Edit tour
Windows
Analysis Report
flX5YA1C09.exe
Overview
General Information
| Sample name: | flX5YA1C09.exerenamed because original name is a hash value |
| Original sample name: | 2ab72b91ce16dd1252e5a054ac75752e.exe |
| Analysis ID: | 1538243 |
| MD5: | 2ab72b91ce16dd1252e5a054ac75752e |
| SHA1: | a9b72d4e2e3ced63e58d36e11d0bf5e8a3132f0f |
| SHA256: | ef1550c124e6a450ffce5f4ffe0313962c73e2169b7f6e4b289bafa386912400 |
| Tags: | 64exe |
| Infos: | |
 | |
Detection
| Score: | 56 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to create an SMB header
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found decision node followed by non-executed suspicious APIs
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
One or more processes crash
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Classification
- System is w10x64
flX5YA1C09.exe (PID: 1468 cmdline: "C:\Users\ user\Deskt op\flX5YA1 C09.exe" MD5: 2AB72B91CE16DD1252E5A054AC75752E) 
conhost.exe (PID: 5100 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 6288 cmdline:
C:\Windows \system32\ cmd.exe /c taskkill /FI "IMAGE NAME eq fi ddler*" /I M * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - taskkill.exe (PID: 2096 cmdline:
taskkill / FI "IMAGEN AME eq fid dler*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7) - cmd.exe (PID: 5332 cmdline:
C:\Windows \system32\ cmd.exe /c taskkill /FI "IMAGE NAME eq wi reshark*" /IM * /F / T >nul 2>& 1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - taskkill.exe (PID: 6684 cmdline:
taskkill / FI "IMAGEN AME eq wir eshark*" / IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7) - cmd.exe (PID: 6048 cmdline:
C:\Windows \system32\ cmd.exe /c taskkill /FI "IMAGE NAME eq ht tpdebugger *" /IM * / F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - taskkill.exe (PID: 5156 cmdline:
taskkill / FI "IMAGEN AME eq htt pdebugger* " /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7) - cmd.exe (PID: 368 cmdline:
C:\Windows \system32\ cmd.exe /c sc stop H TTPDebugge rPro >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - sc.exe (PID: 5956 cmdline:
sc stop HT TPDebugger Pro MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - cmd.exe (PID: 4416 cmdline:
C:\Windows \system32\ cmd.exe /c sc stop H TTPDebugge rProSdk >n ul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - sc.exe (PID: 2760 cmdline:
sc stop HT TPDebugger ProSdk MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - cmd.exe (PID: 5260 cmdline:
C:\Windows \system32\ cmd.exe /c @RD /S /Q "C:\Users \%username %\AppData\ Local\Micr osoft\Wind ows\INetCa che\IE" >n ul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - cmd.exe (PID: 4080 cmdline:
C:\Windows \system32\ cmd.exe /c taskkill /FI "IMAGE NAME eq fi ddler*" /I M * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - taskkill.exe (PID: 3552 cmdline:
taskkill / FI "IMAGEN AME eq fid dler*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7) - cmd.exe (PID: 3200 cmdline:
C:\Windows \system32\ cmd.exe /c taskkill /FI "IMAGE NAME eq wi reshark*" /IM * /F / T >nul 2>& 1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - taskkill.exe (PID: 6436 cmdline:
taskkill / FI "IMAGEN AME eq wir eshark*" / IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7) - cmd.exe (PID: 5828 cmdline:
C:\Windows \system32\ cmd.exe /c taskkill /FI "IMAGE NAME eq ht tpdebugger *" /IM * / F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - taskkill.exe (PID: 1924 cmdline:
taskkill / FI "IMAGEN AME eq htt pdebugger* " /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7) - cmd.exe (PID: 2096 cmdline:
C:\Windows \system32\ cmd.exe /c sc stop H TTPDebugge rPro >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - sc.exe (PID: 6288 cmdline:
sc stop HT TPDebugger Pro MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - cmd.exe (PID: 5732 cmdline:
C:\Windows \system32\ cmd.exe /c sc stop H TTPDebugge rProSdk >n ul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - sc.exe (PID: 5160 cmdline:
sc stop HT TPDebugger ProSdk MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - cmd.exe (PID: 5256 cmdline:
C:\Windows \system32\ cmd.exe /c @RD /S /Q "C:\Users \%username %\AppData\ Local\Micr osoft\Wind ows\INetCa che\IE" >n ul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - cmd.exe (PID: 5936 cmdline:
C:\Windows \system32\ cmd.exe /c taskkill /FI "IMAGE NAME eq fi ddler*" /I M * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - taskkill.exe (PID: 368 cmdline:
taskkill / FI "IMAGEN AME eq fid dler*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7) - cmd.exe (PID: 2760 cmdline:
C:\Windows \system32\ cmd.exe /c taskkill /FI "IMAGE NAME eq wi reshark*" /IM * /F / T >nul 2>& 1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - taskkill.exe (PID: 4416 cmdline:
taskkill / FI "IMAGEN AME eq wir eshark*" / IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7) - cmd.exe (PID: 672 cmdline:
C:\Windows \system32\ cmd.exe /c taskkill /FI "IMAGE NAME eq ht tpdebugger *" /IM * / F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - taskkill.exe (PID: 3552 cmdline:
taskkill / FI "IMAGEN AME eq htt pdebugger* " /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7) - cmd.exe (PID: 3416 cmdline:
C:\Windows \system32\ cmd.exe /c sc stop H TTPDebugge rPro >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - sc.exe (PID: 6436 cmdline:
sc stop HT TPDebugger Pro MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - cmd.exe (PID: 3200 cmdline:
C:\Windows \system32\ cmd.exe /c sc stop H TTPDebugge rProSdk >n ul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - sc.exe (PID: 5328 cmdline:
sc stop HT TPDebugger ProSdk MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - cmd.exe (PID: 5756 cmdline:
C:\Windows \system32\ cmd.exe /c @RD /S /Q "C:\Users \%username %\AppData\ Local\Micr osoft\Wind ows\INetCa che\IE" >n ul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) 
WerFault.exe (PID: 3984 cmdline: C:\Windows \system32\ WerFault.e xe -u -p 1 468 -s 101 2 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Code function: | 0_2_00007FF791569F8D | |
| Source: | Code function: | 0_2_00007FF791569280 | |
| Source: | Code function: | 0_2_00007FF79156C260 | |
| Source: | Code function: | 0_2_00007FF79156C270 | |
| Source: | Code function: | 0_2_00007FF79156C210 | |
| Source: | Code function: | 0_2_00007FF791586440 | |
| Source: | Code function: | 0_2_00007FF791569350 | |
| Source: | Code function: | 0_2_00007FF791585B20 | |
| Source: | Code function: | 0_2_00007FF79158CE90 | |
| Source: | Code function: | 0_2_00007FF79158EF80 | |
| Source: | Code function: | 0_2_00007FF79154F130 | |
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_00007FF791578B50 | |
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | HTTP traffic detected: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 0_2_00007FF791541580 | |
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 0_2_00007FF79158CE90 | |
| Source: | Code function: | 0_2_00007FF791541580 | |
| Source: | Code function: | 0_2_00007FF79155F5E0 | |
| Source: | Code function: | 0_2_00007FF7915589D0 | |
| Source: | Code function: | 0_2_00007FF7915569D0 | |
| Source: | Code function: | 0_2_00007FF791557D10 | |
| Source: | Code function: | 0_2_00007FF791569F8D | |
| Source: | Code function: | 0_2_00007FF79157D270 | |
| Source: | Code function: | 0_2_00007FF79153D2A0 | |
| Source: | Code function: | 0_2_00007FF791565430 | |
| Source: | Code function: | 0_2_00007FF791553380 | |
| Source: | Code function: | 0_2_00007FF791550650 | |
| Source: | Code function: | 0_2_00007FF79156C620 | |
| Source: | Code function: | 0_2_00007FF791579570 | |
| Source: | Code function: | 0_2_00007FF791581600 | |
| Source: | Code function: | 0_2_00007FF7915805D0 | |
| Source: | Code function: | 0_2_00007FF7915395AD | |
| Source: | Code function: | 0_2_00007FF791559890 | |
| Source: | Code function: | 0_2_00007FF7915628E0 | |
| Source: | Code function: | 0_2_00007FF79153978B | |
| Source: | Code function: | 0_2_00007FF791574A40 | |
| Source: | Code function: | 0_2_00007FF7915489E0 | |
| Source: | Code function: | 0_2_00007FF79153AC4D | |
| Source: | Code function: | 0_2_00007FF791567D10 | |
| Source: | Code function: | 0_2_00007FF791585B20 | |
| Source: | Code function: | 0_2_00007FF79153EBC0 | |
| Source: | Code function: | 0_2_00007FF79158CE90 | |
| Source: | Code function: | 0_2_00007FF79153DE30 | |
| Source: | Code function: | 0_2_00007FF79158EF10 | |
| Source: | Code function: | 0_2_00007FF79156A04C | |
| Source: | Code function: | 0_2_00007FF79156A055 | |
| Source: | Code function: | 0_2_00007FF791531000 | |
| Source: | Process created: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_00007FF791542690 | |
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | String found in binary or memory: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Window detected: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00007FF7915586B0 | |
| Source: | Code function: | 0_2_00007FF79154C3F5 | |
| Source: | Process created: | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Decision node followed by non-executed suspicious API: | ||
| Source: | API coverage: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FF791590138 | |
| Source: | Code function: | 0_2_00007FF791590138 | |
| Source: | Code function: | 0_2_00007FF7915586B0 | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FF79158FA44 | |
| Source: | Code function: | 0_2_00007FF79158FD9C | |
| Source: | Code function: | 0_2_00007FF79158FF44 | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Code function: | 0_2_00007FF79158FFB4 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_00007FF791564AB0 | |
| Source: | Code function: | 0_2_00007FF791557680 | |
| Source: | Code function: | 0_2_00007FF79157B54D | |
| Source: | Code function: | 0_2_00007FF79157B7A0 | |
| Source: | Code function: | 0_2_00007FF791574A40 | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 Windows Service | 1 Windows Service | 1 Disable or Modify Tools | OS Credential Dumping | 1 System Time Discovery | 1 Exploitation of Remote Services | 12 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Other Network Medium | 1 Data Encrypted for Impact |
| Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Virtualization/Sandbox Evasion | LSASS Memory | 41 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 Service Execution | Logon Script (Windows) | 1 DLL Side-Loading | 11 Process Injection | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | 1 Native API | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 3 System Information Discovery | Distributed Component Object Model | Input Capture | 3 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 26% | ReversingLabs | Win64.Trojan.Generic | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | unknown | |
| keyauth.win | 172.67.72.57 | true | false | unknown | |
| fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false |
| unknown | ||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false |
| unknown | ||
| false | unknown | |||
| false | unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 172.67.72.57 | keyauth.win | United States | 13335 | CLOUDFLARENETUS | false |
| IP |
|---|
| 127.0.0.1 |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1538243 |
| Start date and time: | 2024-10-20 21:20:10 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 39s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 41 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | flX5YA1C09.exerenamed because original name is a hash value |
| Original Sample Name: | 2ab72b91ce16dd1252e5a054ac75752e.exe |
| Detection: | MAL |
| Classification: | mal56.evad.winEXE@67/22@1/2 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 52.182.143.212
- Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, ocsp.edge.digicert.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size exceeded maximum capacity and may have missing disassembly code.
- VT rate limit hit for: flX5YA1C09.exe
| Time | Type | Description |
|---|---|---|
| 15:21:21 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 172.67.72.57 | Get hash | malicious | Unknown | Browse | ||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| keyauth.win | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| fp2e7a.wpc.phicdn.net | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | RMSRemoteAdmin | Browse |
| ||
| Get hash | malicious | RMSRemoteAdmin | Browse |
| ||
| Get hash | malicious | RMSRemoteAdmin | Browse |
| ||
| Get hash | malicious | RMSRemoteAdmin | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| bg.microsoft.map.fastly.net | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | RMSRemoteAdmin | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Phisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | PureLog Stealer, RedLine | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 3b5074b1b5d032e5620f69f9f700ff0e | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | PureLog Stealer, RedLine | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | DCRat | Browse |
| ||
| Get hash | malicious | XWorm | Browse |
| ||
| Get hash | malicious | XWorm | Browse |
|
⊘No context
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_flX5YA1C09.exe_6193f6e47d768fb07ef4e778aeb03f9f2b24ff_41b9c7aa_8ba48ea0-4bd8-4fb0-9fd2-b26a74e926a9\Report.wer 
Download File
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.9989196732181074 |
| Encrypted: | false |
| SSDEEP: | 96:74FmXAJ6PsBh8z75fQbQXIDcQNc6GcEOcw3X+HbHg/8BRTf3o8Fa9KifQvH+DFdO:s4G6Pf0jCUAjvVm8zuiFVZ24lO8L |
| MD5: | D4EEA43C6D13EEB3C3DA1A888F6EADF3 |
| SHA1: | 3B2AA851D572D4CC7EFA3668A9B8E4C81B335B0C |
| SHA-256: | 1A06BB69A0B9711B750E2B4C346A6861A1647D73F9FF80B1EA26B4289BD43E84 |
| SHA-512: | 0F8D02CC1CC21527DC2825541AF33879998C4F5951482698B0EB1CA9C413FE8539E1570FCDFA7572244B7715CAFC6A868313564A6503E860AB7DAD5268F9501D |
| Malicious: | true |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 106948 |
| Entropy (8bit): | 1.6017360298464471 |
| Encrypted: | false |
| SSDEEP: | 384:0JKKOFDj81+20DMjbnRafpqwSRuKLBIihjj+kJAkBYpmrIrbW:gyf8s20HSRuKLBLjVKpm0b |
| MD5: | 4529676BF936B99A49941F7220BB959F |
| SHA1: | F314297396CD324BB9CCA7B179C6CFB2A5ED288B |
| SHA-256: | 51C7F271E180FEBA698820B6ECF9D0A330E55EDAD0547CDC80D9187E0719254D |
| SHA-512: | CA9984D5D6FFAA07F6325F91AC034FB6DF41952CA326C3A2259BEBEEF8F7AE04BB422CA59FDD751E02F5E2A50AAB26AF1FAF6D31A8F07B61CA9FAE3079B535DC |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 10138 |
| Entropy (8bit): | 3.7148182515668258 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJmFaO6Y2D1Kphkgmf9+pr+89bC0h+f3Qim:R6lXJM16YgKpCgmf98BIfS |
| MD5: | ABC89B928323F66B6223D326BF32946E |
| SHA1: | 59249ED0C5C239FA9D6C98F003B2F182625AEC5F |
| SHA-256: | AE73307E20511B2868F882FD54EB55A417E6DFE3B32530F996F518A7A626600F |
| SHA-512: | DE004C5AF18A65B473CF8B88E7E12E632B0CE3F1DD1C39D57301648358BF72F161075A8819D5FFC6A689507C3B2A40FC69C40534C14D13A17A54634A2FD9CD5D |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4645 |
| Entropy (8bit): | 4.467744226737068 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zskJg771I9bQWpW8VYlYm8M4J1QmeQXZFVpmyq85lQ1QNl/iXjHOd:uIjfiI78p7VFJakZpmTaPiXjHOd |
| MD5: | 32F0003900DCE39DCEBD21FE39ADDA36 |
| SHA1: | 88B521D67069882C318ED1D84D60F9CBB37F4F85 |
| SHA-256: | 133D333FAA4C19FC12517A394580078DADD139C1639B275FAD939DFDF1571CC7 |
| SHA-512: | 4B082A57F83FD62FFDF90D4EABB4C0AD7057F23429D82F920C8CB43BE22198F4F3E72C96B7F3DB2057CF2E449803FC4C2D8632BF423D95B857FDA6B1B6A7BFC8 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1835008 |
| Entropy (8bit): | 4.468735284041842 |
| Encrypted: | false |
| SSDEEP: | 6144:YzZfpi6ceLPx9skLmb0fxZWSP3aJG8nAgeiJRMMhA2zX4WABluuNSjDH5S:OZHtxZWOKnMM6bFpYj4 |
| MD5: | 77E3835604A82A39AB556865220851D4 |
| SHA1: | EBF4C8D0E2FB8621875B5D2C5C866443C5105222 |
| SHA-256: | D1ADE13663A813BA8C878F3F192B291F631E8132A793018988B9A29A5139DFF5 |
| SHA-512: | 444E94997467B5E790B8EE6268C2451906F967C323C4DBC9E97BD0F5ACA0A9734E2C0C142CB30708199656322AE9A6E69A6898D2A8BD6D8766D2E387415D4539 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\cmd.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 44 |
| Entropy (8bit): | 4.003997527334849 |
| Encrypted: | false |
| SSDEEP: | 3:HnRthLK5a6eCMABe:HRoJPO |
| MD5: | DF5DC1ABC0D52F3C9E931E26A7C0065C |
| SHA1: | EE84123D3B3BC440C63DFE65FF5616BE2B0904D5 |
| SHA-256: | F7167A2FACDE50428D8D2697A1CDFF075DE809323DD16D62B65CDD103B2A9A6D |
| SHA-512: | 9B2253CE41880D22A2DDF4F886BB6CB22FF0C981400CD9D03A1FCA81DE5FAEB86C26B85B66ECEC960816D7BBE9740843890F2FCCD334B6D274295A32A8E6A4E9 |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.423212701081575 |
| TrID: |
|
| File name: | flX5YA1C09.exe |
| File size: | 506'368 bytes |
| MD5: | 2ab72b91ce16dd1252e5a054ac75752e |
| SHA1: | a9b72d4e2e3ced63e58d36e11d0bf5e8a3132f0f |
| SHA256: | ef1550c124e6a450ffce5f4ffe0313962c73e2169b7f6e4b289bafa386912400 |
| SHA512: | 83f8a0b269ce7755f973c0e67c5bb7ce7b8d62e4b534b8663d663168a1aaa5d8c1adaf5cfb122a3e2555464f4a7c939c3544d0b34c85aaa91d905fe951fb4e0c |
| SSDEEP: | 12288:EcRxIa0CO71s6Hxw2KJrSddWzF1H43DPb6+:EoxIoOhlG2KJ2WR+Pb6 |
| TLSH: | 5BB46D96A7A807E9D1A7C03CC547C603E7B6B4991311DBDB43A4CA791F637E12E3A720 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........V...V...V..._.+.B...PHE.^...PH..v...PH..\...PH..R...PH..P.......A...V...s.......?...9H..T...9H..W...9HG.W...9H..W...RichV.. |
 | |
| Icon Hash: | 00928e8e8686b000 |
| Entrypoint: | 0x14005fa28 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x140000000 |
| Subsystem: | windows cui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x671280FD [Fri Oct 18 15:38:37 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 3dd1b7e6418973ac2798d88d33677d96 |
| Instruction |
|---|
| dec eax |
| sub esp, 28h |
| call 00007F58B90800E8h |
| dec eax |
| add esp, 28h |
| jmp 00007F58B907F9D7h |
| int3 |
| int3 |
| jmp 00007F58B9080398h |
| int3 |
| int3 |
| int3 |
| inc eax |
| push ebx |
| dec eax |
| sub esp, 20h |
| dec eax |
| mov ebx, ecx |
| xor ecx, ecx |
| call dword ptr [0000173Bh] |
| dec eax |
| mov ecx, ebx |
| call dword ptr [000016A2h] |
| call dword ptr [00001724h] |
| dec eax |
| mov ecx, eax |
| mov edx, C0000409h |
| dec eax |
| add esp, 20h |
| pop ebx |
| dec eax |
| jmp dword ptr [00001720h] |
| dec eax |
| mov dword ptr [esp+08h], ecx |
| dec eax |
| sub esp, 38h |
| mov ecx, 00000017h |
| call dword ptr [00001714h] |
| test eax, eax |
| je 00007F58B907FB69h |
| mov ecx, 00000002h |
| int 29h |
| dec eax |
| lea ecx, dword ptr [00018DC2h] |
| call 00007F58B907FD2Eh |
| dec eax |
| mov eax, dword ptr [esp+38h] |
| dec eax |
| mov dword ptr [00018EA9h], eax |
| dec eax |
| lea eax, dword ptr [esp+38h] |
| dec eax |
| add eax, 08h |
| dec eax |
| mov dword ptr [00018E39h], eax |
| dec eax |
| mov eax, dword ptr [00018E92h] |
| dec eax |
| mov dword ptr [00018D03h], eax |
| dec eax |
| mov eax, dword ptr [esp+40h] |
| dec eax |
| mov dword ptr [00018E07h], eax |
| mov dword ptr [00018CDDh], C0000409h |
| mov dword ptr [00018CD7h], 00000001h |
| mov dword ptr [000000E1h], 00000000h |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x760f0 | 0x1cc | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7d000 | 0x1e8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x79000 | 0x3f84 | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7e000 | 0x4e4 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6ffc0 | 0x70 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x70080 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6fe80 | 0x140 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x61000 | 0x818 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x5fdf8 | 0x5fe00 | 6e1e4d840b96fa78546683623c1ccd96 | False | 0.5328848191003911 | data | 6.336775963819167 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x61000 | 0x16b92 | 0x16c00 | 52e99968a6c7e9d2b183e4b7669d7b0c | False | 0.37964672046703296 | data | 5.5807888225661255 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x78000 | 0xdf8 | 0x400 | 187efa02209dcc291bd59d9caee44253 | False | 0.21484375 | data | 2.434631909806376 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .pdata | 0x79000 | 0x3f84 | 0x4000 | 258717b56f67e0367f4feb0b60186654 | False | 0.482421875 | data | 5.779326294134831 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0x7d000 | 0x1e8 | 0x200 | 7d03a0f9d3c3a10dec18b513161e66d8 | False | 0.54296875 | data | 4.772037401703051 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x7e000 | 0x4e4 | 0x600 | 39326fb49822ad82593e9e49b5e608b8 | False | 0.5123697916666666 | data | 4.849267575521713 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_MANIFEST | 0x7d060 | 0x188 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5892857142857143 |
| DLL | Import |
|---|---|
| KERNEL32.dll | WideCharToMultiByte, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, GetTickCount, QueryPerformanceCounter, VerifyVersionInfoA, LoadLibraryA, GetProcAddress, GetModuleHandleA, FreeLibrary, GetSystemDirectoryA, CreateFileA, VerSetConditionMask, SleepEx, LeaveCriticalSection, EnterCriticalSection, FormatMessageA, SetLastError, CloseHandle, GetCurrentProcess, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetModuleHandleW, GetCurrentProcessId, GetCurrentThreadId, GetFileSizeEx, WaitForMultipleObjects, PeekNamedPipe, ReadFile, GetFileType, GetEnvironmentVariableA, MultiByteToWideChar, WaitForSingleObjectEx, QueryPerformanceFrequency, GetSystemTimeAsFileTime, MoveFileExA, DeleteCriticalSection, GetLastError, InitializeCriticalSectionEx, OutputDebugStringW, InitializeSListHead, GetConsoleWindow, SetConsoleTitleA, SetConsoleTextAttribute, Sleep, GetStdHandle |
| USER32.dll | GetWindowLongPtrA, SetWindowLongPtrA, MessageBoxA, SetLayeredWindowAttributes |
| ADVAPI32.dll | CryptAcquireContextA, CryptReleaseContext, CryptGetHashParam, CryptGenRandom, CryptCreateHash, CryptHashData, CryptDestroyHash, CryptDestroyKey, CryptImportKey, CryptEncrypt |
| SHELL32.dll | ShellExecuteA |
| MSVCP140.dll | ?_Xlength_error@std@@YAXPEBD@Z, ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z, ?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?uncaught_exception@std@@YA_NXZ, ?_Xbad_function_call@std@@YAXXZ, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z |
| urlmon.dll | URLDownloadToFileA |
| Normaliz.dll | IdnToAscii |
| WLDAP32.dll | |
| CRYPT32.dll | CertGetCertificateChain, CertFreeCertificateChainEngine, CertCreateCertificateChainEngine, CryptQueryObject, CertGetNameStringA, CertFindExtension, CertAddCertificateContextToStore, CertFreeCertificateChain, PFXImportCertStore, CryptStringToBinaryA, CertFreeCertificateContext, CertFindCertificateInStore, CertEnumCertificatesInStore, CertCloseStore, CertOpenStore, CryptDecodeObjectEx |
| WS2_32.dll | gethostname, sendto, recvfrom, freeaddrinfo, getaddrinfo, select, ioctlsocket, listen, htonl, accept, WSACleanup, WSAStartup, WSAIoctl, WSASetLastError, socket, setsockopt, ntohs, htons, getsockopt, getsockname, getpeername, connect, bind, WSAGetLastError, send, recv, closesocket, ntohl, __WSAFDIsSet |
| VCRUNTIME140.dll | __std_exception_copy, __std_exception_destroy, _CxxThrowException, memcpy, memset, __std_terminate, __C_specific_handler, __current_exception_context, __current_exception, memchr, memcmp, strchr, strstr, memmove, strrchr |
| VCRUNTIME140_1.dll | __CxxFrameHandler4 |
| api-ms-win-crt-runtime-l1-1-0.dll | _invalid_parameter_noinfo_noreturn, _beginthreadex, _errno, __sys_nerr, _getpid, exit, system, terminate, _register_thread_local_exe_atexit_callback, _configure_narrow_argv, _initialize_narrow_environment, _initialize_onexit_table, _register_onexit_function, _crt_atexit, _cexit, _seh_filter_exe, _set_app_type, strerror, _c_exit, _initterm, _initterm_e, _exit, __p___argv, __p___argc, _get_initial_narrow_environment |
| api-ms-win-crt-heap-l1-1-0.dll | realloc, _callnewh, free, calloc, _set_new_mode, malloc |
| api-ms-win-crt-utility-l1-1-0.dll | rand, qsort |
| api-ms-win-crt-stdio-l1-1-0.dll | __stdio_common_vfprintf, fseek, feof, __p__commode, __acrt_iob_func, ftell, fputc, _lseeki64, _read, _write, _close, _open, fflush, __stdio_common_vsscanf, __stdio_common_vsprintf, fread, fputs, fopen, fwrite, fgets, fclose, _set_fmode |
| api-ms-win-crt-convert-l1-1-0.dll | strtod, atoi, strtoul, strtoull, strtol, strtoll |
| api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale, localeconv |
| api-ms-win-crt-time-l1-1-0.dll | _time64, _gmtime64 |
| api-ms-win-crt-string-l1-1-0.dll | strcmp, strncmp, isupper, strcspn, strspn, _strdup, strncpy, tolower, strpbrk |
| api-ms-win-crt-filesystem-l1-1-0.dll | _stat64, _unlink, _access, _fstat64 |
| api-ms-win-crt-math-l1-1-0.dll | __setusermatherr, _dclass |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 20, 2024 21:21:11.941822052 CEST | 49721 | 443 | 192.168.2.6 | 172.67.72.57 |
| Oct 20, 2024 21:21:11.941884995 CEST | 443 | 49721 | 172.67.72.57 | 192.168.2.6 |
| Oct 20, 2024 21:21:11.942189932 CEST | 49721 | 443 | 192.168.2.6 | 172.67.72.57 |
| Oct 20, 2024 21:21:12.004559040 CEST | 49721 | 443 | 192.168.2.6 | 172.67.72.57 |
| Oct 20, 2024 21:21:12.004600048 CEST | 443 | 49721 | 172.67.72.57 | 192.168.2.6 |
| Oct 20, 2024 21:21:12.780273914 CEST | 443 | 49721 | 172.67.72.57 | 192.168.2.6 |
| Oct 20, 2024 21:21:12.780354023 CEST | 49721 | 443 | 192.168.2.6 | 172.67.72.57 |
| Oct 20, 2024 21:21:12.785415888 CEST | 49721 | 443 | 192.168.2.6 | 172.67.72.57 |
| Oct 20, 2024 21:21:12.785432100 CEST | 443 | 49721 | 172.67.72.57 | 192.168.2.6 |
| Oct 20, 2024 21:21:12.785697937 CEST | 443 | 49721 | 172.67.72.57 | 192.168.2.6 |
| Oct 20, 2024 21:21:12.792165041 CEST | 49721 | 443 | 192.168.2.6 | 172.67.72.57 |
| Oct 20, 2024 21:21:12.835402012 CEST | 443 | 49721 | 172.67.72.57 | 192.168.2.6 |
| Oct 20, 2024 21:21:13.082602024 CEST | 443 | 49721 | 172.67.72.57 | 192.168.2.6 |
| Oct 20, 2024 21:21:13.082658052 CEST | 443 | 49721 | 172.67.72.57 | 192.168.2.6 |
| Oct 20, 2024 21:21:13.082847118 CEST | 49721 | 443 | 192.168.2.6 | 172.67.72.57 |
| Oct 20, 2024 21:21:23.105897903 CEST | 49721 | 443 | 192.168.2.6 | 172.67.72.57 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 20, 2024 21:21:11.911408901 CEST | 54525 | 53 | 192.168.2.6 | 1.1.1.1 |
| Oct 20, 2024 21:21:11.919394970 CEST | 53 | 54525 | 1.1.1.1 | 192.168.2.6 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Oct 20, 2024 21:21:11.911408901 CEST | 192.168.2.6 | 1.1.1.1 | 0xd8db | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Oct 20, 2024 21:21:03.663131952 CEST | 1.1.1.1 | 192.168.2.6 | 0xe72a | No error (0) | fp2e7a.wpc.phicdn.net | CNAME (Canonical name) | IN (0x0001) | false | ||
| Oct 20, 2024 21:21:03.663131952 CEST | 1.1.1.1 | 192.168.2.6 | 0xe72a | No error (0) | 192.229.221.95 | A (IP address) | IN (0x0001) | false | ||
| Oct 20, 2024 21:21:05.348247051 CEST | 1.1.1.1 | 192.168.2.6 | 0x5c53 | No error (0) | 199.232.214.172 | A (IP address) | IN (0x0001) | false | ||
| Oct 20, 2024 21:21:05.348247051 CEST | 1.1.1.1 | 192.168.2.6 | 0x5c53 | No error (0) | 199.232.210.172 | A (IP address) | IN (0x0001) | false | ||
| Oct 20, 2024 21:21:11.919394970 CEST | 1.1.1.1 | 192.168.2.6 | 0xd8db | No error (0) | 172.67.72.57 | A (IP address) | IN (0x0001) | false | ||
| Oct 20, 2024 21:21:11.919394970 CEST | 1.1.1.1 | 192.168.2.6 | 0xd8db | No error (0) | 104.26.1.5 | A (IP address) | IN (0x0001) | false | ||
| Oct 20, 2024 21:21:11.919394970 CEST | 1.1.1.1 | 192.168.2.6 | 0xd8db | No error (0) | 104.26.0.5 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.6 | 49721 | 172.67.72.57 | 443 | 1468 | C:\Users\user\Desktop\flX5YA1C09.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-10-20 19:21:12 UTC | 128 | OUT | |
| 2024-10-20 19:21:12 UTC | 58 | OUT |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 15:21:06 |
| Start date: | 20/10/2024 |
| Path: | C:\Users\user\Desktop\flX5YA1C09.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff791530000 |
| File size: | 506'368 bytes |
| MD5 hash: | 2AB72B91CE16DD1252E5A054AC75752E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 15:21:06 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff66e660000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 15:21:07 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff676220000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 15:21:07 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\taskkill.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff624060000 |
| File size: | 101'376 bytes |
| MD5 hash: | A599D3B2FAFBDE4C1A6D7D0F839451C7 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 5 |
| Start time: | 15:21:07 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff676220000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 6 |
| Start time: | 15:21:07 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\taskkill.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff624060000 |
| File size: | 101'376 bytes |
| MD5 hash: | A599D3B2FAFBDE4C1A6D7D0F839451C7 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 7 |
| Start time: | 15:21:07 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff676220000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 8 |
| Start time: | 15:21:07 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\taskkill.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff624060000 |
| File size: | 101'376 bytes |
| MD5 hash: | A599D3B2FAFBDE4C1A6D7D0F839451C7 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 9 |
| Start time: | 15:21:07 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff676220000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 10 |
| Start time: | 15:21:08 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\sc.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff699af0000 |
| File size: | 72'192 bytes |
| MD5 hash: | 3FB5CF71F7E7EB49790CB0E663434D80 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 11 |
| Start time: | 15:21:08 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff676220000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 12 |
| Start time: | 15:21:08 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\sc.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff699af0000 |
| File size: | 72'192 bytes |
| MD5 hash: | 3FB5CF71F7E7EB49790CB0E663434D80 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 13 |
| Start time: | 15:21:08 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff676220000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 14 |
| Start time: | 15:21:09 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff676220000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 15 |
| Start time: | 15:21:09 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\taskkill.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff624060000 |
| File size: | 101'376 bytes |
| MD5 hash: | A599D3B2FAFBDE4C1A6D7D0F839451C7 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 16 |
| Start time: | 15:21:09 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff676220000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 17 |
| Start time: | 15:21:09 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\taskkill.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff624060000 |
| File size: | 101'376 bytes |
| MD5 hash: | A599D3B2FAFBDE4C1A6D7D0F839451C7 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 18 |
| Start time: | 15:21:09 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff676220000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 19 |
| Start time: | 15:21:09 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\taskkill.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff624060000 |
| File size: | 101'376 bytes |
| MD5 hash: | A599D3B2FAFBDE4C1A6D7D0F839451C7 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 20 |
| Start time: | 15:21:10 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff676220000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 21 |
| Start time: | 15:21:10 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\sc.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff699af0000 |
| File size: | 72'192 bytes |
| MD5 hash: | 3FB5CF71F7E7EB49790CB0E663434D80 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 22 |
| Start time: | 15:21:10 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff676220000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 23 |
| Start time: | 15:21:10 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\sc.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff699af0000 |
| File size: | 72'192 bytes |
| MD5 hash: | 3FB5CF71F7E7EB49790CB0E663434D80 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 24 |
| Start time: | 15:21:10 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff676220000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 25 |
| Start time: | 15:21:14 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff676220000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 26 |
| Start time: | 15:21:14 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\taskkill.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff624060000 |
| File size: | 101'376 bytes |
| MD5 hash: | A599D3B2FAFBDE4C1A6D7D0F839451C7 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 27 |
| Start time: | 15:21:15 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff676220000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 28 |
| Start time: | 15:21:15 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\taskkill.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff624060000 |
| File size: | 101'376 bytes |
| MD5 hash: | A599D3B2FAFBDE4C1A6D7D0F839451C7 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 29 |
| Start time: | 15:21:15 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff676220000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 30 |
| Start time: | 15:21:15 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\taskkill.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff624060000 |
| File size: | 101'376 bytes |
| MD5 hash: | A599D3B2FAFBDE4C1A6D7D0F839451C7 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 31 |
| Start time: | 15:21:15 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff676220000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 32 |
| Start time: | 15:21:15 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\sc.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff699af0000 |
| File size: | 72'192 bytes |
| MD5 hash: | 3FB5CF71F7E7EB49790CB0E663434D80 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 33 |
| Start time: | 15:21:15 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff676220000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 34 |
| Start time: | 15:21:15 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\sc.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff699af0000 |
| File size: | 72'192 bytes |
| MD5 hash: | 3FB5CF71F7E7EB49790CB0E663434D80 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 35 |
| Start time: | 15:21:15 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff676220000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 38 |
| Start time: | 15:21:15 |
| Start date: | 20/10/2024 |
| Path: | C:\Windows\System32\WerFault.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff609560000 |
| File size: | 570'736 bytes |
| MD5 hash: | FD27D9F6D02763BDE32511B5DF7FF7A0 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
Function 00007FF79155F5E0 Relevance: 178.5, APIs: 31, Strings: 70, Instructions: 1702stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791569F8D Relevance: 116.1, APIs: 43, Strings: 23, Instructions: 552stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791541580 Relevance: 114.1, APIs: 51, Strings: 14, Instructions: 304processsleepfileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915589D0 Relevance: 45.7, APIs: 21, Strings: 5, Instructions: 191libraryloadernetworkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791557D10 Relevance: 38.9, APIs: 15, Strings: 7, Instructions: 357networkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915586B0 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 128librarystringloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791564AB0 Relevance: 24.1, APIs: 16, Instructions: 127networkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915569D0 Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 337COMMON
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791532AF0 Relevance: 40.7, APIs: 16, Strings: 7, Instructions: 402sleepwindowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79156B610 Relevance: 38.9, APIs: 6, Strings: 16, Instructions: 385COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79156AAA0 Relevance: 31.9, APIs: 9, Strings: 9, Instructions: 415encryptionCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791569CC0 Relevance: 30.1, APIs: 4, Strings: 13, Instructions: 348libraryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791552970 Relevance: 28.6, APIs: 6, Strings: 10, Instructions: 557COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791551900 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 153COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791557350 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 161networkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791568720 Relevance: 19.6, APIs: 13, Instructions: 128networkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791566030 Relevance: 16.7, APIs: 11, Instructions: 241sleepnetworkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791554F40 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 153COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791532890 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 121processCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791565C90 Relevance: 10.7, APIs: 7, Instructions: 242sleepnetworkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79156BCE0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 172COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791546D50 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 193COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915511E0 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 147COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791561760 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 138COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791555F20 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 113networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791547E48 Relevance: 7.8, APIs: 4, Strings: 1, Instructions: 297COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915335A0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 156windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915824D0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79154797B Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 246COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791561320 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 97COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791569AD0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 129COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791551EE0 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 106COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915628E0 Relevance: 127.2, APIs: 25, Strings: 47, Instructions: 1229stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915489E0 Relevance: 105.7, APIs: 41, Strings: 19, Instructions: 728stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79157D270 Relevance: 102.1, APIs: 45, Strings: 13, Instructions: 581COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915395AD Relevance: 78.0, APIs: 39, Strings: 5, Instructions: 978COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791579570 Relevance: 77.4, APIs: 26, Strings: 18, Instructions: 435networkfilepipeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79153AC4D Relevance: 74.4, APIs: 37, Strings: 5, Instructions: 930COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791585B20 Relevance: 72.3, APIs: 17, Strings: 24, Instructions: 549encryptionCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791574A40 Relevance: 67.0, APIs: 25, Strings: 13, Instructions: 515networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79154F130 Relevance: 52.8, APIs: 25, Strings: 5, Instructions: 254stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791586440 Relevance: 52.8, APIs: 17, Strings: 13, Instructions: 253fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791553380 Relevance: 51.2, APIs: 21, Strings: 8, Instructions: 401stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791581600 Relevance: 42.4, APIs: 21, Strings: 3, Instructions: 425COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791557680 Relevance: 38.8, APIs: 14, Strings: 8, Instructions: 317stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79153978B Relevance: 37.3, APIs: 18, Strings: 3, Instructions: 509COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915805D0 Relevance: 28.3, APIs: 11, Strings: 5, Instructions: 252fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791567D10 Relevance: 17.9, APIs: 6, Strings: 4, Instructions: 422stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791569350 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 78encryptionCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791542690 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 72stringwindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79156C620 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 223COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79157B7A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 127networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79157B54D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 125networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791590138 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791569280 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 34encryptionCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79156C270 Relevance: 6.0, APIs: 4, Instructions: 33encryptionCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79156C210 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20encryptionCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79153D2A0 Relevance: .2, Instructions: 189COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79156C260 Relevance: .0, Instructions: 3COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791569480 Relevance: 145.9, APIs: 50, Strings: 47, Instructions: 425stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791554AA0 Relevance: 52.7, APIs: 34, Strings: 1, Instructions: 215COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791570980 Relevance: 47.5, APIs: 18, Strings: 9, Instructions: 297stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791582C00 Relevance: 37.1, APIs: 10, Strings: 11, Instructions: 312networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791539938 Relevance: 35.4, APIs: 17, Strings: 3, Instructions: 423COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79157DB60 Relevance: 35.3, APIs: 14, Strings: 6, Instructions: 257stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915644D0 Relevance: 33.2, APIs: 6, Strings: 16, Instructions: 206COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791536360 Relevance: 32.0, APIs: 13, Strings: 5, Instructions: 463COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791549A70 Relevance: 31.8, APIs: 21, Instructions: 269stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79157E290 Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 214stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791579190 Relevance: 31.7, APIs: 9, Strings: 12, Instructions: 208stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79155E620 Relevance: 30.1, APIs: 7, Strings: 10, Instructions: 310stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791573A00 Relevance: 30.0, APIs: 6, Strings: 11, Instructions: 284stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791554290 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 219COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79154A3F0 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 154COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791566490 Relevance: 27.3, APIs: 1, Strings: 17, Instructions: 341COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915354C0 Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 362COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79156B230 Relevance: 26.5, APIs: 4, Strings: 11, Instructions: 241encryptionCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791561A50 Relevance: 26.5, APIs: 6, Strings: 9, Instructions: 218stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791587C51 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 165COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791581CC0 Relevance: 24.2, APIs: 14, Strings: 2, Instructions: 227COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791588A10 Relevance: 24.2, APIs: 1, Strings: 15, Instructions: 179COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791571A20 Relevance: 21.3, APIs: 5, Strings: 9, Instructions: 279COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79153A7F2 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 217COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791542550 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 88stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791584980 Relevance: 19.8, APIs: 8, Strings: 5, Instructions: 266COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791586860 Relevance: 19.7, APIs: 5, Strings: 8, Instructions: 165COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79157C5F3 Relevance: 19.5, APIs: 4, Strings: 7, Instructions: 290COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79157A8A0 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 180networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79157C250 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 179COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79155BA20 Relevance: 18.2, APIs: 2, Strings: 10, Instructions: 227COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79156DA30 Relevance: 18.2, APIs: 4, Strings: 8, Instructions: 207COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915545E0 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 280stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79155E1B0 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 178COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79158B6D0 Relevance: 16.8, APIs: 2, Strings: 9, Instructions: 279COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79156D700 Relevance: 16.7, APIs: 5, Strings: 6, Instructions: 223COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79157F241 Relevance: 16.6, APIs: 9, Strings: 2, Instructions: 140COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79154C980 Relevance: 16.6, APIs: 11, Instructions: 119stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791551CB0 Relevance: 16.4, APIs: 13, Instructions: 164stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791553B79 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915745E0 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 117COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915584F0 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 112stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79158761E Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 103COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791577800 Relevance: 15.2, APIs: 7, Strings: 3, Instructions: 168COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79158E290 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 230COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791537449 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 230COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791549205 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 206COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791562500 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 181COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791549313 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 169COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915706F0 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 135stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915763C1 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 108stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791586AEC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 94COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79157E930 Relevance: 13.7, APIs: 3, Strings: 6, Instructions: 223COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79158A550 Relevance: 13.7, APIs: 5, Strings: 4, Instructions: 211COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79158799C Relevance: 13.7, APIs: 5, Strings: 4, Instructions: 174COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791577B60 Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 111stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915765DE Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 261COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79158BC70 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 252stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79155D3C0 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 227networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791539520 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 155COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791589805 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 155COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791576C10 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 145stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79157A6F0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 113networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79158770E Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79158780D Relevance: 12.2, APIs: 2, Strings: 6, Instructions: 173COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791586CAD Relevance: 12.2, APIs: 2, Strings: 6, Instructions: 165COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791587744 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 130COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915879A4 Relevance: 12.1, APIs: 4, Strings: 4, Instructions: 110COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791575806 Relevance: 12.1, APIs: 5, Strings: 3, Instructions: 104COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915836F0 Relevance: 10.9, APIs: 5, Strings: 2, Instructions: 424stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791567950 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 165stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915491CC Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 154COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79158967A Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 154COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791549369 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 153COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791570310 Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 146COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791573450 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 146stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791573220 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 145networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791558470 Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 144COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915323C0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 134COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791580B80 Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 129COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79157CB50 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 109COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79155C3B0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 106COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791587660 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 106COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791586B21 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 99COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79158980D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 92COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791580480 Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 83COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79156E986 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 80COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791555690 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79158742C Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 126COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79158795F Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 98COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79158D8A0 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 91COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915876D5 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 88COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79156F981 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 85stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791587726 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 84COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915876F3 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 83COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791587C90 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 81COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791586B91 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 80COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915759B3 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 71COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915492F8 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 155COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915491ED Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 153COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915621F0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 134COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791532660 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 124COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79157F5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 115stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915895B8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 111COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791534360 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 109COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915406D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791576A60 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 98COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79155A560 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 92COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79155C860 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 92COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915894A9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791566A9D Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 166COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791584380 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 146COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791571A8B Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 134COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79158D630 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 129stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79155B720 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 127COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915872A3 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 125COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79156E4A0 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 118COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915871E0 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 81COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791587434 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 62COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791587D08 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 60COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791542C90 Relevance: 7.5, APIs: 1, Strings: 4, Instructions: 46stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915657E0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 206COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791572800 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 120networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791589A45 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 113COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79157BA90 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915894DE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 91COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915897BF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791555B40 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915725E0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 73networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791564180 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791544363 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915444E8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79157A4E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915871B1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79155A800 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 135COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791589BFF Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 132COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79158A880 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 105COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79158ACC0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 103COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791589B45 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 90COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79157621D Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 84COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791550290 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 70COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79155932D Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 56stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791572500 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 54stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7915619B0 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 48COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79155921A Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 24stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791559222 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 24stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791581210 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 227COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79157E7AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF79155A6D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791555510 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF791589B18 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|