f66416 |
SHA1: | 073a4f5698987a9e1d36beadbec29570f9906d46 |
SHA256: | ef2a8077afd8c42e52b49a2c4f7a1ca49f59f83ef9af4e508bf438b64bc36b11 |
Tags: | 64exe |
Detection
Score: | 4 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 80% |
Signatures
Classification
- System is w10x64
- eVirFdGeXm.exe (PID: 4668 cmdline: "C:\Users\user\Desktop\eVirFdGeXm.exe" MD5: 11E3134472C0035F17A22BFBD2F66416)
- cleanup
There are no malicious signatures.
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Timestomp | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Screen Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | 2 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1537103 |
Start date and time: | 2024-10-18 15:12:06 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 2m 13s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 2 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | eVirFdGeXm.exe (renamed because original name is a hash value) |
Original Sample Name: | 11e3134472c0035f17a22bfbd2f66416.exe |
Detection: | CLEAN |
Classification: | clean4.winEXE@1/0@0/0 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): dllhost.exe
- VT rate limit hit for: eVirFdGeXm.exe
File type: | |
Entropy (8bit): | 5.943086016037392 |
TrID: | |
File name: | eVirFdGeXm.exe |
File size: | 551'543 bytes |
MD5: | 11e3134472c0035f17a22bfbd2f66416 |
SHA1: | 073a4f5698987a9e1d36beadbec29570f9906d46 |
SHA256: | ef2a8077afd8c42e52b49a2c4f7a1ca49f59f83ef9af4e508bf438b64bc36b11 |
SHA512: | 806b4f3bfc0f012e79a43a08c5ef1dd8d480628d93a21b06241bac46ade1fb7255c5184fa31522681f812be4dc2eef2a74acccc565f0e8ae46ea778f86599602 |
SSDEEP: | 6144:FTC9J2tSpzsSTC9J2tSpzsnTC9J2tSpzsATC9J2tSpzsxTC9J2tSpzs:FTC3/pNTC3/pyTC3/plTC3/pcTC3/p |
TLSH: | 68C4B44A22B928C4D1BB937DB50E4106D771F0322B2557DF06E0C27AAF27AD1AD37B52 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%0dkaQ.8aQ.8aQ.8h).8cQ.8u:.9bQ.8u:.9uQ.8u:.9gQ.8u:.9xQ.8aQ.8.Q.8u:.9MQ.8u:.8`Q.8u:.9`Q.8RichaQ.8........PE..d...."............" |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x140010b60 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x140000000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x9AF322B1 [Sat May 18 06:09:53 2052 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 10 |
OS Version Minor: | 0 |
File Version Major: | 10 |
File Version Minor: | 0 |
Subsystem Version Major: | 10 |
Subsystem Version Minor: | 0 |
Import Hash: | f9bc8bd9a4625c4e4d51d3742b03ca20 |
Instruction |
---|
dec eax |
sub esp, 28h |
call 00007FB4AC9421B0h |
dec eax |
add esp, 28h |
jmp 00007FB4AC9418B3h |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
nop word ptr [eax+eax+00000000h] |
dec eax |
cmp ecx, dword ptr [00008521h] |
jne 00007FB4AC941B42h |
dec eax |
rol ecx, 10h |
test cx, FFFFh |
jne 00007FB4AC941B33h |
ret |
dec eax |
ror ecx, 10h |
jmp 00007FB4AC941CB7h |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
jmp dword ptr [000030EEh] |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
jmp dword ptr [000030DAh] |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
inc eax |
push ebx |
dec eax |
sub esp, 20h |
dec eax |
mov ebx, ecx |
dec eax |
mov eax, dword ptr [000090CCh] |
dec eax |
mov dword ptr [esp+38h], eax |
dec eax |
cmp eax, FFFFFFFFh |
jne 00007FB4AC941B45h |
dec eax |
mov eax, dword ptr [00002FF2h] |
call dword ptr [00003104h] |
dec eax |
add esp, 20h |
pop ebx |
ret |
mov ecx, 00000008h |
call 00007FB4AC94220Ah |
nop |
dec eax |
mov eax, dword ptr [0000909Ch] |
dec eax |
mov dword ptr [esp+38h], eax |
dec eax |
mov eax, dword ptr [00009088h] |
dec eax |
mov dword ptr [esp+40h], eax |
dec esp |
lea eax, dword ptr [esp+40h] |
dec eax |
lea edx, dword ptr [esp+38h] |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x166e0 | 0x118 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1b000 | 0xad8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x1a000 | 0xca8 | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1c000 | 0x520 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x159e0 | 0x54 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x13420 | 0x118 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x13538 | 0x7b8 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x107de | 0x10800 | 8f020530bf64183b4598b3085a9f6b03 | False | 0.4820519649621212 | data | 5.991516424959198 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x12000 | 0x6164 | 0x6200 | 6cba640dbde64f8ce82d1a367478d73e | False | 0.33434311224489793 | data | 4.632881930147428 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x19000 | 0xd38 | 0x600 | f926aefd7b803ed4d6a71efdd0c17930 | False | 0.310546875 | data | 2.588992496206584 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x1a000 | 0xca8 | 0xe00 | 5ba08379ab3fd2d06a07780194ffa0ee | False | 0.4545200892857143 | PEX Binary Archive | 4.418455269512572 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x1b000 | 0xad8 | 0xc00 | bfe5089f87873e1649a803ed60174128 | False | 0.3961588541666667 | data | 4.42197713604801 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x1c000 | 0x520 | 0x600 | 5d61936ce61eecf3201ed8c0c5114361 | False | 0.541015625 | data | 5.122423379011978 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
MUI | 0x1b9d0 | 0x108 | data | English | United States | 0.5681818181818182 |
RT_VERSION | 0x1b640 | 0x390 | data | English | United States | 0.46271929824561403 |
RT_MANIFEST | 0x1b0f0 | 0x54f | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.41501103752759383 |
DLL | Import |
---|---|
ADVAPI32.dll | RegCloseKey, RegQueryInfoKeyW, RegEnumKeyExW, RegOpenKeyExW, RegSetValueExW, RegCreateKeyExW, RegDeleteValueW, EventRegister, EventUnregister, EventWrite, RegQueryValueExW |
KERNEL32.dll | WaitForSingleObject, CreateMutexW, HeapSetInformation, InitializeCriticalSection, GetModuleFileNameW, FindResourceExW, LoadResource, ReleaseMutex, MultiByteToWideChar, lstrcmpiW, GetModuleHandleW, LoadLibraryExW, GetProcAddress, FreeLibrary, GetLastError, CloseHandle, CreateFileW, GetTickCount, LockResource, FindResourceW, GlobalFree, GlobalUnlock, GlobalLock, GlobalAlloc, LocalFree, FormatMessageW, GetSystemDirectoryW, WriteFile, lstrlenW, WideCharToMultiByte, GetSystemTime, CopyFileW, SizeofResource, EnterCriticalSection, LeaveCriticalSection, RaiseException, DeleteCriticalSection, OutputDebugStringA, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, TerminateProcess, SetUnhandledExceptionFilter, HeapFree, VirtualFree, GetCurrentProcess, VirtualAlloc, LoadLibraryExA, EncodePointer, HeapAlloc, DecodePointer, GetProcessHeap, FlushInstructionCache, InterlockedPushEntrySList, InterlockedPopEntrySList, Sleep, GetStartupInfoW, UnhandledExceptionFilter, GetSystemTimeAsFileTime |
GDI32.dll | StretchBlt, CreateCompatibleBitmap, SetStretchBltMode, SelectObject, CreateCompatibleDC, GetObjectW, GetTextExtentPoint32W, SetDeviceGammaRamp, GetDeviceGammaRamp, GetStockObject, SetBkMode, SetBkColor, SetTextColor, CreateSolidBrush, GetDeviceCaps, CreateDCW, DeleteDC, DeleteObject |
USER32.dll | LoadStringW, GetWindowLongW, GetWindow, ShowWindow, MessageBoxW, ReleaseDC, GetWindowTextW, GetWindowTextLengthW, GetDC, KillTimer, SetTimer, SetWindowTextW, PostMessageW, MapDialogRect, EnumChildWindows, DisplayConfigGetDeviceInfo, QueryDisplayConfig, GetDisplayConfigBufferSizes, EnumDisplayDevicesW, ShowCursor, LoadCursorW, SetCursor, GetMonitorInfoW, EnumDisplayMonitors, MonitorFromWindow, GetParent, InvalidateRect, MapWindowPoints, GetWindowRect, GetDlgItem, DefWindowProcW, SendMessageW, CallWindowProcW, SetWindowPos, SetForegroundWindow, OpenIcon, SetWindowLongPtrW, GetWindowLongPtrW, MonitorFromRect, SendMessageTimeoutW, AllowSetForegroundWindow, GetWindowThreadProcessId, FindWindowW, RegisterWindowMessageW, GetActiveWindow, GetSystemMetrics, CharNextW, DestroyWindow, UnregisterClassA, MoveWindow |
msvcrt.dll | iswupper, towlower, _vsnwprintf, memset, ?terminate@@YAXXZ, realloc, _errno, _onexit, __dllonexit, _unlock, _lock, _commode, _fmode, _wcmdln, _initterm, __setusermatherr, _cexit, _exit, exit, __set_app_type, __wgetmainargs, _amsg_exit, _XcptFilter, _callnewh, swscanf_s, wcsstr, _wcsupr, _purecall, memcpy_s, malloc, wcsncpy_s, free, __C_specific_handler, memcpy, powf |
ntdll.dll | RtlLookupFunctionEntry, RtlCaptureContext, RtlVirtualUnwind, WinSqmAddToStream |
dxva2.dll | GetNumberOfPhysicalMonitorsFromHMONITOR, GetPhysicalMonitorsFromHMONITOR, DestroyPhysicalMonitors, GetMonitorBrightness, SetMonitorBrightness, GetMonitorContrast, SetMonitorContrast, SetVCPFeature, GetVCPFeatureAndVCPFeatureReply |
mscms.dll | GetColorProfileFromHandle, DccwReleaseDisplayProfileAssociationList, WcsCreateIccProfile, InstallColorProfileW, SetColorProfileElement, CloseColorProfile, DccwSetDisplayProfileAssociationList, WcsGetUsePerUserProfiles, WcsGetDefaultColorProfile, WcsOpenColorProfileW, DccwGetGamutSize, DccwCreateDisplayProfileAssociationList, SetColorProfileElementSize, WcsGetCalibrationManagementState, WcsDisassociateColorProfileFromDevice, WcsSetDefaultColorProfile, UninstallColorProfileW, DccwGetDisplayProfileAssociationList, GetColorDirectoryW, WcsSetCalibrationManagementState |
SHELL32.dll | ShellExecuteW |
GDIPLUS.dll | GdipCreateHBITMAPFromBitmap, GdipDisposeImage, GdipCloneImage, GdipFree, GdipCreateLineBrushI, GdipFillRectangleI, GdipAlloc, GdipDeleteBrush, GdipCreateSolidFill, GdipDeleteGraphics, GdipCreateFromHDC, GdiplusShutdown, GdiplusStartup, GdipCreateBitmapFromStream |
COMCTL32.dll | TaskDialogIndirect, DestroyPropertySheetPage, CreatePropertySheetPageW, PropertySheetW |
OLEAUT32.dll | SysFreeString, VarUI4FromStr, SysAllocString |
api-ms-win-core-com-l1-1-0.dll | CoCreateInstance, StringFromCLSID, CreateStreamOnHGlobal, CoTaskMemRealloc, CoTaskMemFree, CoTaskMemAlloc |
Language of compilation system | Country where language is spoken |
---|---|
English | United States |
Target ID: | 0 |
Start time: | 09:13:13 |
Start date: | 18/10/2024 |
Path: | C:\Users\user\Desktop\eVirFdGeXm.exe |
Wow64 process (32bit): | false |
Commandline: | "C:\Users\user\Desktop\eVirFdGeXm.exe" |
Imagebase: | 0x7ff6bc710000 |
File size: | 551'543 bytes |
MD5 hash: | 11E3134472C0035F17A22BFBD2F66416 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Execution Graph
Execution Coverage: | 6% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 23.8% |
Total number of Nodes: | 1574 |
Total number of Limit Nodes: | 3 |
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
00007FF6BC714120 | 40.9 | 16 | 7 | 603 | synchronization, window, registry, COMMON |
00007FF6BC711170 | 30.0 | 16 | 1 | 279 | memory, thread, COMMON |
00007FF6BC71EF88 | 8.8 | 3 | 2 | 55 | registry, COMMON |
00007FF6BC712E8C | 58.4 | 28 | 5 | 669 | registry, string, COMMON |
00007FF6BC71EBC4 | 47.5 | 24 | 3 | 242 | window, COMMON |
00007FF6BC71388C | 33.6 | 14 | 5 | 344 | library, COMMON |
00007FF6BC71E884 | 31.7 | 21 | | 219 | memory, window, COMMON |
00007FF6BC71892C | 26.5 | 6 | 9 | 238 | time, COMMON |
00007FF6BC712518 | 17.8 | 9 | 1 | 322 | registry, string, COMMON |
00007FF6BC7211E4 | 12.3 | 6 | 1 | 49 | time, thread, COMMON |
00007FF6BC721010 | 1.5 | 1 | | 6 | COMMON |
00007FF6BC716390 | 31.7 | 17 | 1 | 236 | COMMON |
00007FF6BC7172B0 | 29.9 | 16 | 1 | 181 | file, COMMON |
00007FF6BC71AF24 | 26.4 | 14 | 1 | 187 | COMMON |
00007FF6BC718EC4 | 23.0 | 11 | 2 | 240 | string, COMMON |
00007FF6BC711850 | 23.0 | 8 | 5 | 210 | COMMON |
00007FF6BC717FA4 | 21.1 | 9 | 3 | 106 | COMMON |
00007FF6BC712228 | 19.5 | 10 | 1 | 208 | memory, string, COMMON |
00007FF6BC71A670 | 19.4 | 9 | 2 | 155 | COMMON |
00007FF6BC718658 | 19.4 | 10 | 1 | 118 | COMMON |
00007FF6BC715AF8 | 17.7 | 9 | 1 | 153 | COMMON |
00007FF6BC71D4CC | 17.7 | 9 | 1 | 151 | COMMON |
00007FF6BC717958 | 17.6 | 8 | 2 | 115 | COMMON |
00007FF6BC720610 | 15.8 | 8 | 1 | 84 | COMMON |
00007FF6BC712BAC | 15.8 | 5 | 4 | 54 | library, loader, COMMON |
00007FF6BC71CDF0 | 15.2 | 10 | | 152 | window, time, COMMON |
00007FF6BC71F340 | 15.1 | 10 | | 102 | window, COMMON |
00007FF6BC71922C | 14.1 | 6 | 2 | 139 | COMMON |
00007FF6BC71BAC0 | 12.3 | 5 | 2 | 93 | COMMON |
00007FF6BC718804 | 12.3 | 6 | 1 | 78 | COMMON |
00007FF6BC719DE0 | 12.3 | 4 | 3 | 71 | window, COMMON |
00007FF6BC714CF0 | 12.3 | 6 | 1 | 50 | synchronization, window, COMMON |
00007FF6BC715372 | 10.6 | 5 | 1 | 116 | COMMON |
00007FF6BC71E600 | 10.6 | 4 | 2 | 104 | window, COMMON |
00007FF6BC717570 | 10.6 | 5 | 1 | 98 | file, COMMON |
00007FF6BC712A48 | 10.6 | 5 | 1 | 81 | registry, COMMON |
00007FF6BC718168 | 10.6 | 2 | 4 | 57 | COMMON |
00007FF6BC720524 | 10.6 | 4 | 2 | 56 | com, memory, COMMON |
00007FF6BC719628 | 10.5 | 3 | 3 | 48 | COMMON |
00007FF6BC71FC04 | 10.5 | 1 | 5 | 44 | library, COMMON |
00007FF6BC71FB3C | 10.5 | 1 | 5 | 44 | library, COMMON |
00007FF6BC71FD94 | 10.5 | 1 | 5 | 44 | library, COMMON |
00007FF6BC71FCCC | 10.5 | 1 | 5 | 44 | library, COMMON |
00007FF6BC72130C | 10.5 | 4 | 2 | 40 | COMMON |
00007FF6BC714B08 | 8.9 | 2 | 3 | 117 | COMMON |
00007FF6BC71970C | 8.8 | 4 | 1 | 75 | COMMON |
00007FF6BC720B90 | 8.8 | 4 | 1 | 73 | COMMON |
00007FF6BC71E33C | 8.8 | 4 | 1 | 69 | registry, COMMON |
00007FF6BC71B3B4 | 8.8 | 4 | 1 | 69 | COMMON |
00007FF6BC7136BC | 7.1 | 3 | 1 | 125 | string, COMMON |
00007FF6BC717B38 | 7.1 | 2 | 2 | 64 | COMMON |
00007FF6BC71AE28 | 7.1 | 2 | 2 | 57 | COMMON |
00007FF6BC71E50C | 7.1 | 2 | 2 | 53 | window, COMMON |
00007FF6BC71E43C | 7.0 | 3 | 1 | 47 | registry, COMMON |
00007FF6BC71B874 | 7.0 | 3 | 1 | 45 | COMMON |
00007FF6BC7178C0 | 7.0 | 2 | 2 | 33 | COMMON |
00007FF6BC71B6C0 | 6.1 | 4 | | 80 | window, time, COMMON |
00007FF6BC7120F4 | 5.4 | 2 | 1 | 133 | COMMON |
00007FF6BC71CB40 | 5.4 | 1 | 2 | 122 | COMMON |
00007FF6BC71A3E0 | 5.3 | 1 | 2 | 94 | COMMON |
00007FF6BC71B5A0 | 5.3 | 1 | 2 | 63 | COMMON |
00007FF6BC715920 | 5.3 | 1 | 2 | 40 | COMMON |
00007FF6BC719A20 | 5.3 | 2 | 1 | 35 | COMMON |
00007FF6BC71C54C | 5.3 | 2 | 1 | 32 | COMMON |