Windows
Analysis Report
WtRLqa6ZXn.exe
Overview
General Information
Detection
Score: | 68 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- WtRLqa6ZXn.exe (PID: 6444, cmdline: C:\Users\user\Desktop\WtRLqa6ZXn.exe, MD5: DE237777518DC9C0B7A03C536746D878)
- cleanup
Snort IDS alerts (both fire on connections to 185.158.115.191, the only contacted IP the table below marks malicious):

Timestamp | Source | Source Port | Destination | Destination Port | Protocol | SID | Classtype |
---|---|---|---|---|---|---|---|
11/26/23-18:54:06.452721 | 192.168.2.6 | 49709 | 185.158.115.191 | 1001 | TCP | 2806881 | A Network Trojan was detected |
11/26/23-18:56:07.142932 | 192.168.2.6 | 50290 | 185.158.115.191 | 1002 | TCP | 2806881 | A Network Trojan was detected |
AV Detection
- Avira
- ReversingLabs
- Virustotal (perma link)
- Joe Sandbox ML
- Static PE information (x2)
- Code function 0_2_00841300

Networking
- Snort IDS (the two alerts above)
- IP Address
- Code function 0_2_00841490

Further signature sources (section headings did not survive extraction)
- Static PE information (x3)
- ReversingLabs; Virustotal
- Key opened
- Classification label
- Mutant created
- Decision node followed by non-executed suspicious API: graph_0-805
- Thread sleep time; Thread delayed (x2)
- Thread injection, dropped files, key value created, disk infection and DNS query (x2)
- Code functions 0_2_00841300, 0_2_00841540, 0_2_00841360
- Binary or memory string
- Queries volume information (x2)
ATT&CK Matrix (only the cells with signature hits; the numeric prefixes are the report's badges as extracted)
- Defense Evasion: Virtualization/Sandbox Evasion (21)
- Discovery: Security Software Discovery (11); Virtualization/Sandbox Evasion (21); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (11)
- Command and Control: Ingress Tool Transfer (1)
Detection | Scanner | Label |
---|---|---|
70% | ReversingLabs | Win32.Trojan.MintMurphy |
75% | Virustotal | (see perma link) |
100% | Avira | TR/Crypt.XPACK.Gen |
100% | Joe Sandbox ML | |

TR/Crypt.XPACK.Gen is Avira's generic packer/crypter heuristic; read it against the static data below (section entropies all under 6, no TLS callbacks) and the execution graph's 0% dynamic/decrypted code coverage before assuming a runtime unpacking stage exists.
Contacted IPs (33 in total; only 185.158.115.191, the Snort alert destination, is flagged malicious):

IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
217.69.139.60 | unknown | Russian Federation | 47764 | MAILRU-ASMailRuRU | false |
212.227.17.178 | unknown | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | false |
195.54.174.27 | unknown | unknown | 199236 | EMARSYS-ASEmarsyseMarketingSystemsAGAT | false |
67.195.228.94 | unknown | United States | 36647 | YAHOO-GQ1US | false |
93.186.225.205 | unknown | Russian Federation | 47541 | VKONTAKTE-SPB-AShttpvkcomRU | false |
142.251.111.109 | unknown | United States | 15169 | GOOGLEUS | false |
95.181.181.87 | unknown | Russian Federation | 61120 | AIRNETRU | false |
87.240.139.193 | unknown | Russian Federation | 47541 | VKONTAKTE-SPB-AShttpvkcomRU | false |
143.90.14.136 | unknown | Japan | 4725 | ODNSoftBankMobileCorpJP | false |
149.154.167.99 | unknown | United Kingdom | 62041 | TELEGRAMRU | false |
52.96.48.54 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
142.251.167.108 | unknown | United States | 15169 | GOOGLEUS | false |
62.173.147.3 | unknown | Russian Federation | 34300 | SPACENET-ASInternetServiceProviderRU | false |
178.248.235.219 | unknown | Russian Federation | 197068 | QRATORRU | false |
37.1.217.172 | unknown | Ukraine | 58061 | SCALAXY-ASNL | false |
44.241.129.35 | unknown | United States | 16509 | AMAZON-02US | false |
52.40.178.147 | unknown | United States | 16509 | AMAZON-02US | false |
81.19.78.89 | unknown | Russian Federation | 24638 | RAMBLER-TELECOM-ASRU | false |
81.19.78.87 | unknown | Russian Federation | 24638 | RAMBLER-TELECOM-ASRU | false |
87.248.103.8 | unknown | United Kingdom | 34010 | YAHOO-IRDGB | false |
212.227.17.162 | unknown | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | false |
92.53.64.209 | unknown | Russian Federation | 49505 | SELECTELRU | false |
94.100.184.66 | unknown | Russian Federation | 47764 | MAILRU-ASMailRuRU | false |
185.158.115.191 | unknown | Russian Federation | 44812 | IPSERVER-RU-NETFiordRU | true |
52.96.88.34 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
195.49.132.16 | unknown | France | 57633 | TERANET2FR | false |
142.251.16.109 | unknown | United States | 15169 | GOOGLEUS | false |
67.195.176.152 | unknown | United States | 26101 | YAHOO-3US | false |
213.59.254.8 | unknown | Russian Federation | 12389 | ROSTELECOM-ASRU | false |
178.248.238.27 | unknown | Russian Federation | 197068 | QRATORRU | false |
91.206.14.139 | unknown | Russian Federation | 49505 | SELECTELRU | false |
104.127.87.210 | unknown | United States | 20940 | AKAMAI-ASN1EU | false |
52.96.32.178 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
Joe Sandbox Version: | 38.0.0 Ammolite |
Analysis ID: | 1348052 |
Start date and time: | 2023-11-26 18:53:12 +01:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 4m 10s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 6 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample file name: | WtRLqa6ZXn.exe (renamed because original name is a hash value) |
Original Sample Name: | de237777518dc9c0b7a03c536746d878.exe |
Detection: | MAL |
Classification: | mal68.winEXE@1/0@0/33 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded IPs from analysis (whitelisted): 52.113.194.133, 52.178.182.128, 52.158.121.3, 20.190.151.7, 20.190.151.69, 20.190.151.67, 20.190.151.134, 20.190.151.8, 20.190.151.131, 20.190.151.68, 20.190.151.132, 104.16.120.50, 104.16.119.50, 17.32.194.38, 17.32.194.7, 172.253.122.95, 192.168.2.6
- Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, ajax.googleapis.com, www.tm.v4.a.prd.aadg.akadns.net, go-skype-com.s-0006.s-msedge.net, ctldl.windowsupdate.com, login.skype-apps.akadns.net, login.msa.msidentity.com, idmsa.idms-apple.com.akadns.net, fe3cr.delivery.mp.microsoft.com, idmsa.apple.com, secure.skype-apps.akadns.net, ocsp.digicert.com, login.live.com, auth.riotgames.com.cdn.cloudflare.net, s-0006.s-msedge.net, www.tm.lg.prod.aadmsa.trafficmanager.net
- Report size getting too big, too many NtDeviceIoControlFile calls found.
Contacted IPs seen in other analysed samples (associated sample hashes did not survive extraction; counts are of associated malicious samples)
- 217.69.139.60: 1 sample (Unknown)
- 67.195.228.94: 20 samples: Phorpiex x3, Phorpiex + Xmrig x1, Tofsee x1, Tofsee + Xmrig x4, Raccoon / RedLine / SmokeLoader / Tofsee / Vidar / Xmrig x4, MyDoom x1, Unknown x6
- 93.186.225.205: 1 sample (Unknown)
- 95.181.181.87: 1 sample (Unknown)

67.195.228.94 sits in Yahoo's AS36647 and is marked not malicious above; its long list of associations only says that many unrelated samples (spam bots such as Phorpiex and Tofsee among them) also contacted this Yahoo address, and is not attribution of this sample.
ASNs of contacted IPs seen in other analysed samples (associated sample hashes did not survive extraction; counts are of associated malicious samples)
- MAILRU-ASMailRuRU (AS47764): 20 samples: Mirai x5, Mirai + Moobot x1, Pushdo x4, HTMLPhisher x4, Unknown x6
- EMARSYS-ASEmarsyseMarketingSystemsAGAT (AS199236): 2 samples: Mirai x1, Unknown x1
- ONEANDONE-ASBrauerstrasse48DE (AS8560): 20 samples: FormBook x13, FormBook + NSISDropper x2, Mirai x1, Pushdo x1, Unknown x3
File type: | |
Entropy (8bit): | 6.220436500559913 |
TrID: |
|
File name: | WtRLqa6ZXn.exe |
File size: | 63'824 bytes |
MD5: | de237777518dc9c0b7a03c536746d878 |
SHA1: | a357466573e35d634a119b7f2e7a8a18f5018811 |
SHA256: | 23c6e8163646ba03c0a5c6dcdf0f0df5688ec4a91c8bd9b663888440254bc12f |
SHA512: | 40337a848a49487805dbb663313de888c967cb4392fe1c63311395a005b22633f603c8868d2bfbc05539844926072c80cd9dd4abfcb0786098e8e3e242d12067 |
SSDEEP: | 1536:2mLuy2AtwhCC3P43iyGS5lzYAfQzf/3ma9cS3:2qJzC3Ki5ylUA4zf/3mocC |
TLSH: | 0853F105E4526CCDEBF68275A6650489E134CB524B033CE323E13DBA1D4EEC9A1B7626 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p'..4F..4F..4F...I..6F...1..9F..4F...F......6F..R...5F..R...5F..R...5F..Rich4F..........................PE..L...+.We........... |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x401020 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x6557E72B [Fri Nov 17 22:20:27 2023 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | f9e0f22dd6f41da7f3579c559466fbd0 |
Entrypoint disassembly (static VA 0x401020 in .text; at the runtime image base 0x840000 this is function 00841020, which the execution graph lists with 8 instructions, 1 API and the tag "sleep"). The comments describe only what each instruction does; call and jump targets are the rebased addresses the report printed and are not resolved here.

push ebp                            ; entry: set up the frame
mov ebp, esp
call 00007F874089250Dh              ; direct call into an internal routine, the only other call in this function
push FFFFFFFFh                      ; single argument 0xFFFFFFFF
call dword ptr [00403038h]          ; indirect call through the IAT (0x403000-0x4030C4); the graph's single API tagged "sleep" makes Sleep(INFINITE) the likely reading, but the listing itself does not resolve the slot
mov eax, 00000001h                  ; return value 1
pop ebp
retn 0010h                          ; callee pops four dword arguments
int3 (x7)                           ; padding up to the next routine
push ebp                            ; second routine
mov ebp, esp
sub esp, 20h                        ; 0x20 bytes of locals
mov dword ptr [ebp-14h], 00000000h  ; success flag = 0 (set to 1 at the end)
mov dword ptr [ebp-20h], 0040313Ch  ; local array of three .rdata pointers, 12 bytes apart
mov dword ptr [ebp-1Ch], 00403148h
mov dword ptr [ebp-18h], 00403154h
mov dword ptr [ebp-04h], 00000000h  ; i = 0
jmp 00007F8740891B2Bh               ; to the outer loop test
mov eax, dword ptr [ebp-04h]        ; i++
add eax, 01h
mov dword ptr [ebp-04h], eax
cmp dword ptr [ebp-04h], 03h        ; outer test: i >= 3 (unsigned) leaves the loop
jnc 00007F8740891B90h
mov dword ptr [ebp-08h], FFFFFFFFh  ; result = -1
mov dword ptr [ebp-0Ch], 00000000h  ; j = 0
jmp 00007F8740891B2Bh               ; to the inner loop test
mov ecx, dword ptr [ebp-0Ch]        ; j++
add ecx, 01h
mov dword ptr [ebp-0Ch], ecx
cmp dword ptr [ebp-0Ch], 03h        ; inner test: j >= 3 (signed) leaves the loop
jnl 00007F8740891B3Fh
mov edx, dword ptr [ebp-04h]
mov eax, dword ptr [ebp+edx*4-20h]  ; eax = array[i]
push eax
call 00007F874089269Fh              ; result = f(array[i]); cdecl, one argument
add esp, 04h
mov dword ptr [ebp-08h], eax
cmp dword ptr [ebp-08h], FFFFFFFFh  ; result == -1 decides whether to keep retrying (both branch targets print identically in the rebased listing)
je 00007F8740891B24h
jmp 00007F8740891B24h
jmp 00007F8740891AF6h               ; backward jump: loop back-edge
cmp dword ptr [ebp-08h], FFFFFFFFh  ; still -1 after the inner loop: move on to the next i
je 00007F8740891B4Ch
push 00000019h                      ; g(result, 0x19); cdecl, two arguments
mov ecx, dword ptr [ebp-08h]
push ecx
call 00007F8740891BCEh
add esp, 08h
mov dword ptr [ebp-10h], eax
cmp dword ptr [ebp-10h], FFFFFFFFh  ; g returned -1: skip the import call
je 00007F8740891B35h
mov edx, dword ptr [ebp-10h]
push edx
call dword ptr [004030ACh]          ; imported function called with g's result (IAT slot 0x4030AC)
mov dword ptr [ebp-14h], 00000001h  ; success flag = 1
jmp 00007F8740891B24h
jmp 00007F8740891AA5h
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x37a0 | 0x49 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3414 | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5000 | 0x1e0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6000 | 0x1d0 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3000 | 0xc4 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x1fe0 | 0x2000 | False | 0.525390625 | data | 5.955345217509494 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x3000 | 0x7e9 | 0x800 | False | 0.4580078125 | data | 5.233547677908448 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x4000 | 0xa8 | 0x200 | False | 0.033203125 | DOS executable (block device driver) | 0.06591441234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x5000 | 0x1e0 | 0x200 | False | 0.525390625 | data | 4.696122618599126 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x6000 | 0x44a | 0x600 | False | 0.30859375 | data | 2.7348987790512544 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_MANIFEST | 0x5060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727 |
DLL | Import |
---|---|
WS2_32.dll | socket, setsockopt, send, select, gethostbyname, WSAStartup, recv, inet_addr, connect, htons, closesocket |
DNSAPI.dll | DnsQuery_A, DnsFree |
KERNEL32.dll | GetComputerNameA, InterlockedExchange, GetTempPathA, lstrlenA, lstrcatA, lstrcpyA, GetWindowsDirectoryA, GetVolumeInformationA, SetEvent, Sleep, CreateThread, FindClose, FindFirstFileA, CloseHandle, GetLastError, HeapAlloc, HeapFree, GetProcessHeap, CreateEventW, WaitForSingleObject, CreateMutexA, lstrcmpiA |
USER32.dll | wsprintfA |
ADVAPI32.dll | GetUserNameA |
ntdll.dll | memcpy, memcmp, _chkstk |
SHLWAPI.dll | StrToIntA, StrStrIA |
Name | Ordinal | Address |
---|---|---|
DllEntry | 1 | 0x401000 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Target ID: | 0 |
Start time: | 18:54:04 |
Start date: | 26/11/2023 |
Path: | C:\Users\user\Desktop\WtRLqa6ZXn.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x840000 |
File size: | 63'824 bytes |
MD5 hash: | DE237777518DC9C0B7A03C536746D878 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
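The import table, section table, PE time stamp and runtime image base above lend themselves to a few static checks. The Python below is an added example by the editor, not code from the Joe Sandbox report or from the analysed sample. It recomputes a pefile-style import hash from the imports as listed (compare it with the report's Import Hash; the value depends on the order shown in the table), tags the imports with coarse capability labels using an assumed mapping in the spirit of capa rules, decodes the PE time stamp, and maps the report's runtime addresses (the process was loaded at 0x840000 because DYNAMIC_BASE is set) back to static addresses in the 0x400000 image, so that 0_2_00841020 in the execution graph can be read against the 0x401020 entry point. The import list, section table, time stamp and image bases are transcribed from the tables on this page; the API_TAGS mapping is the editor's assumption.

```python
"""Static triage over the values transcribed from the report above.

Added example by the editor; not code from the Joe Sandbox report or from the
analysed sample. Imports and sections are copied from the report's tables; the
capability mapping (API_TAGS) is an editorial assumption.
"""
import hashlib
from datetime import datetime, timezone

# Import table in the order the report lists it (DLL order, then function order).
IMPORTS = [
    ("WS2_32.dll", ["socket", "setsockopt", "send", "select", "gethostbyname",
                    "WSAStartup", "recv", "inet_addr", "connect", "htons",
                    "closesocket"]),
    ("DNSAPI.dll", ["DnsQuery_A", "DnsFree"]),
    ("KERNEL32.dll", ["GetComputerNameA", "InterlockedExchange", "GetTempPathA",
                      "lstrlenA", "lstrcatA", "lstrcpyA", "GetWindowsDirectoryA",
                      "GetVolumeInformationA", "SetEvent", "Sleep", "CreateThread",
                      "FindClose", "FindFirstFileA", "CloseHandle", "GetLastError",
                      "HeapAlloc", "HeapFree", "GetProcessHeap", "CreateEventW",
                      "WaitForSingleObject", "CreateMutexA", "lstrcmpiA"]),
    ("USER32.dll", ["wsprintfA"]),
    ("ADVAPI32.dll", ["GetUserNameA"]),
    ("ntdll.dll", ["memcpy", "memcmp", "_chkstk"]),
    ("SHLWAPI.dll", ["StrToIntA", "StrStrIA"]),
]

# Section table from the report: name -> (virtual address, virtual size).
SECTIONS = {
    ".text": (0x1000, 0x1FE0), ".rdata": (0x3000, 0x7E9), ".data": (0x4000, 0xA8),
    ".rsrc": (0x5000, 0x1E0), ".reloc": (0x6000, 0x44A),
}
STATIC_IMAGE_BASE = 0x400000   # ImageBase in the PE header
RUNTIME_IMAGE_BASE = 0x840000  # where the sandbox loaded it (DYNAMIC_BASE set)
PE_TIMESTAMP = 0x6557E72B      # IMAGE_FILE_HEADER.TimeDateStamp from the report

# Editorial assumption: coarse capability labels for the APIs that matter here.
API_TAGS = {
    "socket": "network", "connect": "network", "send": "network", "recv": "network",
    "gethostbyname": "dns", "DnsQuery_A": "dns",
    "GetComputerNameA": "host-fingerprint", "GetUserNameA": "host-fingerprint",
    "GetVolumeInformationA": "host-fingerprint",
    "CreateMutexA": "single-instance-mutex",
    "FindFirstFileA": "file-enumeration", "GetTempPathA": "file-enumeration",
    "Sleep": "delay", "CreateThread": "threading",
}


def imphash(imports):
    """pefile-style import hash: MD5 over 'dll.func' pairs, lowercase, with the
    .dll/.ocx/.sys extension stripped, joined by commas in import-table order."""
    parts = []
    for dll, funcs in imports:
        name = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if name.endswith(ext):
                name = name[: -len(ext)]
                break
        parts.extend(f"{name}.{func.lower()}" for func in funcs)
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def capabilities(imports):
    """Sorted capability tags implied by the imported APIs (per API_TAGS)."""
    return sorted({API_TAGS[f] for _, funcs in imports for f in funcs if f in API_TAGS})


def pe_timestamp(raw):
    """Decode the PE header time stamp (seconds since the Unix epoch) as UTC."""
    return datetime.fromtimestamp(raw, tz=timezone.utc)


def runtime_to_static(addr):
    """Translate a runtime address from the report (e.g. 0x841540) into the
    section it falls in and its static virtual address at ImageBase 0x400000."""
    rva = addr - RUNTIME_IMAGE_BASE
    for name, (va, size) in SECTIONS.items():
        if va <= rva < va + size:
            return name, STATIC_IMAGE_BASE + rva
    raise ValueError(f"RVA {rva:#x} lies outside every section")


if __name__ == "__main__":
    print("imphash  :", imphash(IMPORTS))
    print("tags     :", ", ".join(capabilities(IMPORTS)))
    print("compiled :", pe_timestamp(PE_TIMESTAMP).isoformat())
    for runtime in (0x841020, 0x841540, 0x842800):
        section, static = runtime_to_static(runtime)
        print(f"{runtime:#x} -> {section} {static:#x}")
```

Run without arguments to print the four results. The tag set (network, dns, host-fingerprint, single-instance-mutex, file-enumeration, delay, threading) lines up with the behavioural signatures above (Mutant created, Queries volume information, DNS query, Thread sleep time). If the computed hash does not equal the report's f9e0f22dd6f41da7f3579c559466fbd0, the table's listing order or pefile's ordinal-to-name resolution for WS2_32 differs from what is transcribed here; recompute from the binary with pefile before relying on it for pivoting.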
Execution Graph
Execution Coverage: | 45.6% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 16% |
Total number of Nodes: | 244 |
Total number of Limit Nodes: | 12 |

Functions (runtime addresses at image base 0x840000; tags as assigned by the report; the per-function API and string listings did not survive extraction)

Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
00841540 | 33.6 | 17 | 2 | 327 | memory, sleep, thread, COMMON |
00841490 | 8.8 | 3 | 2 | 55 | network, COMMON |
00841360 | 6.1 | 4 | - | 79 | COMMON |
00841300 | 4.5 | 3 | - | 27 | file, COMMON |
00842800 | 31.7 | 12 | 6 | 160 | network, COMMON |
00841A10 | 28.1 | 12 | 4 | 99 | string, synchronization, thread, COMMON |
008421D0 | 12.4 | 6 | 1 | 189 | memory, network, COMMON |
00841E50 | 12.3 | 5 | 2 | 97 | network, COMMON |
00841C20 | 8.8 | 4 | 1 | 61 | network, COMMON |
00841170 | 6.0 | 4 | - | 35 | network, COMMON |
00841D60 | 4.6 | 3 | - | 61 | sleep, synchronization, COMMON |
00842A20 | 4.6 | 3 | - | 57 | network, COMMON |
00842D51 | 3.0 | 2 | - | 42 | network, COMMON |
00841BC0 | 3.0 | 2 | - | 29 | network, COMMON |
008419AC | 1.6 | 1 | - | 56 | COMMON |
00842DFE | 1.5 | 1 | - | 31 | network, COMMON |
00841B70 | 1.5 | 1 | - | 29 | network, COMMON |
00841CD0 | 1.5 | 1 | - | 28 | network, COMMON |
00842E55 | 1.5 | 1 | - | 25 | network, COMMON |
00842E74 | 1.5 | 1 | - | 25 | network, COMMON |
00841D30 | 1.5 | 1 | - | 16 | COMMON |
00841020 | 1.3 | 1 | - | 8 | sleep, COMMON |
008424A0 | 22.9 | 11 | 2 | 119 | string, COMMON |
00842620 | 12.3 | 5 | 2 | 78 | network, string, COMMON |