Edit tour
Windows
Analysis Report
J1un7vGf29.exe
Overview
General Information
| Sample name: | J1un7vGf29.exerenamed because original name is a hash value |
| Original sample name: | 40f68d8b1be0f31f4aaf28dccf2f94cb.exe |
| Analysis ID: | 1538242 |
| MD5: | 40f68d8b1be0f31f4aaf28dccf2f94cb |
| SHA1: | f5fbda24294289b81a77c12573ee33cea52ac408 |
| SHA256: | 98373f6033f41eff577963ce2a8cde8f09394e63de31c866ef5d265b714a9ed9 |
| Tags: | 64exetrojan |
| Infos: | |
 | |
Detection
| Score: | 56 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to create an SMB header
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
Uses taskkill to terminate processes
Classification
- System is w10x64
J1un7vGf29.exe (PID: 1080 cmdline: "C:\Users\ user\Deskt op\J1un7vG f29.exe" MD5: 40F68D8B1BE0F31F4AAF28DCCF2F94CB) 
conhost.exe (PID: 2000 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 1576 cmdline:
C:\Windows \system32\ cmd.exe /c taskkill /FI "IMAGE NAME eq fi ddler*" /I M * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - taskkill.exe (PID: 1784 cmdline:
taskkill / FI "IMAGEN AME eq fid dler*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7) - cmd.exe (PID: 1088 cmdline:
C:\Windows \system32\ cmd.exe /c taskkill /FI "IMAGE NAME eq wi reshark*" /IM * /F / T >nul 2>& 1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - taskkill.exe (PID: 6660 cmdline:
taskkill / FI "IMAGEN AME eq wir eshark*" / IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7) - cmd.exe (PID: 4464 cmdline:
C:\Windows \system32\ cmd.exe /c taskkill /FI "IMAGE NAME eq ht tpdebugger *" /IM * / F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - taskkill.exe (PID: 6580 cmdline:
taskkill / FI "IMAGEN AME eq htt pdebugger* " /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7) - cmd.exe (PID: 5760 cmdline:
C:\Windows \system32\ cmd.exe /c sc stop H TTPDebugge rPro >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - sc.exe (PID: 2884 cmdline:
sc stop HT TPDebugger Pro MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - cmd.exe (PID: 1480 cmdline:
C:\Windows \system32\ cmd.exe /c sc stop H TTPDebugge rProSdk >n ul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - sc.exe (PID: 2944 cmdline:
sc stop HT TPDebugger ProSdk MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - cmd.exe (PID: 5972 cmdline:
C:\Windows \system32\ cmd.exe /c @RD /S /Q "C:\Users \%username %\AppData\ Local\Micr osoft\Wind ows\INetCa che\IE" >n ul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - cmd.exe (PID: 3528 cmdline:
C:\Windows \system32\ cmd.exe /c taskkill /FI "IMAGE NAME eq fi ddler*" /I M * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - taskkill.exe (PID: 4996 cmdline:
taskkill / FI "IMAGEN AME eq fid dler*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7) - cmd.exe (PID: 7096 cmdline:
C:\Windows \system32\ cmd.exe /c taskkill /FI "IMAGE NAME eq wi reshark*" /IM * /F / T >nul 2>& 1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - taskkill.exe (PID: 5552 cmdline:
taskkill / FI "IMAGEN AME eq wir eshark*" / IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7) - cmd.exe (PID: 7108 cmdline:
C:\Windows \system32\ cmd.exe /c taskkill /FI "IMAGE NAME eq ht tpdebugger *" /IM * / F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - taskkill.exe (PID: 1264 cmdline:
taskkill / FI "IMAGEN AME eq htt pdebugger* " /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7) 
WerFault.exe (PID: 5428 cmdline: C:\Windows \system32\ WerFault.e xe -pss -s 476 -p 10 80 -ip 108 0 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0) - cmd.exe (PID: 528 cmdline:
C:\Windows \system32\ cmd.exe /c sc stop H TTPDebugge rPro >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - sc.exe (PID: 432 cmdline:
sc stop HT TPDebugger Pro MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - cmd.exe (PID: 1216 cmdline:
C:\Windows \system32\ cmd.exe /c sc stop H TTPDebugge rProSdk >n ul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - sc.exe (PID: 6468 cmdline:
sc stop HT TPDebugger ProSdk MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - cmd.exe (PID: 6604 cmdline:
C:\Windows \system32\ cmd.exe /c @RD /S /Q "C:\Users \%username %\AppData\ Local\Micr osoft\Wind ows\INetCa che\IE" >n ul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - cmd.exe (PID: 4768 cmdline:
C:\Windows \system32\ cmd.exe /c taskkill /FI "IMAGE NAME eq fi ddler*" /I M * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - taskkill.exe (PID: 5760 cmdline:
taskkill / FI "IMAGEN AME eq fid dler*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7) - cmd.exe (PID: 6276 cmdline:
C:\Windows \system32\ cmd.exe /c taskkill /FI "IMAGE NAME eq wi reshark*" /IM * /F / T >nul 2>& 1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - taskkill.exe (PID: 2860 cmdline:
taskkill / FI "IMAGEN AME eq wir eshark*" / IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7) - cmd.exe (PID: 6780 cmdline:
C:\Windows \system32\ cmd.exe /c taskkill /FI "IMAGE NAME eq ht tpdebugger *" /IM * / F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - taskkill.exe (PID: 3496 cmdline:
taskkill / FI "IMAGEN AME eq htt pdebugger* " /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7) - cmd.exe (PID: 3652 cmdline:
C:\Windows \system32\ cmd.exe /c sc stop H TTPDebugge rPro >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - sc.exe (PID: 1396 cmdline:
sc stop HT TPDebugger Pro MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - cmd.exe (PID: 5720 cmdline:
C:\Windows \system32\ cmd.exe /c sc stop H TTPDebugge rProSdk >n ul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - sc.exe (PID: 1784 cmdline:
sc stop HT TPDebugger ProSdk MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - cmd.exe (PID: 1264 cmdline:
C:\Windows \system32\ cmd.exe /c @RD /S /Q "C:\Users \%username %\AppData\ Local\Micr osoft\Wind ows\INetCa che\IE" >n ul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - WerFault.exe (PID: 5960 cmdline:
C:\Windows \system32\ WerFault.e xe -u -p 1 080 -s 996 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Code function: | 0_2_00007FF63D909F3D | |
| Source: | Code function: | 0_2_00007FF63D92EF30 | |
| Source: | Code function: | 0_2_00007FF63D92CE40 | |
| Source: | Code function: | 0_2_00007FF63D925AD0 | |
| Source: | Code function: | 0_2_00007FF63D909300 | |
| Source: | Code function: | 0_2_00007FF63D90C1C0 | |
| Source: | Code function: | 0_2_00007FF63D90C220 | |
| Source: | Code function: | 0_2_00007FF63D909230 | |
| Source: | Code function: | 0_2_00007FF63D90C210 | |
| Source: | Code function: | 0_2_00007FF63D9263F0 | |
| Source: | Code function: | 0_2_00007FF63D8EF0E0 | |
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_00007FF63D918B00 | |
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | HTTP traffic detected: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 0_2_00007FF63D8F5ED0 | |
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 0_2_00007FF63D92CE40 | |
| Source: | Code function: | 0_2_00007FF63D909F3D | |
| Source: | Code function: | 0_2_00007FF63D8F6980 | |
| Source: | Code function: | 0_2_00007FF63D8F8980 | |
| Source: | Code function: | 0_2_00007FF63D8F7CC0 | |
| Source: | Code function: | 0_2_00007FF63D8FF590 | |
| Source: | Code function: | 0_2_00007FF63D8E1530 | |
| Source: | Code function: | 0_2_00007FF63D92EEC0 | |
| Source: | Code function: | 0_2_00007FF63D92CE40 | |
| Source: | Code function: | 0_2_00007FF63D8DDDE0 | |
| Source: | Code function: | 0_2_00007FF63D8D1000 | |
| Source: | Code function: | 0_2_00007FF63D909FFC | |
| Source: | Code function: | 0_2_00007FF63D90A005 | |
| Source: | Code function: | 0_2_00007FF63D925AD0 | |
| Source: | Code function: | 0_2_00007FF63D9149F0 | |
| Source: | Code function: | 0_2_00007FF63D8E8990 | |
| Source: | Code function: | 0_2_00007FF63D907CC0 | |
| Source: | Code function: | 0_2_00007FF63D8DABFD | |
| Source: | Code function: | 0_2_00007FF63D8DEB70 | |
| Source: | Code function: | 0_2_00007FF63D90C5D0 | |
| Source: | Code function: | 0_2_00007FF63D8F0600 | |
| Source: | Code function: | 0_2_00007FF63D8D955D | |
| Source: | Code function: | 0_2_00007FF63D9215B0 | |
| Source: | Code function: | 0_2_00007FF63D920580 | |
| Source: | Code function: | 0_2_00007FF63D8F9840 | |
| Source: | Code function: | 0_2_00007FF63D902890 | |
| Source: | Code function: | 0_2_00007FF63D8D973B | |
| Source: | Code function: | 0_2_00007FF63D8F3330 | |
| Source: | Code function: | 0_2_00007FF63D8DD250 | |
| Source: | Code function: | 0_2_00007FF63D91D220 | |
| Source: | Code function: | 0_2_00007FF63D919520 | |
| Source: | Code function: | 0_2_00007FF63D9053E0 | |
| Source: | Process created: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_00007FF63D8E1E4E | |
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | String found in binary or memory: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00007FF63D8F8980 | |
| Source: | Process created: | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | API coverage: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FF63D92FD4C | |
| Source: | Code function: | 0_2_00007FF63D9300E8 | |
| Source: | Code function: | 0_2_00007FF63D8F8980 | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FF63D92FEF4 | |
| Source: | Code function: | 0_2_00007FF63D92FD4C | |
| Source: | Code function: | 0_2_00007FF63D92F9F4 | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FF63D92FF64 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_00007FF63D904A60 | |
| Source: | Code function: | 0_2_00007FF63D9149F0 | |
| Source: | Code function: | 0_2_00007FF63D8F7630 | |
| Source: | Code function: | 0_2_00007FF63D91B750 | |
| Source: | Code function: | 0_2_00007FF63D91B4F1 | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 21 Windows Management Instrumentation | 1 Windows Service | 1 Windows Service | 1 Disable or Modify Tools | OS Credential Dumping | 1 System Time Discovery | 1 Exploitation of Remote Services | 12 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Other Network Medium | 1 Data Encrypted for Impact |
| Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 2 Virtualization/Sandbox Evasion | LSASS Memory | 51 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 Service Execution | Logon Script (Windows) | 1 DLL Side-Loading | 11 Process Injection | Security Account Manager | 2 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | 1 Native API | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 23 System Information Discovery | Distributed Component Object Model | Input Capture | 3 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 39% | ReversingLabs | Win64.Trojan.Generic | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| keyauth.win | 104.26.0.5 | true | false | unknown | |
| 241.42.69.40.in-addr.arpa | unknown | unknown | false | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | unknown | |||
| false |
| unknown | ||
| false | unknown | |||
| false | unknown | |||
| false |
| unknown | ||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 104.26.0.5 | keyauth.win | United States | 13335 | CLOUDFLARENETUS | false |
| IP |
|---|
| 127.0.0.1 |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1538242 |
| Start date and time: | 2024-10-20 21:20:09 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 53s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 42 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | J1un7vGf29.exerenamed because original name is a hash value |
| Original Sample Name: | 40f68d8b1be0f31f4aaf28dccf2f94cb.exe |
| Detection: | MAL |
| Classification: | mal56.evad.winEXE@71/22@2/2 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.12.23.50, 52.168.117.173, 13.85.23.206, 20.242.39.171, 20.189.173.21
- Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, blobcollector.events.data.trafficmanager.net, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, onedsblobprdwus16.westus.cloudapp.azure.com, umwatson.events.data.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size exceeded maximum capacity and may have missing disassembly code.
- VT rate limit hit for: J1un7vGf29.exe
| Time | Type | Description |
|---|---|---|
| 15:21:25 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 104.26.0.5 | Get hash | malicious | Unknown | Browse | ||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| keyauth.win | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | PureLog Stealer, RedLine | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 3b5074b1b5d032e5620f69f9f700ff0e | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | PureLog Stealer, RedLine | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | DCRat | Browse |
| ||
| Get hash | malicious | XWorm | Browse |
| ||
| Get hash | malicious | XWorm | Browse |
|
⊘No context
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_J1un7vGf29.exe_5cd87136c5f8c6d2a2edad2aab90e620989ace30_5a213bd4_6075f31e-8a75-4958-baa0-25eb9dc96c5d\Report.wer 
Download File
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.9985976635316371 |
| Encrypted: | false |
| SSDEEP: | 96:ZiFVKm6JsmhL1c7L4faQXIDcQlc6bcEocw3M+HbHg/8BRTf3o8Fa9KUNsPQHdfmO:Y/d6Jz0bfy5jvVmczuiFVZ24lO8L0 |
| MD5: | 1E8E7D8D6D6538850E095ED57EA165A6 |
| SHA1: | 9EA5007283243809310C8AD874F297A3C3DCD82B |
| SHA-256: | 0F0DDB8B0954E86C6A461085753F49D22509E9A63EAB4442EB55F39BE2637149 |
| SHA-512: | 6A704EF475E0E060EDD4B95C36836176112D0ADD7AED91FAA02229A131B348FC7788A1C994F086C093E0B8D56A3B063C86110F0C59EC920E86704D2422B15F80 |
| Malicious: | true |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 102636 |
| Entropy (8bit): | 1.653538048175926 |
| Encrypted: | false |
| SSDEEP: | 384:F6JCtgaH20g/fBRuKMsTdpCkOOdiK7ckYjTB5mUuxgF:FPt20KfBRuKMsTdskOOdiNkYJ3 |
| MD5: | 881CEA93A0A608DB18D8DB0157112E82 |
| SHA1: | 0399DCB9182F46AB2B63E6966F80C77D1FBC45B3 |
| SHA-256: | 15BD528A05548B90164CAFE9D41E136B48B36ECDF2A23A087C7780B0D90BA3E4 |
| SHA-512: | C6E77F98D373D8B114FB79A8259849723FF16699243F6DFCC6537732D53C4D4BD7D9F19D14489F5F0CF9101E9E185B907CEF54240EB1A685924400FA7913350D |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 10136 |
| Entropy (8bit): | 3.71624672543535 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJMyqt6YEIBiMEODgmfJeprH89bCvVLfCQ/m:R6lXJMHt6YEeDEODgmfJTq5fS |
| MD5: | 7AB169485CB65513706652EC64C711E0 |
| SHA1: | C2C97F5854F080103A0E0F629296D2D8970A8332 |
| SHA-256: | 37158833005BC87B876012EDE47369F79924C9E5D3333D6EE303E8E6523CB346 |
| SHA-512: | 5E37D81770B67A2AB0CEA77A2BEAFCD57B1C9E6D52E8887F818CA1D5954D60066FC290B74F3AF2D43276EFA4F2EC4BD071789DD51D71BEBFA6E76EC219273D4D |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4645 |
| Entropy (8bit): | 4.463614685231288 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zskJg771I9B/KWpW8VYFYm8M4J1u3A0FwQyq85BcApbCPXtSbFSbSeBd:uIjfiI7c/r7VVJ1uwwKcQiXtSRoSMd |
| MD5: | 13BD4C9BFF4503371342F382AB1CF18B |
| SHA1: | 29DC6BA814E3FFEA443C66D3A01BE4E94679BEF9 |
| SHA-256: | 7348F61128AC9AD0DB778C42A7F5626EBBDCA74BB425B798A948D13DD1C6A3ED |
| SHA-512: | 9399456CC65BD724A68F87C88343289476C93E95ED3634F79E9420CE61226CEE872957306E841F51A3710E99B9104E2DFCD18ABCB66C1C4C1A636975D743F3DA |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1835008 |
| Entropy (8bit): | 4.421643162156298 |
| Encrypted: | false |
| SSDEEP: | 6144:ESvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnN/0uhiTw:PvloTMW+EZMM6DFyt03w |
| MD5: | 0B6AA841D7B4F51C2AE43CAFFBBD0F4B |
| SHA1: | 0C6B6AC2FA3C80B3337420D3106427BCEDEEDBCB |
| SHA-256: | 354F2C8197EE1FE6C2C19A022596CAC0C97A61C23965D8964927D3A8B46D8958 |
| SHA-512: | 3D3D4DDF6662596E98EC04CF09D67C3E2AE9554BED98675AB556837D1DE0A341D9C2A2D43F0737CE5A72AC2D8279F6726F4DE6093BE7AA0565AF73333D2131CB |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\cmd.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 44 |
| Entropy (8bit): | 4.003997527334849 |
| Encrypted: | false |
| SSDEEP: | 3:HnRthLK5a6eCMABe:HRoJPO |
| MD5: | DF5DC1ABC0D52F3C9E931E26A7C0065C |
| SHA1: | EE84123D3B3BC440C63DFE65FF5616BE2B0904D5 |
| SHA-256: | F7167A2FACDE50428D8D2697A1CDFF075DE809323DD16D62B65CDD103B2A9A6D |
| SHA-512: | 9B2253CE41880D22A2DDF4F886BB6CB22FF0C981400CD9D03A1FCA81DE5FAEB86C26B85B66ECEC960816D7BBE9740843890F2FCCD334B6D274295A32A8E6A4E9 |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.423311038978997 |
| TrID: |
|
| File name: | J1un7vGf29.exe |
| File size: | 506'368 bytes |
| MD5: | 40f68d8b1be0f31f4aaf28dccf2f94cb |
| SHA1: | f5fbda24294289b81a77c12573ee33cea52ac408 |
| SHA256: | 98373f6033f41eff577963ce2a8cde8f09394e63de31c866ef5d265b714a9ed9 |
| SHA512: | 1205819096ac09cd4b72071bf263281801810be3384ddea79e1290c572d09aeb44c9975441fe86c2a7c0a99d69381436909c3cd2056ecdaad9bf7860bacee614 |
| SSDEEP: | 6144:Fi8fZ/nLeOlMAiyTI+BS6oIC2Dbe/MZWdLpID+RMcA2dHDad2m2+yFMCPaf1:FTfFOf8IyS4LDb6dlIDuzAIOboMCif1 |
| TLSH: | C8B46D56A7A807E9D1A7D03CC547C603E7B6B4991311DBDB43A0CA791F63BE12E3A720 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........V...V...V..._.+.B...PHE.^...PH..v...PH..\...PH..R...PH..P.......A...V...s.......?...9H..T...9H..W...9HG.W...9H..W...RichV.. |
 | |
| Icon Hash: | 00928e8e8686b000 |
| Entrypoint: | 0x14005f9d8 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x140000000 |
| Subsystem: | windows cui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x670FDA3D [Wed Oct 16 15:22:37 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 3dd1b7e6418973ac2798d88d33677d96 |
| Instruction |
|---|
| dec eax |
| sub esp, 28h |
| call 00007F58FCB87EE8h |
| dec eax |
| add esp, 28h |
| jmp 00007F58FCB877D7h |
| int3 |
| int3 |
| jmp 00007F58FCB88198h |
| int3 |
| int3 |
| int3 |
| inc eax |
| push ebx |
| dec eax |
| sub esp, 20h |
| dec eax |
| mov ebx, ecx |
| xor ecx, ecx |
| call dword ptr [0000178Bh] |
| dec eax |
| mov ecx, ebx |
| call dword ptr [000016F2h] |
| call dword ptr [00001774h] |
| dec eax |
| mov ecx, eax |
| mov edx, C0000409h |
| dec eax |
| add esp, 20h |
| pop ebx |
| dec eax |
| jmp dword ptr [00001770h] |
| dec eax |
| mov dword ptr [esp+08h], ecx |
| dec eax |
| sub esp, 38h |
| mov ecx, 00000017h |
| call dword ptr [00001764h] |
| test eax, eax |
| je 00007F58FCB87969h |
| mov ecx, 00000002h |
| int 29h |
| dec eax |
| lea ecx, dword ptr [00018E12h] |
| call 00007F58FCB87B2Eh |
| dec eax |
| mov eax, dword ptr [esp+38h] |
| dec eax |
| mov dword ptr [00018EF9h], eax |
| dec eax |
| lea eax, dword ptr [esp+38h] |
| dec eax |
| add eax, 08h |
| dec eax |
| mov dword ptr [00018E89h], eax |
| dec eax |
| mov eax, dword ptr [00018EE2h] |
| dec eax |
| mov dword ptr [00018D53h], eax |
| dec eax |
| mov eax, dword ptr [esp+40h] |
| dec eax |
| mov dword ptr [00018E57h], eax |
| mov dword ptr [00018D2Dh], C0000409h |
| mov dword ptr [00018D27h], 00000001h |
| mov dword ptr [00000031h], 00000000h |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x760f0 | 0x1cc | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7d000 | 0x1e8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x79000 | 0x3f84 | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7e000 | 0x4e4 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6ffd0 | 0x70 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x70080 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6fe90 | 0x140 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x61000 | 0x818 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x5fda8 | 0x5fe00 | e35c1164add83fd7293b483158519475 | False | 0.5326963820078227 | data | 6.336155931731169 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x61000 | 0x16b92 | 0x16c00 | 7f349d336d6f386b2fdcc2d10122a56b | False | 0.3797862293956044 | data | 5.57889875441676 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x78000 | 0xdf8 | 0x400 | 3cfa1d3706d13e34002335316e18545c | False | 0.212890625 | data | 2.4386708342051575 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .pdata | 0x79000 | 0x3f84 | 0x4000 | 50e902fb009b515c9924ff6238b5e51d | False | 0.48175048828125 | data | 5.776998787420237 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0x7d000 | 0x1e8 | 0x200 | 7d03a0f9d3c3a10dec18b513161e66d8 | False | 0.54296875 | data | 4.772037401703051 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x7e000 | 0x4e4 | 0x600 | 0fffa779ce3f96440fc92f1aa0c636a8 | False | 0.5123697916666666 | data | 4.824092949506385 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_MANIFEST | 0x7d060 | 0x188 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5892857142857143 |
| DLL | Import |
|---|---|
| KERNEL32.dll | WideCharToMultiByte, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, GetTickCount, QueryPerformanceCounter, VerifyVersionInfoA, LoadLibraryA, GetProcAddress, GetModuleHandleA, FreeLibrary, GetSystemDirectoryA, CreateFileA, VerSetConditionMask, SleepEx, LeaveCriticalSection, EnterCriticalSection, FormatMessageA, SetLastError, CloseHandle, GetCurrentProcess, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetModuleHandleW, GetCurrentProcessId, GetCurrentThreadId, GetFileSizeEx, WaitForMultipleObjects, PeekNamedPipe, ReadFile, GetFileType, GetEnvironmentVariableA, MultiByteToWideChar, WaitForSingleObjectEx, QueryPerformanceFrequency, GetSystemTimeAsFileTime, MoveFileExA, DeleteCriticalSection, GetLastError, InitializeCriticalSectionEx, OutputDebugStringW, InitializeSListHead, GetConsoleWindow, SetConsoleTitleA, SetConsoleTextAttribute, Sleep, GetStdHandle |
| USER32.dll | GetWindowLongPtrA, SetWindowLongPtrA, MessageBoxA, SetLayeredWindowAttributes |
| ADVAPI32.dll | CryptAcquireContextA, CryptReleaseContext, CryptGetHashParam, CryptGenRandom, CryptCreateHash, CryptHashData, CryptDestroyHash, CryptDestroyKey, CryptImportKey, CryptEncrypt |
| SHELL32.dll | ShellExecuteA |
| MSVCP140.dll | ?_Xlength_error@std@@YAXPEBD@Z, ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z, ?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?uncaught_exception@std@@YA_NXZ, ?_Xbad_function_call@std@@YAXXZ, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z |
| urlmon.dll | URLDownloadToFileA |
| Normaliz.dll | IdnToAscii |
| WLDAP32.dll | |
| CRYPT32.dll | CertGetCertificateChain, CertFreeCertificateChainEngine, CertCreateCertificateChainEngine, CryptQueryObject, CertGetNameStringA, CertFindExtension, CertAddCertificateContextToStore, CertFreeCertificateChain, PFXImportCertStore, CryptStringToBinaryA, CertFreeCertificateContext, CertFindCertificateInStore, CertEnumCertificatesInStore, CertCloseStore, CertOpenStore, CryptDecodeObjectEx |
| WS2_32.dll | gethostname, sendto, recvfrom, freeaddrinfo, getaddrinfo, select, ioctlsocket, listen, htonl, accept, WSACleanup, WSAStartup, WSAIoctl, WSASetLastError, socket, setsockopt, ntohs, htons, getsockopt, getsockname, getpeername, connect, bind, WSAGetLastError, send, recv, closesocket, ntohl, __WSAFDIsSet |
| VCRUNTIME140.dll | __std_exception_copy, __std_exception_destroy, _CxxThrowException, memcpy, memset, __std_terminate, __C_specific_handler, __current_exception_context, __current_exception, memchr, memcmp, strchr, strstr, memmove, strrchr |
| VCRUNTIME140_1.dll | __CxxFrameHandler4 |
| api-ms-win-crt-runtime-l1-1-0.dll | _invalid_parameter_noinfo_noreturn, _beginthreadex, _errno, __sys_nerr, _getpid, exit, system, terminate, _register_thread_local_exe_atexit_callback, _configure_narrow_argv, _initialize_narrow_environment, _initialize_onexit_table, _register_onexit_function, _crt_atexit, _cexit, _seh_filter_exe, _set_app_type, strerror, _c_exit, _initterm, _initterm_e, _exit, __p___argv, __p___argc, _get_initial_narrow_environment |
| api-ms-win-crt-heap-l1-1-0.dll | realloc, _callnewh, free, calloc, _set_new_mode, malloc |
| api-ms-win-crt-utility-l1-1-0.dll | rand, qsort |
| api-ms-win-crt-stdio-l1-1-0.dll | __stdio_common_vfprintf, fseek, feof, __p__commode, __acrt_iob_func, ftell, fputc, _lseeki64, _read, _write, _close, _open, fflush, __stdio_common_vsscanf, __stdio_common_vsprintf, fread, fputs, fopen, fwrite, fgets, fclose, _set_fmode |
| api-ms-win-crt-convert-l1-1-0.dll | strtod, atoi, strtoul, strtoull, strtol, strtoll |
| api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale, localeconv |
| api-ms-win-crt-time-l1-1-0.dll | _time64, _gmtime64 |
| api-ms-win-crt-string-l1-1-0.dll | strcmp, strncmp, isupper, strcspn, strspn, _strdup, strncpy, tolower, strpbrk |
| api-ms-win-crt-filesystem-l1-1-0.dll | _stat64, _unlink, _access, _fstat64 |
| api-ms-win-crt-math-l1-1-0.dll | __setusermatherr, _dclass |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 20, 2024 21:21:11.296596050 CEST | 49710 | 443 | 192.168.2.5 | 104.26.0.5 |
| Oct 20, 2024 21:21:11.296649933 CEST | 443 | 49710 | 104.26.0.5 | 192.168.2.5 |
| Oct 20, 2024 21:21:11.296747923 CEST | 49710 | 443 | 192.168.2.5 | 104.26.0.5 |
| Oct 20, 2024 21:21:11.332803011 CEST | 49710 | 443 | 192.168.2.5 | 104.26.0.5 |
| Oct 20, 2024 21:21:11.332844019 CEST | 443 | 49710 | 104.26.0.5 | 192.168.2.5 |
| Oct 20, 2024 21:21:12.112807989 CEST | 443 | 49710 | 104.26.0.5 | 192.168.2.5 |
| Oct 20, 2024 21:21:12.112900972 CEST | 49710 | 443 | 192.168.2.5 | 104.26.0.5 |
| Oct 20, 2024 21:21:12.117033005 CEST | 49710 | 443 | 192.168.2.5 | 104.26.0.5 |
| Oct 20, 2024 21:21:12.117046118 CEST | 443 | 49710 | 104.26.0.5 | 192.168.2.5 |
| Oct 20, 2024 21:21:12.117392063 CEST | 443 | 49710 | 104.26.0.5 | 192.168.2.5 |
| Oct 20, 2024 21:21:12.124320030 CEST | 49710 | 443 | 192.168.2.5 | 104.26.0.5 |
| Oct 20, 2024 21:21:12.171403885 CEST | 443 | 49710 | 104.26.0.5 | 192.168.2.5 |
| Oct 20, 2024 21:21:12.312694073 CEST | 443 | 49710 | 104.26.0.5 | 192.168.2.5 |
| Oct 20, 2024 21:21:12.312757015 CEST | 443 | 49710 | 104.26.0.5 | 192.168.2.5 |
| Oct 20, 2024 21:21:12.312839985 CEST | 49710 | 443 | 192.168.2.5 | 104.26.0.5 |
| Oct 20, 2024 21:21:26.396496058 CEST | 49710 | 443 | 192.168.2.5 | 104.26.0.5 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 20, 2024 21:21:11.266422033 CEST | 63535 | 53 | 192.168.2.5 | 1.1.1.1 |
| Oct 20, 2024 21:21:11.280337095 CEST | 53 | 63535 | 1.1.1.1 | 192.168.2.5 |
| Oct 20, 2024 21:21:40.517637014 CEST | 53 | 61325 | 162.159.36.2 | 192.168.2.5 |
| Oct 20, 2024 21:21:41.290982008 CEST | 53595 | 53 | 192.168.2.5 | 1.1.1.1 |
| Oct 20, 2024 21:21:41.298002958 CEST | 53 | 53595 | 1.1.1.1 | 192.168.2.5 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Oct 20, 2024 21:21:11.266422033 CEST | 192.168.2.5 | 1.1.1.1 | 0xd514 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 20, 2024 21:21:41.290982008 CEST | 192.168.2.5 | 1.1.1.1 | 0x8865 | Standard query (0) | PTR (Pointer record) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Oct 20, 2024 21:21:11.280337095 CEST | 1.1.1.1 | 192.168.2.5 | 0xd514 | No error (0) | 104.26.0.5 | A (IP address) | IN (0x0001) | false | ||
| Oct 20, 2024 21:21:11.280337095 CEST | 1.1.1.1 | 192.168.2.5 | 0xd514 | No error (0) | 104.26.1.5 | A (IP address) | IN (0x0001) | false | ||
| Oct 20, 2024 21:21:11.280337095 CEST | 1.1.1.1 | 192.168.2.5 | 0xd514 | No error (0) | 172.67.72.57 | A (IP address) | IN (0x0001) | false | ||
| Oct 20, 2024 21:21:41.298002958 CEST | 1.1.1.1 | 192.168.2.5 | 0x8865 | Name error (3) | none | none | PTR (Pointer record) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49710 | 104.26.0.5 | 443 | 1080 | C:\Users\user\Desktop\J1un7vGf29.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-10-20 19:21:12 UTC | 128 | OUT | |
| 2024-10-20 19:21:12 UTC | 58 | OUT |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 15:21:07 |
| Start date: | 20/10/2024 |
| Path: | C:\Users\user\Desktop\J1un7vGf29.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff63d8d0000 |
| File size: | 506'368 bytes |
| MD5 hash: | 40F68D8B1BE0F31F4AAF28DCCF2F94CB |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 15:21:07 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6d64d0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 15:21:07 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6b2150000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 15:21:07 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\taskkill.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7427d0000 |
| File size: | 101'376 bytes |
| MD5 hash: | A599D3B2FAFBDE4C1A6D7D0F839451C7 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 5 |
| Start time: | 15:21:07 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6b2150000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 6 |
| Start time: | 15:21:07 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\taskkill.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7427d0000 |
| File size: | 101'376 bytes |
| MD5 hash: | A599D3B2FAFBDE4C1A6D7D0F839451C7 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 7 |
| Start time: | 15:21:08 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6b2150000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 8 |
| Start time: | 15:21:08 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\taskkill.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7427d0000 |
| File size: | 101'376 bytes |
| MD5 hash: | A599D3B2FAFBDE4C1A6D7D0F839451C7 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 9 |
| Start time: | 15:21:08 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6b2150000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 10 |
| Start time: | 15:21:08 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\sc.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff726570000 |
| File size: | 72'192 bytes |
| MD5 hash: | 3FB5CF71F7E7EB49790CB0E663434D80 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 11 |
| Start time: | 15:21:08 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6b2150000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 12 |
| Start time: | 15:21:08 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\sc.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff726570000 |
| File size: | 72'192 bytes |
| MD5 hash: | 3FB5CF71F7E7EB49790CB0E663434D80 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 13 |
| Start time: | 15:21:08 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6b2150000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 14 |
| Start time: | 15:21:08 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6d64d0000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 15 |
| Start time: | 15:21:08 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\taskkill.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7427d0000 |
| File size: | 101'376 bytes |
| MD5 hash: | A599D3B2FAFBDE4C1A6D7D0F839451C7 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 16 |
| Start time: | 15:21:08 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6b2150000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 17 |
| Start time: | 15:21:09 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\taskkill.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7427d0000 |
| File size: | 101'376 bytes |
| MD5 hash: | A599D3B2FAFBDE4C1A6D7D0F839451C7 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 18 |
| Start time: | 15:21:09 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6b2150000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 19 |
| Start time: | 15:21:09 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\taskkill.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7427d0000 |
| File size: | 101'376 bytes |
| MD5 hash: | A599D3B2FAFBDE4C1A6D7D0F839451C7 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 20 |
| Start time: | 15:21:09 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6b2150000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 21 |
| Start time: | 15:21:10 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\sc.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff726570000 |
| File size: | 72'192 bytes |
| MD5 hash: | 3FB5CF71F7E7EB49790CB0E663434D80 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 22 |
| Start time: | 15:21:10 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6b2150000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 23 |
| Start time: | 15:21:10 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\sc.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff726570000 |
| File size: | 72'192 bytes |
| MD5 hash: | 3FB5CF71F7E7EB49790CB0E663434D80 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 24 |
| Start time: | 15:21:10 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6b2150000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 25 |
| Start time: | 15:21:13 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6b2150000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 26 |
| Start time: | 15:21:13 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\taskkill.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7427d0000 |
| File size: | 101'376 bytes |
| MD5 hash: | A599D3B2FAFBDE4C1A6D7D0F839451C7 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 27 |
| Start time: | 15:21:13 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6b2150000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 28 |
| Start time: | 15:21:13 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\taskkill.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7427d0000 |
| File size: | 101'376 bytes |
| MD5 hash: | A599D3B2FAFBDE4C1A6D7D0F839451C7 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 29 |
| Start time: | 15:21:13 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6b2150000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 30 |
| Start time: | 15:21:13 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\taskkill.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7427d0000 |
| File size: | 101'376 bytes |
| MD5 hash: | A599D3B2FAFBDE4C1A6D7D0F839451C7 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 31 |
| Start time: | 15:21:13 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6b2150000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 32 |
| Start time: | 15:21:13 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\sc.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff726570000 |
| File size: | 72'192 bytes |
| MD5 hash: | 3FB5CF71F7E7EB49790CB0E663434D80 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 33 |
| Start time: | 15:21:14 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6b2150000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 34 |
| Start time: | 15:21:14 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\sc.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff726570000 |
| File size: | 72'192 bytes |
| MD5 hash: | 3FB5CF71F7E7EB49790CB0E663434D80 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 35 |
| Start time: | 15:21:14 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6b2150000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 37 |
| Start time: | 15:21:14 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\WerFault.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff73b510000 |
| File size: | 570'736 bytes |
| MD5 hash: | FD27D9F6D02763BDE32511B5DF7FF7A0 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 38 |
| Start time: | 15:21:14 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\WerFault.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff73b510000 |
| File size: | 570'736 bytes |
| MD5 hash: | FD27D9F6D02763BDE32511B5DF7FF7A0 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 4.3% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 23.4% |
| Total number of Nodes: | 2000 |
| Total number of Limit Nodes: | 90 |
Graph
Function 00007FF63D8FF590 Relevance: 178.5, APIs: 31, Strings: 70, Instructions: 1702stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D909F3D Relevance: 116.1, APIs: 43, Strings: 23, Instructions: 552stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8E1530 Relevance: 114.1, APIs: 51, Strings: 14, Instructions: 304processsleepfileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8F8980 Relevance: 45.7, APIs: 21, Strings: 5, Instructions: 191libraryloadernetworkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8F7CC0 Relevance: 38.9, APIs: 15, Strings: 7, Instructions: 357networkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D904A60 Relevance: 24.1, APIs: 16, Instructions: 127networkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8F6980 Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 337COMMON
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8F5ED0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 113networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8D2AA0 Relevance: 40.7, APIs: 16, Strings: 7, Instructions: 402sleepwindowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D90B5C0 Relevance: 38.9, APIs: 6, Strings: 16, Instructions: 385COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D90AA50 Relevance: 31.9, APIs: 9, Strings: 9, Instructions: 415encryptionCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D909C70 Relevance: 30.1, APIs: 4, Strings: 13, Instructions: 348libraryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8F2920 Relevance: 28.6, APIs: 6, Strings: 10, Instructions: 557COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8F18B0 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 153COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8F8660 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 128librarystringloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8F7300 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 161networkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D9086D0 Relevance: 19.6, APIs: 13, Instructions: 128networkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D905FE0 Relevance: 16.7, APIs: 11, Instructions: 241sleepnetworkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8F4EF0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 153COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8D2840 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 121processCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D905C40 Relevance: 10.7, APIs: 7, Instructions: 242sleepnetworkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D90BC90 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 172COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8E6D00 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 193COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8F1190 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 147COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D901710 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 138COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8E7DF8 Relevance: 7.8, APIs: 4, Strings: 1, Instructions: 297COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8D3550 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 156windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D922480 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8E792B Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 246COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D9012D0 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 97COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D909A80 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 129COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8F1E90 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 106COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D902890 Relevance: 127.2, APIs: 25, Strings: 47, Instructions: 1229stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8E8990 Relevance: 105.7, APIs: 41, Strings: 19, Instructions: 738stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8D955D Relevance: 78.0, APIs: 39, Strings: 5, Instructions: 978COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8DABFD Relevance: 74.4, APIs: 37, Strings: 5, Instructions: 930COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D925AD0 Relevance: 72.3, APIs: 17, Strings: 24, Instructions: 549encryptionCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D9149F0 Relevance: 67.0, APIs: 25, Strings: 13, Instructions: 515networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8EF0E0 Relevance: 52.8, APIs: 25, Strings: 5, Instructions: 254stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D9215B0 Relevance: 42.4, APIs: 21, Strings: 3, Instructions: 425COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8F7630 Relevance: 38.8, APIs: 14, Strings: 8, Instructions: 317stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D909FFC Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 203stringfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8D973B Relevance: 37.3, APIs: 18, Strings: 3, Instructions: 509COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D90A005 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202stringfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D920580 Relevance: 28.3, APIs: 11, Strings: 5, Instructions: 252fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D907CC0 Relevance: 17.9, APIs: 6, Strings: 4, Instructions: 422stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8E1E4E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D92EF30 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 69encryptionCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D92CE40 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 112encryptionCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D90C5D0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 223COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D9300E8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D92FF64 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D92EEC0 Relevance: .0, Instructions: 32COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D92FEF4 Relevance: .0, Instructions: 2COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8F4A50 Relevance: 52.7, APIs: 34, Strings: 1, Instructions: 215COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D916E90 Relevance: 49.9, APIs: 6, Strings: 27, Instructions: 385COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D910930 Relevance: 47.5, APIs: 18, Strings: 9, Instructions: 297stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D92DE10 Relevance: 44.0, APIs: 22, Strings: 3, Instructions: 250COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8DAE0F Relevance: 37.2, APIs: 18, Strings: 3, Instructions: 459COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D922BB0 Relevance: 37.1, APIs: 10, Strings: 11, Instructions: 312networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8D98E8 Relevance: 35.4, APIs: 17, Strings: 3, Instructions: 423COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D91DB10 Relevance: 35.3, APIs: 14, Strings: 6, Instructions: 257stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D91BCE0 Relevance: 35.2, APIs: 4, Strings: 16, Instructions: 175stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8EBE00 Relevance: 34.9, APIs: 6, Strings: 17, Instructions: 352COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8E9A20 Relevance: 31.8, APIs: 21, Instructions: 269stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8FE5D0 Relevance: 30.1, APIs: 7, Strings: 10, Instructions: 310stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D9139B0 Relevance: 30.0, APIs: 6, Strings: 11, Instructions: 284stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D912E60 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 208stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8E1D10 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 134COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D901A00 Relevance: 26.5, APIs: 6, Strings: 9, Instructions: 218stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D92D000 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 179COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D927C01 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 165COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D921C70 Relevance: 24.2, APIs: 14, Strings: 2, Instructions: 227COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D9289C0 Relevance: 24.2, APIs: 1, Strings: 15, Instructions: 179COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D91ED9C Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 252COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D90D080 Relevance: 22.8, APIs: 1, Strings: 14, Instructions: 321COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D9119D0 Relevance: 21.3, APIs: 5, Strings: 9, Instructions: 279COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8DC031 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 217COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8EA010 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 161fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D924930 Relevance: 19.8, APIs: 8, Strings: 5, Instructions: 266COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D926810 Relevance: 19.7, APIs: 5, Strings: 8, Instructions: 165COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D919D20 Relevance: 19.7, APIs: 4, Strings: 9, Instructions: 151stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D91C5A3 Relevance: 19.5, APIs: 4, Strings: 7, Instructions: 290COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D91CE20 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 222networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D91A850 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 180networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8F3DF0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 151stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8E9E00 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 143fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8FB9D0 Relevance: 18.2, APIs: 2, Strings: 10, Instructions: 227COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D90D9E0 Relevance: 18.2, APIs: 4, Strings: 8, Instructions: 207COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8F4590 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 280stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8D1FB0 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 241COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8FBDD0 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 162COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D92B680 Relevance: 16.8, APIs: 2, Strings: 9, Instructions: 279COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D90D6B0 Relevance: 16.7, APIs: 5, Strings: 6, Instructions: 223COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8EC930 Relevance: 16.6, APIs: 11, Instructions: 119stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8F1C60 Relevance: 16.4, APIs: 13, Instructions: 164stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8F3B80 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8F3B29 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 150COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D914590 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 117COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D9275CE Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 103COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8E2640 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 72stringwindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8E1E42 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8E1E72 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8E1E66 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8E1E5A Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8E1E8A Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8E1E7E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70stringwindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8E1D8E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 69stringwindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8F3FF0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 142stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D9106A0 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 135stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8E4067 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 109COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D926A9C Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 94COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D91E8E0 Relevance: 13.7, APIs: 3, Strings: 6, Instructions: 223COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D92794C Relevance: 13.7, APIs: 5, Strings: 4, Instructions: 174COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D926DD6 Relevance: 13.7, APIs: 5, Strings: 4, Instructions: 169COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D920E80 Relevance: 13.6, APIs: 5, Strings: 4, Instructions: 148COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D917B10 Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 111stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D92BC20 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 252stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D91DEF0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 170COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8DAB70 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 156COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D916BC0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 145stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D91EE30 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D91EE06 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 123COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D91A6A0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 113networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D9276BE Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D926B6E Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 74COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D9277BD Relevance: 12.2, APIs: 2, Strings: 6, Instructions: 173COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D926C5D Relevance: 12.2, APIs: 2, Strings: 6, Instructions: 165COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D927F55 Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 146COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D9276F4 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 130COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D926B97 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 123COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D927954 Relevance: 12.1, APIs: 4, Strings: 4, Instructions: 110COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D9157B6 Relevance: 12.1, APIs: 5, Strings: 3, Instructions: 104COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D9236A0 Relevance: 10.9, APIs: 5, Strings: 2, Instructions: 424stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8F8FE0 Relevance: 10.7, APIs: 4, Strings: 3, Instructions: 217stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D908EB0 Relevance: 10.7, APIs: 4, Strings: 3, Instructions: 184COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D907900 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 165stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D92962A Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 154COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D927DCB Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 145COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D91BFB0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 139COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D920B30 Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 129COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D91EE87 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D91EE77 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 121COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D91EDDC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D91EDEA Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D91EE22 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D91EDF8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D91EEAD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 119COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D903F90 Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 109stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D91CB00 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 109COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D927610 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 106COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D927D0E Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 102COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D926AD1 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 99COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D90FE10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D926DDE Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 95COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D9297BD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 92COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D927F5D Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D90E936 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 80COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D927068 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 55COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D927CE5 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8F5640 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D92790F Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 98COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D926D9F Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 91COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D92D850 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 91COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D927685 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 88COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D90F931 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 85stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D9276D6 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 84COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D9276A3 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 83COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D927C40 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 81COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D926B41 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 80COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D926B7F Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 76COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D926B59 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 75COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D915963 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 71COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8D2610 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 124COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D91F580 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 115stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D929568 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 111COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8FEF50 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8E0680 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D916A10 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 98COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8F5D80 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8FC810 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 92COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D910DD0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D928D00 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 41COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D911A3B Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 134COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D929D35 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 133COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D92D5E0 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 129stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8FB6D0 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 127COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D929049 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 125COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D927F1E Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 69COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D911F90 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 68COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D927CB8 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 60COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D927CF6 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 56COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D927CD0 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 55COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8E2C40 Relevance: 7.5, APIs: 1, Strings: 4, Instructions: 46stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D9299F5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 113COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D91BA40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8F5AF0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D912590 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 73networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D904130 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D90DEE0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D929BAF Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 132COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D928EC0 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 122COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D92A830 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 105COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D92AC70 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 103COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D929AF5 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 90COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D928E05 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 78COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D929D3D Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 70COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D929051 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 61COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D9270AA Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 60COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D901960 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 48COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D90CEE0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D91E75F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8FA680 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8F8CF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D8F7010 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D929AC8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF63D928DD8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|