Edit tour
Windows
Analysis Report
fxc.exe
Overview
General Information
| Sample name: | fxc.exe |
| Analysis ID: | 1541091 |
| MD5: | 0b1904602a90ed190066095f29a3f92a |
| SHA1: | f0a25529b0d0aabce9d72ba46aaf1c78c5b48c31 |
| SHA256: | 6e349195bdc65a1964367317ba14b905440d75398c3fbb1911c3400082d7f149 |
| Tags: | exeMDeployeruser-smica83 |
| Infos: | |
 | |
Detection
| Score: | 60 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
AV process strings found (often used to terminate AV products)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains sections with non-standard names
Uses Microsoft's Enhanced Cryptographic Provider
Classification
- System is w10x64
fxc.exe (PID: 7312 cmdline: "C:\Users\ user\Deskt op\fxc.exe " MD5: 0B1904602A90ED190066095F29A3F92A) 
WerFault.exe (PID: 7388 cmdline: C:\Windows \system32\ WerFault.e xe -u -p 7 312 -s 232 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Code function: | 0_2_00007FF7BC212410 | |
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00007FF7BC2085E0 | |
| Source: | Code function: | 0_2_00007FF7BC21EF88 | |
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 0_2_00007FF7BC1F1D30 | |
| Source: | Code function: | 0_2_00007FF7BC200230 | |
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FF7BC1F1D30 | |
| Source: | Code function: | 0_2_00007FF7BC1F12D0 | |
| Source: | Code function: | 0_2_00007FF7BC201B10 | |
| Source: | Code function: | 0_2_00007FF7BC209420 | |
| Source: | Code function: | 0_2_00007FF7BC203D40 | |
| Source: | Code function: | 0_2_00007FF7BC1F7520 | |
| Source: | Code function: | 0_2_00007FF7BC1FD590 | |
| Source: | Code function: | 0_2_00007FF7BC1F8590 | |
| Source: | Code function: | 0_2_00007FF7BC1F6D90 | |
| Source: | Code function: | 0_2_00007FF7BC226558 | |
| Source: | Code function: | 0_2_00007FF7BC21D5F4 | |
| Source: | Code function: | 0_2_00007FF7BC211E40 | |
| Source: | Code function: | 0_2_00007FF7BC2046C0 | |
| Source: | Code function: | 0_2_00007FF7BC21EF88 | |
| Source: | Code function: | 0_2_00007FF7BC200790 | |
| Source: | Code function: | 0_2_00007FF7BC2097A0 | |
| Source: | Code function: | 0_2_00007FF7BC202FE0 | |
| Source: | Code function: | 0_2_00007FF7BC215870 | |
| Source: | Code function: | 0_2_00007FF7BC211207 | |
| Source: | Code function: | 0_2_00007FF7BC1FB1F0 | |
| Source: | Code function: | 0_2_00007FF7BC210A20 | |
| Source: | Code function: | 0_2_00007FF7BC1F2B10 | |
| Source: | Code function: | 0_2_00007FF7BC1F4350 | |
| Source: | Code function: | 0_2_00007FF7BC210BD0 | |
| Source: | Code function: | 0_2_00007FF7BC203400 | |
| Source: | Code function: | 0_2_00007FF7BC212410 | |
| Source: | Code function: | 0_2_00007FF7BC2233FC | |
| Source: | Code function: | 0_2_00007FF7BC20EC90 | |
| Source: | Code function: | 0_2_00007FF7BC206C60 | |
| Source: | Code function: | ||
| Source: | Process created: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_00007FF7BC201B10 | |
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00007FF7BC215870 | |
| Source: | Static PE information: | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | API coverage: | ||
| Source: | Code function: | 0_2_00007FF7BC2085E0 | |
| Source: | Code function: | 0_2_00007FF7BC21EF88 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_00007FF7BC21E54C | |
| Source: | Code function: | 0_2_00007FF7BC215870 | |
| Source: | Code function: | 0_2_00007FF7BC221F64 | |
| Source: | Code function: | 0_2_00007FF7BC21E54C | |
| Source: | Code function: | 0_2_00007FF7BC218F70 | |
| Source: | Code function: | 0_2_00007FF7BC219118 | |
| Source: | Code function: | 0_2_00007FF7BC226ADC | |
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FF7BC2263A0 | |
| Source: | Code function: | 0_2_00007FF7BC212410 | |
| Source: | Code function: | 0_2_00007FF7BC218E4C | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 2 Process Injection | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 31 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 2 Process Injection | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 12 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 53% | ReversingLabs | Win64.Trojan.Generic | ||
| 100% | Avira | TR/AVI.Agent.robcr |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe |
⊘No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown |
⊘No contacted IP infos
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1541091 |
| Start date and time: | 2024-10-24 12:06:05 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 4m 16s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 9 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | fxc.exe |
| Detection: | MAL |
| Classification: | mal60.winEXE@3/7@0/0 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.42.73.29
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- VT rate limit hit for: fxc.exe
| Time | Type | Description |
|---|---|---|
| 06:07:12 | API Interceptor |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_fxc.exe_d5c59118b01e5ac2e9fe2cdeb3cf1adce977e24e_6f60c9ae_8b4724b5-c86e-4711-b290-a9b5b2b0ec6d\Report.wer 
Download File
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.6728573216818682 |
| Encrypted: | false |
| SSDEEP: | 96:6sFb+Ix67sYhqFy7qA8SKQXIDcQTc65cE1cw3u+HbHg/KHnOgrZAX/d5FMT2SlPB:z5x678/U0N9/Dj+zuiF/Z24lO8ID |
| MD5: | 3691DBE0C0CCD7C21D1906B1B48F6608 |
| SHA1: | 6AE458A3EB2C13F909F3838734A189E8E7A83711 |
| SHA-256: | 4AE7D1474B59ABCDCA2CDECC26C57B90B9742B706C6D95277B893FC2C0351A8E |
| SHA-512: | 36B0C7FFC3E71AA1638B68A310A941CB452AB53388B818981BF9A1D22E2324EF1E521C1DDF668995E8250F1E174C4B77013896A564D4FC9B69E3DA8276F51AC9 |
| Malicious: | true |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 45042 |
| Entropy (8bit): | 1.405447527681338 |
| Encrypted: | false |
| SSDEEP: | 96:5w8EH/X74RvrEXi7V1Ii6l1lsUzTBiBgNBhuOWIqsIGKKAeT:REDOV1IhuUzUijXL |
| MD5: | 675533C5A57EE551BA29EFD019E4B910 |
| SHA1: | F22AB31832151DE70D41C9264595929A2426871F |
| SHA-256: | 559F5095C2EC35E87C0676A6109C136D08764FEAC2103F265F2AED9D739C9A57 |
| SHA-512: | A173BEBBA6783FBF0473EA3EE6981D66F0BAD9599B0E2E6513825CA8B70924546973FA43DE4D8234852C8BDD126701AA62DDE27C6854488B87A8753C5779F68C |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8548 |
| Entropy (8bit): | 3.6882233133926294 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJTfwr8V6Y9RdLZIgmfDopDa89b8Dkf+0m:R6lXJLwr8V6YbPIgmfDW8gfk |
| MD5: | F5AE93F79CE827BEB61C8E994328D5E6 |
| SHA1: | 42A5AAC3A912BCAF36D6DF19CC771790BA5F25CB |
| SHA-256: | 0E33EE03DAAC5F2EA81A0F56897B66615E4887B788A769CAA004D86EF6EC8258 |
| SHA-512: | 27C397DA9F17ECEEB70F1CE9B66CE17FBB91C276D371FF347931515E935700F4B3EC161C0F35335E9449C16EB6E02EBABCDF61CF90953E183497B34E06190C9F |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4707 |
| Entropy (8bit): | 4.412733950254919 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsFJg771I9HyzJWpW8VY6Ym8M4JNXVgFJ8yq8vfXVpuQreTd:uIjffI79s7VaJ28WvuoGd |
| MD5: | 561D5A71770CB8AFF8689E0E23AF95C9 |
| SHA1: | A647710A9981C58D1BCDB90D90D4B623E6083E73 |
| SHA-256: | 81CC975015FF88FF1E7E4EBD13B3BA84660EBFBAC760BB0E9C2BF7AE5990F19A |
| SHA-512: | 853E04B7500445077BB4FDD8D09EAD56841A27B390244DD6E2D64FF566F808E64E84F13E9BD261961380B5EEF5A7FE75F0851348661C4EBE8E3B525F81748904 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1835008 |
| Entropy (8bit): | 4.465446814406059 |
| Encrypted: | false |
| SSDEEP: | 6144:gIXfpi67eLPU9skLmb0b4eWSPKaJG8nAgejZMMhA2gX4WABl0uNMdwBCswSbkn:lXD94eWlLZMM6YFHq+kn |
| MD5: | E2FC2FECDC61BD1707A31530694208C9 |
| SHA1: | C6415863386027A0ACE5552FB147731897E82B7B |
| SHA-256: | F4E04A62E0F77566C5DC0D8E34BE43CD9BB57AC2181F7905E17BD7E37F147E6F |
| SHA-512: | CC8364C8E000031CDAAFD784AAF47EC8875ECE8F266B078BFB1F5CD83ED900B34D7C94FEEBD17872EBB9AE595ED45FE5D6160FA8FE8FB4CDD66DA2F455105B76 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\fxc.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 13 |
| Entropy (8bit): | 3.238901256602631 |
| Encrypted: | false |
| SSDEEP: | 3:5bn:5b |
| MD5: | B8E0C5361ACE0B62719F10962426B704 |
| SHA1: | 9386FD982496B811D4FEAEB51631AC9C08E97F76 |
| SHA-256: | 954297FEA35BC7CCC2C8E474E61EE24ED7248C625804B9FF8768EA15554C2773 |
| SHA-512: | 41DC778B14295F97A435DD6BF142D1DFD63A5A17B7D519B9E92CFB9C4BBFCB50B0FFAAF6121E604FE996CA4CF0FE62FD8825EAFD222A10E2BE25D0DCDE6509B8 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\fxc.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4 |
| Entropy (8bit): | 2.0 |
| Encrypted: | false |
| SSDEEP: | 3:H:H |
| MD5: | EF399B2D446BB37B7C32AD2CC1B6045B |
| SHA1: | 1B480158E1F30E0B6CEE7813E9ECF094BD6B3745 |
| SHA-256: | 6C45CB72A36E63D522AA54ED8ADBD7A29A989474F2F77E0458AF8800564EF3CB |
| SHA-512: | BF9C0733CA09AE29BAE7EFBFF03B69E87A5489CE610F19DA806F795847563F6055964E5AEC1771293067662402C8613BEB0F498E77E20820587E133B16F73CF5 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.299817634972105 |
| TrID: |
|
| File name: | fxc.exe |
| File size: | 324'608 bytes |
| MD5: | 0b1904602a90ed190066095f29a3f92a |
| SHA1: | f0a25529b0d0aabce9d72ba46aaf1c78c5b48c31 |
| SHA256: | 6e349195bdc65a1964367317ba14b905440d75398c3fbb1911c3400082d7f149 |
| SHA512: | d18058b6b1a045d8544db79940ca5500843a71d3541c012b01d0a70648d0b210113b1715b608c3866d61f41db521109b7084a109a279dc306aed4544ffd17b54 |
| SSDEEP: | 6144:6BrFsAPhVdTPrOi4OU4Ym0D+slljJbJ3pvTVFIh:6BrFBEF3mEBvr |
| TLSH: | 99645D15FB9618FDD5ABC074C6468A72B933B8860B21BDEF12A441353F276E46E3DB10 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E..0...c...c...cJ..b...cJ..b...cJ..b...c...b(..c...b...c...b...c...c...c...c...c9k.b...cRich...c................PE..d......f... |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x140028b50 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x140000000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x669FA2B4 [Tue Jul 23 12:31:48 2024 UTC] |
| TLS Callbacks: | 0x4000e530, 0x1 |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | e56ef045fa5f5c9fae11e44b0b3dd79a |
| Instruction |
|---|
| dec eax |
| sub esp, 28h |
| call 00007F74C4B9CDC8h |
| dec eax |
| add esp, 28h |
| jmp 00007F74C4B9C947h |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| nop word ptr [eax+eax+00000000h] |
| dec eax |
| sub esp, 10h |
| dec esp |
| mov dword ptr [esp], edx |
| dec esp |
| mov dword ptr [esp+08h], ebx |
| dec ebp |
| xor ebx, ebx |
| dec esp |
| lea edx, dword ptr [esp+18h] |
| dec esp |
| sub edx, eax |
| dec ebp |
| cmovb edx, ebx |
| dec esp |
| mov ebx, dword ptr [00000010h] |
| dec ebp |
| cmp edx, ebx |
| jnc 00007F74C4B9CAE8h |
| inc cx |
| and edx, 8D4DF000h |
| wait |
| add al, dh |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4bb04 | 0x64 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x4f000 | 0x24cc | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x53000 | 0x9c8 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x46a90 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x46b00 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x46950 | 0x140 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x39000 | 0x3d8 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x37720 | 0x37800 | a02ec713fbe9974812e412b84ffebaad | False | 0.5355917440878378 | data | 6.3992226630856495 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x39000 | 0x1389a | 0x13a00 | 13b8deb7020ad1349aeef6eb5d67cc1f | False | 0.39951980493630573 | data | 5.309728177527535 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x4d000 | 0x1dd8 | 0xc00 | 217dde2fe845fd603a329ab7852c64e6 | False | 0.14485677083333334 | data | 2.0102799590686815 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .pdata | 0x4f000 | 0x24cc | 0x2600 | ab62c9ecd85cc5c7443fed8a745a001f | False | 0.4862253289473684 | data | 5.453329444307597 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| _RDATA | 0x52000 | 0x15c | 0x200 | 5556100c66644b92472d605a319cfb77 | False | 0.40625 | data | 3.2977765662674985 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x53000 | 0x9c8 | 0xa00 | 8233352803a1d795b1a18ffe13667efb | False | 0.5890625 | data | 5.39691148505322 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| DLL | Import |
|---|---|
| kernel32.dll | CreateWaitableTimerExW, SetWaitableTimer, WaitForSingleObject, CloseHandle, Sleep, GetExitCodeProcess, HeapReAlloc, GetModuleHandleA, GetProcAddress, GetCurrentThread, TryAcquireSRWLockExclusive, ReleaseSRWLockExclusive, GetStdHandle, GetConsoleMode, SetFilePointerEx, MultiByteToWideChar, WriteConsoleW, SetLastError, GetModuleHandleW, FormatMessageW, GetCurrentProcess, GetEnvironmentVariableW, CreateFileW, SetFileInformationByHandle, GetFullPathNameW, GetFileInformationByHandle, GetFileInformationByHandleEx, FindFirstFileW, FindClose, GetEnvironmentStringsW, HeapFree, CompareStringOrdinal, GetModuleFileNameW, GetSystemDirectoryW, AcquireSRWLockExclusive, GetWindowsDirectoryW, CreateProcessW, GetFileAttributesW, DuplicateHandle, CreateThread, InitializeProcThreadAttributeList, UpdateProcThreadAttribute, DeleteProcThreadAttributeList, GetLastError, GetCurrentProcessId, CreateNamedPipeW, ReadFileEx, SleepEx, WriteFileEx, SetThreadStackGuarantee, TerminateProcess, GetProcessHeap, HeapAlloc, GetCurrentDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, CreateMutexA, WaitForSingleObjectEx, LoadLibraryA, ReleaseMutex, RtlVirtualUnwind, AcquireSRWLockShared, ReleaseSRWLockShared, DeleteFileW, GetConsoleOutputCP, FreeEnvironmentStringsW, AddVectoredExceptionHandler, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, RtlUnwindEx, EncodePointer, RaiseException, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RtlPcToFileHeader, WriteFile, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, WideCharToMultiByte, SetEnvironmentVariableW, SetStdHandle, GetFileType, GetStringTypeW, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW, HeapSize, FlushFileBuffers |
| ntdll.dll | RtlNtStatusToDosError, NtReadFile, NtWriteFile |
| bcrypt.dll | BCryptGenRandom |
| advapi32.dll | SystemFunction036 |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 06:06:56 |
| Start date: | 24/10/2024 |
| Path: | C:\Users\user\Desktop\fxc.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7bc1f0000 |
| File size: | 324'608 bytes |
| MD5 hash: | 0B1904602A90ED190066095F29A3F92A |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 06:06:57 |
| Start date: | 24/10/2024 |
| Path: | C:\Windows\System32\WerFault.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6e4b30000 |
| File size: | 570'736 bytes |
| MD5 hash: | FD27D9F6D02763BDE32511B5DF7FF7A0 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 2.1% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 64.3% |
| Total number of Nodes: | 759 |
| Total number of Limit Nodes: | 10 |
Graph
Function 00007FF7BC209420 Relevance: 144.4, APIs: 76, Strings: 5, Instructions: 2623memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC1F12D0 Relevance: 72.3, APIs: 35, Strings: 6, Instructions: 595memorysynchronizationtimeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC1F1D30 Relevance: 53.2, APIs: 28, Strings: 2, Instructions: 663memoryfilenativeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC2085E0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 191filememoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC201B10 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 378windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC200230 Relevance: 4.6, APIs: 3, Instructions: 66filenativesynchronizationCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC206A00 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 173memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC1F2920 Relevance: 13.6, APIs: 7, Strings: 2, Instructions: 139memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC1F1010 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 128threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC2187E0 Relevance: 6.1, APIs: 4, Instructions: 54memoryfileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC201611 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 80memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC1FE830 Relevance: 4.5, APIs: 3, Instructions: 38threadmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC1F3B90 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 120memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC215870 Relevance: 51.2, APIs: 23, Strings: 6, Instructions: 481libraryloadermemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC2046C0 Relevance: 33.9, APIs: 9, Strings: 10, Instructions: 676libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC1F2B10 Relevance: 27.5, APIs: 16, Strings: 2, Instructions: 509memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC211207 Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 358memorythreadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC206C60 Relevance: 19.7, APIs: 9, Strings: 2, Instructions: 453COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC212410 Relevance: 18.5, APIs: 12, Instructions: 504memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC211E40 Relevance: 13.8, APIs: 9, Instructions: 264memorythreadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC21E54C Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC20EC90 Relevance: 8.5, APIs: 3, Strings: 2, Instructions: 967memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC218E4C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC226558 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC203D40 Relevance: .3, Instructions: 342COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC1F4350 Relevance: .3, Instructions: 321COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC1FB1F0 Relevance: .2, Instructions: 192COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC2263A0 Relevance: .0, Instructions: 32COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC219118 Relevance: .0, Instructions: 2COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC1F3340 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 257memorysynchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC200340 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 202COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC221944 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 117libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC217A60 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 387COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC21AE98 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC217C68 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 142memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC2130F0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 91memorythreadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC1FFED0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 216COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC21C13C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC21E134 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC225E64 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC1FE4D0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 25libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC21E2AC Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC21A4C8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC1FF990 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC1FF2D0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 64libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC21D2C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC2261B4 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC21E374 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC215780 Relevance: 7.5, APIs: 5, Instructions: 42synchronizationCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC21B370 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC21B6CC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC1FF200 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 50libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC1FF650 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC2010D0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC21FFB4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC21CAD0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC217CD8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 104COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC217CE0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 104COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC224550 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00007FF7BC21C5E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|