Edit tour
Windows
Analysis Report
QualityUpdateAssistant.dll
Overview
General Information
| Sample name: | QualityUpdateAssistant.dll |
| Analysis ID: | 1432032 |
| MD5: | 873fca43ec90d167a4244c9867989030 |
| SHA1: | ab368df3c3e152c4efcb2ffc09c4870743d360f3 |
| SHA256: | a07d18fed2517e314e001a98b0d3342f27951338e78096a61c3a5a3eb32e3397 |
| Infos: | |
 | |
Detection
| Score: | 11 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 0% |
Signatures
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Classification
Analysis Advice
| Sample may be VM or Sandbox-aware, try analysis on a native machine |
| Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior |
| Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--") |
| Sample crashes during execution, try analyze it on another analysis machine |
| Sample searches for specific file, try point organization specific fake files to the analysis machine |
- System is w10x64
loaddll64.exe (PID: 6456 cmdline: loaddll64. exe "C:\Us ers\user\D esktop\Qua lityUpdate Assistant. dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52) 
conhost.exe (PID: 6180 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 1600 cmdline:
cmd.exe /C rundll32. exe "C:\Us ers\user\D esktop\Qua lityUpdate Assistant. dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) 
rundll32.exe (PID: 7160 cmdline: rundll32.e xe "C:\Use rs\user\De sktop\Qual ityUpdateA ssistant.d ll",#1 MD5: EF3179D498793BF4234F708D3BE28633) 
WerFault.exe (PID: 1560 cmdline: C:\Windows \system32\ WerFault.e xe -u -p 7 160 -s 516 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0) - rundll32.exe (PID: 3876 cmdline:
rundll32.e xe C:\User s\user\Des ktop\Quali tyUpdateAs sistant.dl l,Execute MD5: EF3179D498793BF4234F708D3BE28633) - WerFault.exe (PID: 3452 cmdline:
C:\Windows \system32\ WerFault.e xe -u -p 3 876 -s 516 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0) - rundll32.exe (PID: 6548 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\Qual ityUpdateA ssistant.d ll",Execut e MD5: EF3179D498793BF4234F708D3BE28633) - WerFault.exe (PID: 2436 cmdline:
C:\Windows \system32\ WerFault.e xe -u -p 6 548 -s 508 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0) - WerFault.exe (PID: 5512 cmdline:
C:\Windows \system32\ WerFault.e xe -u -p 6 456 -s 488 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
There are no malicious signatures, click here to show all signatures.
| Source: | Code function: | 3_2_00007FF8B90D34B0 | |
| Source: | Code function: | 3_2_00007FF8B90CE310 | |
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 3_2_00007FF8B90C5128 | |
| Source: | Code function: | 3_2_00007FF8B90B16E8 | |
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Code function: | 3_2_00007FF8B90CE0C0 | |
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 3_2_00007FF8B90C16D4 | |
| Source: | Code function: | 3_2_00007FF8B90C1514 | |
| Source: | File created: | Jump to behavior | ||
| Source: | Code function: | 3_2_00007FF8B90A4D2C | |
| Source: | Code function: | 3_2_00007FF8B90AF744 | |
| Source: | Code function: | 3_2_00007FF8B90A5A6C | |
| Source: | Code function: | 3_2_00007FF8B90B9AF0 | |
| Source: | Code function: | 3_2_00007FF8B90B7AE4 | |
| Source: | Code function: | 3_2_00007FF8B90D398C | |
| Source: | Code function: | 3_2_00007FF8B90C99C4 | |
| Source: | Code function: | 3_2_00007FF8B90ABC04 | |
| Source: | Code function: | 3_2_00007FF8B90C6C7B | |
| Source: | Code function: | 3_2_00007FF8B90BEE54 | |
| Source: | Code function: | 3_2_00007FF8B90ADEB4 | |
| Source: | Code function: | 3_2_00007FF8B90ACD10 | |
| Source: | Code function: | 3_2_00007FF8B90C607B | |
| Source: | Code function: | 3_2_00007FF8B90B329F | |
| Source: | Code function: | 3_2_00007FF8B90D4110 | |
| Source: | Code function: | 3_2_00007FF8B90AD450 | |
| Source: | Code function: | 3_2_00007FF8B90D34B0 | |
| Source: | Code function: | 3_2_00007FF8B90C731B | |
| Source: | Code function: | 3_2_00007FF8B90B53A8 | |
| Source: | Code function: | 3_2_00007FF8B90AA3D9 | |
| Source: | Code function: | 3_2_00007FF8B90C9664 | |
| Source: | Code function: | 3_2_00007FF8B90B16E8 | |
| Source: | Code function: | 3_2_00007FF8B90B3878 | |
| Source: | Code function: | 3_2_00007FF8B90A9749 | |
| Source: | Process created: | ||
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 3_2_00007FF8B90C5370 | |
| Source: | Code function: | 3_2_00007FF8B90C5950 | |
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Window detected: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 3_2_00007FF8B90B3878 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 3_2_00007FF8B90C881B | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | API coverage: | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Last function: | ||
| Source: | Code function: | 3_2_00007FF8B90B69E8 | |
| Source: | Code function: | 3_2_00007FF8B90C5128 | |
| Source: | Code function: | 3_2_00007FF8B90B16E8 | |
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Code function: | 3_2_00007FF8B90A657C | |
| Source: | Code function: | 3_2_00007FF8B90B3878 | |
| Source: | Code function: | 3_2_00007FF8B90A4D2C | |
| Source: | Code function: | 3_2_00007FF8B90DAFDC | |
| Source: | Code function: | 3_2_00007FF8B90DA6A4 | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 3_2_00007FF8B90C4AD0 | |
| Source: | Code function: | 3_2_00007FF8B90D6C88 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 11 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 22 Virtualization/Sandbox Evasion | LSASS Memory | 41 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 22 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 4 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Rundll32 | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Timestomp | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | ReversingLabs | |||
| 0% | Virustotal | Browse |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high |
⊘No contacted IP infos
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1432032 |
| Start date and time: | 2024-04-26 10:21:56 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 4m 57s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 20 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | QualityUpdateAssistant.dll |
| Detection: | CLEAN |
| Classification: | clean11.evad.winDLL@14/19@0/0 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 104.208.16.94
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
- Not all processes where analyzed, report is missing behavior information
| Time | Type | Description |
|---|---|---|
| 10:22:43 | API Interceptor | |
| 10:22:54 | API Interceptor |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll64.exe_f1e2a93da88b32cda8c0398fc0f16d5f7ea571e1_606702e6_15d5ab69-9905-49c3-8179-a8d144bd5245\Report.wer
Download File
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.83652996845335 |
| Encrypted: | false |
| SSDEEP: | 96:8N8NX8ap6EsthNGTgF6faQXIDcQ2c6hFcECcw3v62v+HbHg/5P9usmdKaRFYAKto:8y866ERN0I3osjGzrzuiFuZ24lO81 |
| MD5: | F6959C5F2692AB43EBF300898C1D61D9 |
| SHA1: | 7EA6E6C168EC7D4134D7A39AACCD499A2F6CBC9C |
| SHA-256: | 059D15AA4730BB57917087E2D1EECFAF54A881C976622693DD1790C378E6A156 |
| SHA-512: | A15630CB3AC8F65B48C98FD5615D184E3949BBCEE2886A9D084A7F386BBCA32A4BD34336AC950154DD8D19616BA3F5AEB0EDF75F9FB62EE38766A8A7688849D3 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_Qua_69d6fdc2216b7557c151bb744884d1a78ca7bd0_cb9a354e_aa478cdb-a592-4df8-bd48-f5f1f889ca29\Report.wer
Download File
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.8924917592651292 |
| Encrypted: | false |
| SSDEEP: | 192:z6YWzikyICwf0YpYVfhj5/XzuiFuZ24lO8zbM:W9iJIuYpYthjxzuiFuY4lO8v |
| MD5: | 3E206F36A4F3DA5AA620386C02F27621 |
| SHA1: | 3ADC7080E26009662592E6660DD362096D486063 |
| SHA-256: | 06AFC1DDE1B7AB88576566F24CFC8B77F501E0F1D24D4AF44C6F1B56B4FC602B |
| SHA-512: | 2FA18F699133D063F8E459A86800D5F3C5EB998FA58E326EADDA8A559BFED7244563BBF7C9C21C13CE0CDF42E64D0FEB7262E72A0618AC7191CF01B41C7ECF88 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_Qua_69d6fdc2216b7557c151bb744884d1a78ca7bd0_cb9a354e_cbaa4629-6e7a-4c66-8044-c5a78e9f22e9\Report.wer
Download File
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.8891279788192098 |
| Encrypted: | false |
| SSDEEP: | 192:g0qziRyeCwf0YpYVfhj5fXzuiFuZ24lO8zbM:DMiUeuYpYthjxzuiFuY4lO8v |
| MD5: | 808875342C2A98BE3A3D9D573F0ECC1C |
| SHA1: | E302D4829ED31B342EA1E3D455482C551C5AC56B |
| SHA-256: | 6BA3814B09804A8F32E565BFEBCFF02100F93783D75EFFD119CB32F6560D783B |
| SHA-512: | 7A832AC8D083E028F1D134938F8613368D16E512AE8B62018D614E1A1C131DDA32EA410458A7F9F17B8E4D1A13958AFFAC0B601EEEB12CCF8391B3D86F2E4E08 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_Qua_69d6fdc2216b7557c151bb744884d1a78ca7bd0_cb9a354e_ef734fa1-f744-4e89-a5e4-a6e6eee6643c\Report.wer
Download File
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.8921681460927494 |
| Encrypted: | false |
| SSDEEP: | 192:KLziUyPCwf0YpYVfhj5fXzuiFuZ24lO8zbMB:CiZPuYpYthjRzuiFuY4lO8vi |
| MD5: | CF2A8363A1CC5B3195C13DC88A79E274 |
| SHA1: | D639B5F856734353CC090F60A49D8CB97C81ED01 |
| SHA-256: | A928546B4AE2AAA9AF95DE7540699720393E355809BD773E84C013BE9489BFB8 |
| SHA-512: | 43EA24C775815696DB5D769B41A2F70CB108390FAFEB9615D6AF8CA8957991C3552F6ED0D03F0914F49836B2B3A8B77D6848BA703A3AF19B617396FCF4F63EFC |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 62674 |
| Entropy (8bit): | 1.8797619422280836 |
| Encrypted: | false |
| SSDEEP: | 192:iq674OM9ZyXQXNoVOQd+h+3KKXKxxv9wTbp+eQkLnIyz:6LOyXHO1saFxxvQFQkLdz |
| MD5: | E2E53D52C9E0C9ABAC854F9DBB89ECCF |
| SHA1: | 1FB374107F20C4FD1774328DB106134229C93253 |
| SHA-256: | B1A53D09D84688D3CBA657583F0E5F65B247FC42E85B23846B107AC4E20858B0 |
| SHA-512: | 73FDDFB4FBDC3CC70E83D21EAC99EBF9406C9174CA8B7DC45DAA6A7E77E900ACA2477023AF4EBC63F811C6D681AB9576841CC1EE8D5E278A2B8955B6BE6CCF4C |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 61462 |
| Entropy (8bit): | 1.8809869877234071 |
| Encrypted: | false |
| SSDEEP: | 192:icE7hOM9pBz91rxqBjmh+3KKXYReTp+/6Und8BU:qgur1FEjmsa8Y6UneBU |
| MD5: | A6F45F2A3652368E8E03524AC36A3399 |
| SHA1: | 3DCAD23343257801EA549D149F9B05C242D36A51 |
| SHA-256: | 98BE69D51B892D76CEED65BE6176DEBB7E2A4510EBE3AF2DF8CEEC971A2D5BD9 |
| SHA-512: | F22022AEF0785166EEA8DB7D4C390D7214D97669B57850C16E0ECADB0F7EF4A817A0E3E74CDBA21602FC2AE0BA73287CF6F637ECED12B08AFB37EA329CF8ED0D |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8834 |
| Entropy (8bit): | 3.698605704212644 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJFY56YEBRwd13gmfcdm7DmfMprr89bD6zffBm:R6lXJ656YSmd13gmfkADOlDmf0 |
| MD5: | 27415E18356B524FE3A4F68035FBCFF9 |
| SHA1: | D04BF0F459D47A460D9EFDEAE473B888289D8C32 |
| SHA-256: | 0146BE862CAAD84CB162BCF74888CF9368B1EEB148AD23ED5D4EF60601834E37 |
| SHA-512: | 18B5E72FEA94F49079928906D0DD3BE64E47C40D74EDF2508BAFFA4E67E04C54DABA0F94589ABFA5772A8DA631FDA9B61329F816827949DFF60951E58D5BDE36 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 9022 |
| Entropy (8bit): | 3.7047736490230125 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJ3xmwe6Y4ZZgmfcdm7DmfMpr189bDvkf0vBm:R6lXJBw6Y2ZgmfkADOLDMfN |
| MD5: | 6D11AC24387229F673531763F8E545E1 |
| SHA1: | 32F40F4DFB770AC2C70DD3E9EAE619B0393D46D1 |
| SHA-256: | 0768F0E7023ACEBE72817CBDA40703C9A48666CF860124198C52894A38581A4A |
| SHA-512: | 99D19209B37A54407D7C2598AE7ECA43639EA56A307E4A959DFD2D91A7A3635BCF92C8F86BD8177F793ECEDADBB4A672452BD3122D0753C90B7AA5D53187D79C |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4830 |
| Entropy (8bit): | 4.512628709491895 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsYJg771I9cnWpW8VYCYm8M4JCkqCkIfaFCHvNyq85mk4o0ptSTS+d:uIjfeI7TW7VWJxkMxH1e45poO+d |
| MD5: | 62710D05C003D6C256FB348F47D78FCD |
| SHA1: | 2CA3D05FBFC1F2085783FE1DC4D3779578A05F16 |
| SHA-256: | 4A1F3E6329677C8D40964CDEB08437698F19ACD0A6AC321EAA0F0DB36E87FE09 |
| SHA-512: | 9793930C070350BB3FC007DD7D7E618E101FAEC9387548C6EB3D06F908D7932B7E53386BBD66D806DC81DB4012C567293CE669902F4BCF827F0B37D380BC9969 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4830 |
| Entropy (8bit): | 4.516271388733592 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsYJg771I9cnWpW8VYiYm8M4JCkqCkIfaFbuyq85mk4ooptSTShDd:uIjfeI7TW7VmJxkMZe4RpoOhDd |
| MD5: | EBC8D2AE6040C00F35881E366EDFE0CF |
| SHA1: | FD58E21F68B7A6E2D68E3265A9E9E9489866F3E2 |
| SHA-256: | 564B9D46DCD10DADFE297001F02EEE830F211424E9B98713D98DCED94F9537D4 |
| SHA-512: | 89EEB74771AECA4AB43815CE25908480F4ECA7ED99F604A06FAA7BB84027637EB355BED38DAD1ABA0EBD8EFB4662F596766AEBECAB00DEB02EB1F54144F990EF |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 61550 |
| Entropy (8bit): | 1.897614889905113 |
| Encrypted: | false |
| SSDEEP: | 192:fsDfmQFfOM9RCg6PeThbMoT+lL6bOImkyh+3KKXLzGHiSrev:UD+mWmCgZB4HZkysaUz6iz |
| MD5: | 07D2642E6FF8F3611705AE811994AAD7 |
| SHA1: | 8EAB855EB7F5FCDB45C4C10E542B1403D0EB396D |
| SHA-256: | 7A3603735B993B148409C250C82B6E72993CA36E86592AD55E4926A3A862EE7C |
| SHA-512: | E0F462901826FB5BD4482CD3E2C026E21816195B53AE9D61F3A07539694CB1D00AD3E46F8DCF06ED6087B3ACA65AA6A3C9950C844F45CC4126606B1DDF17F583 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 62810 |
| Entropy (8bit): | 1.8207146279836193 |
| Encrypted: | false |
| SSDEEP: | 384:m3iyBlr7F8my/5bzdg8PpBxPOtTpnliAr:p8zGFtMr |
| MD5: | 05726D53D4298A108ED9125DF69D06FF |
| SHA1: | 2B0742296AF48D56EB891041E6A11A239141EE29 |
| SHA-256: | B078FC16DB2172B2918A1DD65637D7913BB20979A70B77AB7113A0FFE0E05480 |
| SHA-512: | 75DBB4874EE5F99702C4B59DED969247F5FC1ED524849A4CA19FBC55F0EDF2AE4EA5586E4914CCD2675CA873C38D688AD95D46CD5B757153EED426F16E7364FC |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8594 |
| Entropy (8bit): | 3.6946609876491543 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJazO6Y41ngmfcdm7DmfMprM89be7mfnKm:R6lXJeO6YyngmfkADOwe6f7 |
| MD5: | 189375AA2DDC8C4896C23DF60194D97A |
| SHA1: | 7F2A3F5DF28CC58812D196E18D6F90B3DF0C635D |
| SHA-256: | E4EF327AC82F7023956E3CBAF3F434EB2B3A39EF6A919C67D3C94006951D7D5E |
| SHA-512: | 44F0D214501813CC306B5E80F57AF8620FBD0B788102ECE9BE2A63AA4641C59C143C9B2C0E1731CBEB2414EBFF31270AB572A1457500962EF0AF9B51A3EA8E51 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8776 |
| Entropy (8bit): | 3.7024859152574585 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJoIv6YEIre2dgmfT752pB789berIcBfJKm:R6lXJPv6YEke2dgmfX5lerIqf1 |
| MD5: | 0337BE897B54971DB55FC1A12273364D |
| SHA1: | FE098F67D6202AF8F5405F0BBD8FAA0E41F7510D |
| SHA-256: | 3897F547AC5C39CB0C45A60EB2EC3C05E719BBF1FF9A93072E2DAEB244BCF533 |
| SHA-512: | AA1C94D2A0C25A6BFD555CA90B3403E8A744916CCEDFE9A248795D2AC8CC10DCC4A5D48659608030BEF96465BBDDCF0328B731BF8C49436344972B8EB90B3620 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4829 |
| Entropy (8bit): | 4.509959601160068 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsYJg771I9cnWpW8VYzYm8M4JCkqCkIfaFIyq85mk4o/ptSTStd:uIjfeI7TW7VzJxkMje4GpoOtd |
| MD5: | 74DF1D13B7E1DBFB0F327F9951BEC3F1 |
| SHA1: | 83E44DD32FB6B3A81F4634957BA35543EACC5024 |
| SHA-256: | 0F87981B37EAACBB613F1AD71CFEA56E05974C5ED25C901675CBC944DBC7BCDA |
| SHA-512: | CF679B8C0B074E6D35381806205D0281E51CF1A7D166137EE9F4D6D6A52755086465893E898DDF931E5AAB770F34127F00CBFDFB5024823F9DE52229C87D9C5C |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4672 |
| Entropy (8bit): | 4.458275850105816 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsYJg771I9cnWpW8VYKYm8M4J8fAFUtyq85GoPFV1xYd:uIjfeI7TW7VSJQVtLeF7xYd |
| MD5: | 1073AA976B78389ECB8F9F68802C060D |
| SHA1: | 39935188C206BD9391F4B46534887619DD2CD38F |
| SHA-256: | 25456D2AF292455679EED4EE63EFD61212B53982696F9D5CDF2E7DA88CE86EE7 |
| SHA-512: | E52AD1DABC8B36EBF772749F5191C4BD8E958688B8D2CCAA0192F13E8399DF2E44BD737CD591768F54F1D79F941C36E0601574800A323119FCED919FCEC6A4EA |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\rundll32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.10531786303762895 |
| Encrypted: | false |
| SSDEEP: | 12:T42/q2xX/7EzzRipqrGNYDy+f+MMkNYDv:TNNdpuGae+fvaT |
| MD5: | 2E0F077C114CAEED131B4DC872A6343D |
| SHA1: | 4189E756046B0A6F1A9F2F016899760A7615C79A |
| SHA-256: | 6F512F407262462DB4D133491BA2962E7F180208907EEF03819EB7FA10253A40 |
| SHA-512: | DF0D9CE4AB29CAF92FAD524FA147FAEB3F405221C3B7DFD9C8DE30BED1C9EA1D75F71801AFC8CDB6E5F14215DB61950FFABE21255F1E755B3B18D1BB848AB962 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1835008 |
| Entropy (8bit): | 4.42511024578488 |
| Encrypted: | false |
| SSDEEP: | 6144:5Svfpi6ceLP/9skLmb0OTvWSPHaJG8nAgeMZMMhA2fX4WABlEnNK0uhiTw:wvloTvW+EZMM6DFyU03w |
| MD5: | 1211E301203ABCDB55337D0C0248577A |
| SHA1: | 22CDFB0F2A46088EB33317CC68A97812463186A4 |
| SHA-256: | 99F80F7BB9CF68393D7CF89048B7F89AD2C3AA62BFD872522D5D7581521B4036 |
| SHA-512: | F549470D42A2EFEF808BF3D1F2E79D54AAC64879F62EA2DB64DC196C664697D92DE585D6F152F3D31AB4AD22E087A3559A1700763DE4ADCF1D93BD955A837122 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\rundll32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.10531786303762895 |
| Encrypted: | false |
| SSDEEP: | 12:T42/q2xX/7EzzRipqrGNYDy+f+MMkNYDv:TNNdpuGae+fvaT |
| MD5: | 2E0F077C114CAEED131B4DC872A6343D |
| SHA1: | 4189E756046B0A6F1A9F2F016899760A7615C79A |
| SHA-256: | 6F512F407262462DB4D133491BA2962E7F180208907EEF03819EB7FA10253A40 |
| SHA-512: | DF0D9CE4AB29CAF92FAD524FA147FAEB3F405221C3B7DFD9C8DE30BED1C9EA1D75F71801AFC8CDB6E5F14215DB61950FFABE21255F1E755B3B18D1BB848AB962 |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.028559145439662 |
| TrID: |
|
| File name: | QualityUpdateAssistant.dll |
| File size: | 509'408 bytes |
| MD5: | 873fca43ec90d167a4244c9867989030 |
| SHA1: | ab368df3c3e152c4efcb2ffc09c4870743d360f3 |
| SHA256: | a07d18fed2517e314e001a98b0d3342f27951338e78096a61c3a5a3eb32e3397 |
| SHA512: | fdd7d3be06bdc68ef89226bb48414ba33b848902d4be2cef7ffa380bde9c170e399a4b1c51453bcc4c843e2609229eb6269aa3381332a30bdd4cf52b28de2cca |
| SSDEEP: | 6144:dCtMA6BUPpxj79GcJPTbfnStTLkS4zHoRlR65uZOVhDK+vMXtsyZ+pSEABE1j3pw:EvfnS8HUliDK+vMz+1T77m |
| TLSH: | DBB4292D66E84A68E273D6388AB78541E67378551B3193DF02A0C17D6E33FE09D35F22 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Q...Q...Q.......E...X.......Q...........[.......U.......M.......P.............n.S.....l.P.......P...RichQ.................. |
 | |
| Icon Hash: | 7ae282899bbab082 |
| Entrypoint: | 0x18004a620 |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x180000000 |
| Subsystem: | windows cui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| Time Stamp: | 0xC5977AAD [Fri Jan 18 12:08:13 2075 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 10 |
| OS Version Minor: | 0 |
| File Version Major: | 10 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 10 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 14ce1460ad5cd3ff8a67939f92ac19be |
| Signature Valid: | false |
| Signature Issuer: | CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US |
| Signature Validation Error: | The digital signature of the object did not verify |
| Error Number: | -2146869232 |
| Not Before, Not After |
|
| Subject Chain |
|
| Version: | 3 |
| Thumbprint MD5: | 2031DA039AA9D5538864F72D52C08AD7 |
| Thumbprint SHA-1: | 8870483E0E833965A53F422494F1614F79286851 |
| Thumbprint SHA-256: | 2724AEB0C497BF5FD732958120D1AE3341CFD252AB1680DE03D10503ABC666C1 |
| Serial: | 33000004158295A1A3D82E2857000000000415 |
| Instruction |
|---|
| dec eax |
| mov dword ptr [esp+08h], ebx |
| dec eax |
| mov dword ptr [esp+10h], esi |
| push edi |
| dec eax |
| sub esp, 20h |
| dec ecx |
| mov edi, eax |
| mov ebx, edx |
| dec eax |
| mov esi, ecx |
| cmp edx, 01h |
| jne 00007F4AB0F7D207h |
| call 00007F4AB0F7DA80h |
| dec esp |
| mov eax, edi |
| mov edx, ebx |
| dec eax |
| mov ecx, esi |
| dec eax |
| mov ebx, dword ptr [esp+30h] |
| dec eax |
| mov esi, dword ptr [esp+38h] |
| dec eax |
| add esp, 20h |
| pop edi |
| jmp 00007F4AB0F7D064h |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| jmp 00007F4AB0F7E0F0h |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| nop word ptr [eax+eax+00000000h] |
| dec eax |
| cmp ecx, dword ptr [000294D9h] |
| jne 00007F4AB0F7D212h |
| dec eax |
| rol ecx, 10h |
| test cx, FFFFh |
| jne 00007F4AB0F7D203h |
| ret |
| dec eax |
| ror ecx, 10h |
| jmp 00007F4AB0F7D247h |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| inc eax |
| push ebx |
| dec eax |
| sub esp, 20h |
| dec eax |
| mov ebx, ecx |
| xor ecx, ecx |
| call dword ptr [0000601Bh] |
| dec eax |
| mov ecx, ebx |
| call dword ptr [00006022h] |
| call dword ptr [00006214h] |
| dec eax |
| mov ecx, eax |
| mov edx, C0000409h |
| dec eax |
| add esp, 20h |
| pop ebx |
| dec eax |
| jmp dword ptr [000061F8h] |
| jno 00007F4AB0F7D1CCh |
| ficomp dword ptr [edx] |
| mov dh, 17h |
| mov eax, 4C894899h |
| and al, 08h |
| dec eax |
| sub esp, 00000000h |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x6fd70 | 0x58 | .rdata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6fdc8 | 0x4ec | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7a000 | 0xd48 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x76000 | 0x2d24 | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x7a000 | 0x25e0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7b000 | 0x610 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x63d48 | 0x70 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x503c0 | 0x140 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x50500 | 0xab8 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x6fa78 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x4de88 | 0x4e000 | ad118e42a54190660378cb51ac7588f8 | False | 0.4605243389423077 | data | 6.357409718288773 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x4f000 | 0x23ad8 | 0x24000 | 7eb374df03cd0e00bfd47cdc488a7215 | False | 0.3054606119791667 | data | 4.417190105672742 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x73000 | 0x25a0 | 0x1000 | 2702a0a63c1e0a889e10cd4c9480574c | False | 0.196533203125 | data | 2.824729777011446 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .pdata | 0x76000 | 0x2d24 | 0x3000 | cae78bf4df57aee5214aca96167c9398 | False | 0.5020345052083334 | PEX Binary Archive | 5.474575160748802 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .didat | 0x79000 | 0x70 | 0x1000 | 0db2b8ee0386ba22f1384974e764b39e | False | 0.017822265625 | data | 0.16740489391507368 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x7a000 | 0xd48 | 0x1000 | 7a1f05b9f4f557fe4a1ddba08e052f8d | False | 0.33837890625 | data | 4.496362030694204 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x7b000 | 0x610 | 0x1000 | 6897cac0234a1219a67234026a9e8f5e | False | 0.229248046875 | data | 2.882649466970565 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| XML | 0x7a4c0 | 0x881 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.39641708773541573 |
| RT_VERSION | 0x7a0f0 | 0x3cc | data | English | United States | 0.42386831275720166 |
| DLL | Import |
|---|---|
| api-ms-win-crt-runtime-l1-1-0.dll | _initterm_e, _initterm |
| api-ms-win-crt-private-l1-1-0.dll | _o__localtime64, _o__lock_file, _o__malloc_base, _o__purecall, _o__register_onexit_function, _o__seh_filter_dll, _o__unlock_file, _o__wcsdup, _o__wcsicmp, _o__wcsupr_s, _o__free_base, _o__wfsopen, memmove, _o__wtol, _o_abort, _o_ceilf, _o_fclose, _o_fflush, _o_fgetc, _o_fgetpos, _o_fgetwc, _o_fputwc, _o_free, _o_fsetpos, _o_fwrite, _o_malloc, _o_pow, _o_realloc, _o_setlocale, _o_setvbuf, _o_terminate, _o_ungetc, _o_ungetwc, _o_wcstol, _o_wcstoul, __C_specific_handler, __current_exception, __current_exception_context, _CxxThrowException, wcschr, _o__execute_onexit_table, _o__errno, _o__invalid_parameter_noinfo_noreturn, _o__invalid_parameter_noinfo, _o__initialize_onexit_table, _o__crt_atexit, _o__configure_narrow_argv, wcsstr, strchr, __uncaught_exception, _o__initialize_narrow_environment, _o__cexit, _o__calloc_base, _o__callnewh, _o___stdio_common_vswscanf, _o___stdio_common_vswprintf, _o___stdio_common_vsprintf_s, _o___stdio_common_vsnprintf_s, _o___std_type_info_destroy_list, _o___std_exception_destroy, _o___std_exception_copy, _o___pctype_func, _o____mb_cur_max_func, _o____lc_locale_name_func, _o____lc_collate_cp_func, _o____lc_codepage_func, __CxxFrameHandler3, memcmp, _o__fseeki64, memcpy |
| api-ms-win-crt-string-l1-1-0.dll | wcsnlen, wcscmp, wcsncmp, memset |
| api-ms-win-core-libraryloader-l1-2-0.dll | FreeLibrary, GetModuleFileNameA, LoadLibraryExA, GetModuleFileNameW, GetModuleHandleW, GetModuleHandleExW, LoadLibraryExW, GetProcAddress |
| api-ms-win-core-synch-l1-2-0.dll | InitOnceComplete, Sleep, InitializeConditionVariable, WakeConditionVariable, WakeAllConditionVariable, InitOnceBeginInitialize, SleepConditionVariableSRW |
| api-ms-win-core-synch-l1-1-0.dll | AcquireSRWLockShared, CreateMutexExW, TryAcquireSRWLockExclusive, CreateSemaphoreExW, LeaveCriticalSection, ReleaseSemaphore, WaitForSingleObject, DeleteCriticalSection, ReleaseMutex, InitializeCriticalSection, InitializeSRWLock, CreateEventExW, OpenSemaphoreW, WaitForSingleObjectEx, ReleaseSRWLockExclusive, SetEvent, CreateMutexW, AcquireSRWLockExclusive, ReleaseSRWLockShared, InitializeCriticalSectionEx |
| api-ms-win-core-heap-l1-1-0.dll | HeapSize, HeapFree, HeapDestroy, HeapAlloc, HeapReAlloc, GetProcessHeap |
| api-ms-win-core-errorhandling-l1-1-0.dll | SetUnhandledExceptionFilter, RaiseException, UnhandledExceptionFilter, GetLastError, SetLastError |
| api-ms-win-eventing-provider-l1-1-0.dll | EventWriteTransfer, EventRegister, EventUnregister, EventSetInformation |
| api-ms-win-core-processthreads-l1-1-0.dll | GetCurrentThreadId, GetExitCodeProcess, TerminateProcess, GetCurrentProcess, CreateProcessW, GetCurrentProcessId |
| api-ms-win-core-localization-l1-2-0.dll | FormatMessageW, GetUserDefaultLocaleName, LCMapStringEx |
| api-ms-win-core-debug-l1-1-0.dll | IsDebuggerPresent, DebugBreak, OutputDebugStringW |
| api-ms-win-core-handle-l1-1-0.dll | CloseHandle |
| OLEAUT32.dll | SysFreeString, VariantClear, VariantInit, SysStringLen, SysAllocString |
| api-ms-win-core-rtlsupport-l1-1-0.dll | RtlCaptureContext, RtlVirtualUnwind, RtlLookupFunctionEntry |
| api-ms-win-core-processthreads-l1-1-1.dll | IsProcessorFeaturePresent |
| api-ms-win-core-profile-l1-1-0.dll | QueryPerformanceCounter |
| api-ms-win-core-sysinfo-l1-1-0.dll | GetSystemDirectoryW, GlobalMemoryStatusEx, GetSystemTimeAsFileTime, GetLocalTime, GetWindowsDirectoryW, GetVersionExA, GetSystemTime, GetSystemWindowsDirectoryW |
| api-ms-win-core-interlocked-l1-1-0.dll | InitializeSListHead |
| api-ms-win-core-shlwapi-legacy-l1-1-0.dll | PathRemoveFileSpecW, PathFileExistsW, PathFindFileNameW |
| api-ms-win-core-file-l1-1-0.dll | GetDiskFreeSpaceExW, FindNextFileW, GetFileSize, FindFirstFileW, CreateFileW, FindClose, GetFileAttributesW, DeleteFileW, CreateDirectoryW, CompareFileTime |
| api-ms-win-eventing-controller-l1-1-0.dll | StartTraceW, ControlTraceW, EnableTraceEx2 |
| api-ms-win-core-registry-l1-1-0.dll | RegDeleteTreeW, RegDeleteValueW, RegQueryInfoKeyW, RegGetValueW, RegEnumValueW, RegOpenKeyExW, RegSetValueExW, RegCreateKeyExW, RegCloseKey, RegQueryValueExW |
| api-ms-win-security-sddl-l1-1-0.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW |
| api-ms-win-eventing-legacy-l1-1-0.dll | QueryTraceW |
| api-ms-win-core-com-l1-1-0.dll | CoInitializeEx, CoUninitialize, CLSIDFromString, CoCreateInstance, CoSetProxyBlanket, CoTaskMemFree, CoCreateFreeThreadedMarshaler, CoTaskMemRealloc, CoGetApartmentType, CoTaskMemAlloc, CoWaitForMultipleHandles |
| api-ms-win-core-heap-l2-1-0.dll | LocalAlloc, LocalFree, GlobalFree |
| api-ms-win-core-string-obsolete-l1-1-0.dll | lstrcmpiW, lstrcmpW |
| RPCRT4.dll | UuidCreate |
| api-ms-win-core-kernel32-legacy-l1-1-0.dll | GetSystemPowerStatus, MoveFileW |
| api-ms-win-core-libraryloader-l1-2-1.dll | LoadLibraryW |
| api-ms-win-core-registry-l1-1-1.dll | RegDeleteKeyValueW, RegSetKeyValueW |
| api-ms-win-core-realtime-l1-1-0.dll | QueryUnbiasedInterruptTime |
| SHELL32.dll | SHGetSpecialFolderPathW |
| pdh.dll | PdhCloseQuery, PdhGetFormattedCounterValue, PdhAddCounterW, PdhOpenQueryW, PdhCollectQueryData |
| api-ms-win-crt-time-l1-1-0.dll | _time64 |
| api-ms-win-crt-locale-l1-1-0.dll | _unlock_locales, _lock_locales |
| WINHTTP.dll | WinHttpReceiveResponse, WinHttpSendRequest, WinHttpCloseHandle, WinHttpSetTimeouts, WinHttpOpenRequest, WinHttpQueryOption, WinHttpReadData, WinHttpQueryHeaders, WinHttpAddRequestHeaders, WinHttpConnect, WinHttpOpen, WinHttpQueryDataAvailable |
| api-ms-win-core-version-l1-1-1.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW |
| CRYPT32.dll | CertGetCertificateChain, CertVerifyCertificateChainPolicy, CertFreeCertificateContext, CryptStringToBinaryW, CertFreeCertificateChain |
| api-ms-win-core-version-l1-1-0.dll | VerQueryValueW |
| api-ms-win-core-sysinfo-l1-2-0.dll | GetProductInfo |
| api-ms-win-core-winrt-string-l1-1-0.dll | WindowsDeleteString, WindowsCreateString, WindowsCreateStringReference, WindowsGetStringRawBuffer |
| api-ms-win-core-winrt-l1-1-0.dll | RoGetActivationFactory, RoActivateInstance |
| ntdll.dll | NtPowerInformation, RtlConvertDeviceFamilyInfoToString |
| api-ms-win-core-processenvironment-l1-1-0.dll | GetEnvironmentVariableW |
| api-ms-win-core-file-l1-2-0.dll | GetTempPathW |
| api-ms-win-core-kernel32-legacy-l1-1-1.dll | PowerClearRequest, PowerSetRequest, PowerCreateRequest |
| api-ms-win-core-timezone-l1-1-0.dll | SystemTimeToFileTime |
| api-ms-win-core-winrt-error-l1-1-0.dll | RoOriginateError, RoTransformError |
| api-ms-win-core-string-l1-1-0.dll | MultiByteToWideChar, CompareStringEx, WideCharToMultiByte, GetStringTypeW |
| api-ms-win-security-cryptoapi-l1-1-0.dll | CryptCreateHash, CryptDestroyHash, CryptReleaseContext, CryptHashData, CryptGetHashParam, CryptAcquireContextW |
| api-ms-win-core-memory-l1-1-0.dll | MapViewOfFile, UnmapViewOfFile, CreateFileMappingW |
| wkscli.dll | NetGetJoinInformation |
| netutils.dll | NetApiBufferFree |
| api-ms-win-core-delayload-l1-1-1.dll | ResolveDelayLoadedAPI |
| api-ms-win-core-delayload-l1-1-0.dll | DelayLoadFailureHook |
| api-ms-win-core-util-l1-1-0.dll | EncodePointer, DecodePointer |
| USER32.dll | UnregisterClassA |
| NETAPI32.dll | NetFreeAadJoinInformation, NetGetAadJoinInformation |
| WINTRUST.dll | WTHelperProvDataFromStateData, WinVerifyTrust, WTHelperGetProvSignerFromChain |
| urlmon.dll | URLDownloadToFileW |
| Name | Ordinal | Address |
|---|---|---|
| Execute | 1 | 0x1800144e0 |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 10:22:40 |
| Start date: | 26/04/2024 |
| Path: | C:\Windows\System32\loaddll64.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff601d90000 |
| File size: | 165'888 bytes |
| MD5 hash: | 763455F9DCB24DFEECC2B9D9F8D46D52 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 10:22:40 |
| Start date: | 26/04/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6d64d0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 10:22:40 |
| Start date: | 26/04/2024 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff66b790000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 10:22:40 |
| Start date: | 26/04/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff683440000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 10:22:40 |
| Start date: | 26/04/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff683440000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 9 |
| Start time: | 10:22:41 |
| Start date: | 26/04/2024 |
| Path: | C:\Windows\System32\WerFault.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6a3760000 |
| File size: | 570'736 bytes |
| MD5 hash: | FD27D9F6D02763BDE32511B5DF7FF7A0 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 10 |
| Start time: | 10:22:41 |
| Start date: | 26/04/2024 |
| Path: | C:\Windows\System32\WerFault.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6a3760000 |
| File size: | 570'736 bytes |
| MD5 hash: | FD27D9F6D02763BDE32511B5DF7FF7A0 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 12 |
| Start time: | 10:22:43 |
| Start date: | 26/04/2024 |
| Path: | C:\Windows\System32\rundll32.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff683440000 |
| File size: | 71'680 bytes |
| MD5 hash: | EF3179D498793BF4234F708D3BE28633 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 14 |
| Start time: | 10:22:43 |
| Start date: | 26/04/2024 |
| Path: | C:\Windows\System32\WerFault.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6a3760000 |
| File size: | 570'736 bytes |
| MD5 hash: | FD27D9F6D02763BDE32511B5DF7FF7A0 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 16 |
| Start time: | 10:22:43 |
| Start date: | 26/04/2024 |
| Path: | C:\Windows\System32\WerFault.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6a3760000 |
| File size: | 570'736 bytes |
| MD5 hash: | FD27D9F6D02763BDE32511B5DF7FF7A0 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 2.5% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 20.8% |
| Total number of Nodes: | 399 |
| Total number of Limit Nodes: | 7 |
Graph
Function 00007FF8B90AF744 Relevance: 45.8, APIs: 21, Strings: 5, Instructions: 288memoryfilestringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90A4D2C Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 197memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90AF408 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 208memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90A4470 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 247COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B0114 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 244COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90C607B Relevance: 83.1, APIs: 6, Strings: 41, Instructions: 807comCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B329F Relevance: 82.6, APIs: 14, Strings: 33, Instructions: 347sleepCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90ADEB4 Relevance: 67.0, APIs: 5, Strings: 33, Instructions: 501sleepCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B3878 Relevance: 63.3, APIs: 19, Strings: 17, Instructions: 320registrylibraryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B9AF0 Relevance: 61.6, APIs: 26, Strings: 9, Instructions: 300memoryregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90C731B Relevance: 60.1, APIs: 6, Strings: 28, Instructions: 561COMMON
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90A9749 Relevance: 60.0, APIs: 10, Strings: 24, Instructions: 480COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B7AE4 Relevance: 56.7, APIs: 11, Strings: 21, Instructions: 722registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90C6C7B Relevance: 51.1, APIs: 9, Strings: 20, Instructions: 388registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90AD450 Relevance: 46.1, APIs: 7, Strings: 19, Instructions: 615fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90BEE54 Relevance: 44.0, APIs: 8, Strings: 17, Instructions: 239COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B16E8 Relevance: 42.3, APIs: 11, Strings: 13, Instructions: 343fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90ACD10 Relevance: 33.7, APIs: 3, Strings: 16, Instructions: 423COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90AA3D9 Relevance: 33.6, APIs: 1, Strings: 18, Instructions: 305COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90C5950 Relevance: 30.0, APIs: 11, Strings: 6, Instructions: 255comCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B69E8 Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 134registrylibrarytimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90D398C Relevance: 24.8, APIs: 6, Strings: 8, Instructions: 348comCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90D4110 Relevance: 24.7, APIs: 3, Strings: 11, Instructions: 231fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90D34B0 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 154fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90C1514 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 101COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90CE0C0 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 158filenetworkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90A5A6C Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 216memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90C5370 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 121COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90C16D4 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 72nativeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B53A8 Relevance: 7.8, APIs: 3, Strings: 2, Instructions: 293memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90A657C Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90C5128 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90CE310 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67encryptionCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90C4AD0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90D6C88 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90C99C4 Relevance: .2, Instructions: 182COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90BA3D0 Relevance: 37.2, APIs: 20, Strings: 1, Instructions: 404registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90C1220 Relevance: 33.4, APIs: 8, Strings: 11, Instructions: 156registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90A1760 Relevance: 31.7, APIs: 2, Strings: 16, Instructions: 175windowthreadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90A775C Relevance: 29.8, APIs: 1, Strings: 16, Instructions: 86COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B73D8 Relevance: 28.4, APIs: 4, Strings: 12, Instructions: 380registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B6C08 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 226registrymemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B8BFC Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 201COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90AEA7C Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 173synchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90BD4B8 Relevance: 26.4, APIs: 7, Strings: 8, Instructions: 131registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90C5D58 Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 128processsynchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90CE9BC Relevance: 23.2, APIs: 8, Strings: 5, Instructions: 421COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B518C Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 138memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90D846C Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 107libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B9FB8 Relevance: 21.3, APIs: 6, Strings: 6, Instructions: 251registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90AA8F9 Relevance: 21.2, APIs: 1, Strings: 11, Instructions: 200COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B80DD Relevance: 21.2, APIs: 4, Strings: 8, Instructions: 180registrystringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B8F2C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 152memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90D623C Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 127libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90D2ED0 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 227commemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90A7CD0 Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 215COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90AAC70 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 194COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90BBCA8 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 173COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B1CD9 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 138fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90BF8F0 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 240COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90D3118 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 226comCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90D69C4 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 119COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90BD2CC Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 111COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B7218 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 108timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90D8BA8 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 102memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B9092AAB Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 52libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90A32DC Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 159COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90D3F00 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 139COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90D645C Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 106registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B9784 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90A3154 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 96synchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B9534 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 150COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B49B8 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 71timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90D8364 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 60libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90BBF5C Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 167comCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90D37A0 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 119COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90AAC6B Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 113COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90AA900 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 111COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90AF15C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103memoryregistryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90BAA64 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102memoryregistryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90D9E4C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 98memoryregistryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B795C Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 92COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90C8028 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 88COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90CE4D0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 88COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90C0620 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 63registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B4030 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 59registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90D6148 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 58libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90AB3BC Relevance: 12.2, APIs: 7, Strings: 1, Instructions: 157memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90A5588 Relevance: 12.1, APIs: 8, Instructions: 111memorysynchronizationCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90AED00 Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 87memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B3E40 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90BD928 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 81COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90A81D9 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 78registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90BF388 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 78comCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B9144 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 67registrytimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90AB6E8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 67COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90A5340 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58synchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B48E8 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 52registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B5E10 Relevance: 9.4, APIs: 3, Strings: 3, Instructions: 353COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B64FC Relevance: 9.3, APIs: 4, Strings: 2, Instructions: 258COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B99A8 Relevance: 9.1, APIs: 6, Instructions: 75encryptionCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90C1BDC Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 190COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90BED7C Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 132COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90D5A1C Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 125COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90C4E94 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 125COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B9240 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B93D4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 59registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90A8598 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B47DE Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 73memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90BE13C Relevance: 7.5, APIs: 2, Strings: 3, Instructions: 47COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B1388 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 230COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90CC820 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 189COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90A628C Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 167threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90C0198 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 135COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90BF4BC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94comCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90C0944 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90AF2D4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90C0720 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 66registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90A3EF9 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90C897C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90A6044 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90A1E3B Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 56libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B7A6E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90DA680 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90D6BDC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90A3DB9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90DA6DB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90BD6F4 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 38COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90D8C4C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90A3C89 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90A43EC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90A3D2A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90DDEEB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90D6810 Relevance: 6.1, APIs: 4, Instructions: 120registryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90A5A04 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 80COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90AEDF9 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 29memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B07A4 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90A70CC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 161COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B1114 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 159COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90D7EF0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 150COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90D4DC4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 150COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90C202E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 115COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90A1CAC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90AB5CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B45F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90C81A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48encryptionCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90CE40C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48encryptionCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90D9FB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90BAEB8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B04B8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90A3E6B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00007FF8B90B4F70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |