Windows
Analysis Report
SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe
Overview
General Information
Detection
Score: | 56 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
  - SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe (PID: 3076 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe" MD5: 98CC7DD8EEEAF079B8E8F650D847525F)
    - WerFault.exe (PID: 4456 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 488 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
AV Detection |
---|
Source: | ReversingLabs: |
Source: | Joe Sandbox ML: |
Source: | Code function: | 0_2_00425784 | |
Source: | Code function: | 0_2_00425835 | |
Source: | Code function: | 0_2_00425B69 |
Source: | Static PE information: |
Source: | Code function: | 0_2_00426865 |
Source: | Code function: | 0_2_00436131 |
Source: | String found in binary or memory: |
Source: | Code function: | 0_2_00418031 | |
Source: | Code function: | 0_2_004120E0 | |
Source: | Code function: | 0_2_0043C238 | |
Source: | Code function: | 0_2_004222C3 | |
Source: | Code function: | 0_2_00420301 | |
Source: | Code function: | 0_2_00444440 | |
Source: | Code function: | 0_2_0043B409 | |
Source: | Code function: | 0_2_00421481 | |
Source: | Code function: | 0_2_0043259A | |
Source: | Code function: | 0_2_0040F730 | |
Source: | Code function: | 0_2_0042B78D | |
Source: | Code function: | 0_2_00420845 | |
Source: | Code function: | 0_2_00426865 | |
Source: | Code function: | 0_2_0041D86A | |
Source: | Code function: | 0_2_0042EADB | |
Source: | Code function: | 0_2_0042CD5C | |
Source: | Code function: | 0_2_00420D89 | |
Source: | Code function: | 0_2_00415E6E | |
Source: | Code function: | 0_2_00430E1A | |
Source: | Code function: | 0_2_00437E3B |
Source: | Process created: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Classification label: |
Source: | Code function: | 0_2_00423319 |
Source: | Code function: | 0_2_00438D35 |
Source: | Code function: | 0_2_00426FD8 |
Source: | Code function: | 0_2_00426181 |
Source: | Mutant created: |
Source: | File created: |
Source: | Command line argument: | 0_2_004351F9 | |
Source: | Command line argument: | 0_2_004351F9 |
Source: | Static PE information: |
Source: | Key opened: |
Source: | ReversingLabs: |
Source: | String found in binary or memory: | (7 entries) |
Source: | Process created: | (2 entries) |
Source: | Section loaded: | (4 entries) |
Source: | Code function: | 0_2_004230F3 |
Source: | Static PE information: |
Source: | Code function: | 0_2_00415788 | |
Source: | Code function: | 0_2_004127C8 |
Source: | Process information set: | (55 entries) |
Malware Analysis System Evasion |
---|
Source: | Code function: | 0_2_0043A8D8 |
Source: | Code function: | 0_2_0043545F |
Source: | Evasive API call chain: | graph_0-32588 |
Source: | API coverage: |
Source: | Code function: | 0_2_00426865 |
Source: | Code function: | 0_2_00438BF9 |
Source: | Binary or memory string: | (31 entries) |
Source: | Process queried: |
Source: | Code function: | 0_2_00411360 |
Source: | Code function: | 0_2_004230F3 |
Source: | Code function: | 0_2_00428340 | |
Source: | Code function: | 0_2_00428340 | |
Source: | Code function: | 0_2_00429751 | |
Source: | Code function: | 0_2_00429751 | |
Source: | Code function: | 0_2_00429751 |
Source: | Code function: | 0_2_0042C16E | |
Source: | Code function: | 0_2_00417277 | |
Source: | Code function: | 0_2_00411360 | |
Source: | Code function: | 0_2_0043259A | |
Source: | Code function: | 0_2_00429737 | |
Source: | Code function: | 0_2_004127E7 | |
Source: | Code function: | 0_2_00410F21 |
Source: | Code function: | 0_2_00422F0E |
Source: | Code function: | 0_2_00419F6E |
Source: | Code function: | 0_2_004177B1 |
Source: | Code function: | 0_2_0043902A |
Source: | Binary or memory string: | (4 entries) |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 3 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Access Token Manipulation | 11 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 2 Native API | Boot or Logon Initialization Scripts | 1 Process Injection | 1 Access Token Manipulation | LSASS Memory | 141 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Process Injection | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 25 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
68% | ReversingLabs | Win32.Trojan.Generic | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
 |  | false |  | unknown |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1446236 |
Start date and time: | 2024-05-23 01:30:22 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 44s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 11 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe |
Detection: | MAL |
Classification: | mal56.evad.winEXE@2/5@0/0 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.189.173.22
- Excluded domains from analysis (whitelisted): login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- VT rate limit hit for: SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe
Time | Type | Description |
---|---|---|
19:31:43 | API Interceptor |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_ec24384a58645712a8216dd34a3884cb9132512_265dce86_e1f415c1-83d4-44dc-a094-cc48ee5b9763\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.8728362306142596 |
Encrypted: | false |
SSDEEP: | 96:rvUFsM5fKs8huzFXefhQXIDcQvc6QcEVcw3cE/f+HbHgnoW6HeE7snL9tjo2fn2l:r8dRKqt0BU/4jnZrsMqzuiFIZ24IO8u |
MD5: | E04350460002F9A95B05460D96F89396 |
SHA1: | EFDC24F9BA1984EF7E1AB78B147DCBBA9D24A7AC |
SHA-256: | 6014FD72A4B39B2CBD35B835B6D80D9EFDBEB2790790C3181BD0215F53B039A7 |
SHA-512: | 0C52BBD557F72FD5F9F09EF9C69E57C35C60949D6EBA9E897DD237504EE3D221EEB3980E1038E45F3465D4B2CFEC96E7C5FCFA1A01849769E8B6BB62E405BFF9 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 36800 |
Entropy (8bit): | 2.007609435064957 |
Encrypted: | false |
SSDEEP: | 192:EdJrAMbZyB+mKOUOW77zmIwm/ggziWg8MvBFVq1XOqaOZn20:OJrrNMjXSzqMZM5FAOqa+ |
MD5: | FCDDA76E63952B0929B45B75074B2DC2 |
SHA1: | 17A010C01258CD8C461201C399507A10A31E44DF |
SHA-256: | AC9F7845F4CAD79E044D1DEBC0710F36CB272EC276A15E82FF81EE09CF8EFC08 |
SHA-512: | 968293156F8B440C70DA463D77509B1426FB9D4AEBEC0B04B4AC066E2B30ACFE5D0907C1B1DFF5400BACD4F9F4FA283862A76FFC4F5F591D107667951A775735 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8464 |
Entropy (8bit): | 3.7035225480837717 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJCv6sr6YWfSU9Dfgmfk0SLprw89bDYsfjhm:R6lXJi6sr6YuSU9Dfgmfk0SLDLf4 |
MD5: | D61319F39A438E354A3D3B4E44B2FC43 |
SHA1: | F3D7C72BC894FBF23A3766A81A870E797D1C9340 |
SHA-256: | 7E5C6C978A5C2F06332ADDFC919D10B3D49AB4500F3CA1BAAE501654A8307A68 |
SHA-512: | EADF0DCD9356F9F0B50EA8E5F655211E8E96B50D3E656093AD2B14CD7C5FC82481D7F655AAE18F725AF915F277A8AA4402247C0CEE080D0D846590D93FD6BECE |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4790 |
Entropy (8bit): | 4.561588191050228 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsoNJg77aI9mrVWpW8VY+Ym8M4JROA9FTL3P+q82P+5YDY2d:uIjfMI7oI7VSJzkSs2d |
MD5: | 75011462992D6AE1C8D921FE83EE0E30 |
SHA1: | 0B065C2BD61E529861420FB5E27830B8BE5EBC2D |
SHA-256: | 937170E934E2A747D096998041DB7D48603822CB19EC350279B62104742F04DA |
SHA-512: | A74D0283139C0947ABD3F525C2BBC02A76CFE9835BA1449DCEE160D29997CE8160812342C3623CCC7B15230BE3BB0F2EFA55180DEFDFF4063DD5147AAA2F9B96 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1835008 |
Entropy (8bit): | 4.295922598257211 |
Encrypted: | false |
SSDEEP: | 6144:441fWRYkg7Di2vXoy00lWZgiWaaKxC44Q0NbuDs+HGmBMZJh1VjF:11/YCW2AoQ0NiBGwMHrVZ |
MD5: | 65B443CF0677BB4FB47CC774C0322A74 |
SHA1: | A2F1A9D4DBE1BA80F19AFA2D16347410DCA54851 |
SHA-256: | 723F052BED1ED0A8AA5A2AC120525470314FA59192EFAC70F64D3241098CCFEF |
SHA-512: | EBA5A064A11816BDF26994CA63E26D2C240D395E0907BAF0A56F5155642E4A0F4579B0DB4FFC28BC0DDDA8FA39114FDDC90215E3BBA27DB1FBC19AE4AEE024A8 |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 6.425136010677569 |
TrID: | |
File name: | SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe |
File size: | 386'048 bytes |
MD5: | 98cc7dd8eeeaf079b8e8f650d847525f |
SHA1: | 2f8bdb79155ce50f7b02209cd28f996fc9e62915 |
SHA256: | 5b9cb6ebd3779665272eb9303004faf88f121cbe8f7e63c00a547e6d9ae13998 |
SHA512: | 24de92368cf508ac40db171f891075c67a90d71fa9febefc8cce4218c4d248870dcca240347e7bfc39b66a52477c3b0b9b9cd0fe478fafd226ce092147b2a92f |
SSDEEP: | 6144:4i4TBXZh3Am19Lk/8LS35qQkOLwfFGIMcPayeMlTDIeuhDF28VBUJpEzubg66:4isBXZh3Amr4/8YN9Lw4izIeuhDF28Vh |
TLSH: | 2D849E12B745F032C4130171BA19A3B6823DB9716B398187B3D85F6EEEF16D27939B42 |
File Content Preview: | MZ......................@...`r...................r......................!..L.!This program cannot be run in DOS mode....$.........L..u"..u"..u"......u"......u".....lu"...O..u"...Y..u"..u#..t"......u"......u"......u".Rich.u"...?.....PE..L...X..V........... |
Icon Hash: | 03e1565848481a3e |
Entrypoint: | 0x411b23 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x561CF058 [Tue Oct 13 11:51:52 2015 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | 8765057780dde950993dc56a99702829 |
Instruction |
---|
call 00007F4EF491F9CEh |
jmp 00007F4EF4919BBEh |
int3 |
int3 |
int3 |
cmp dword ptr [00458030h], 00000000h |
je 00007F4EF491FA64h |
sub esp, 08h |
stmxcsr dword ptr [esp+04h] |
mov eax, dword ptr [esp+04h] |
and eax, 00001F80h |
cmp eax, 00001F80h |
jne 00007F4EF4919D51h |
fstcw word ptr [esp] |
mov ax, word ptr [esp] |
and ax, 007Fh |
cmp ax, 007Fh |
lea esp, dword ptr [esp+08h] |
jne 00007F4EF491FA33h |
jmp 00007F4EF4919D42h |
movq xmm0, qword ptr [esp+04h] |
movapd xmm2, dqword ptr [004447C0h] |
movapd xmm3, xmm0 |
movapd xmm1, xmm0 |
movapd xmm4, xmm0 |
movapd xmm6, xmm0 |
psllq xmm0, 01h |
psrlq xmm0, 35h |
psrlq xmm3, 34h |
andpd xmm4, dqword ptr [004447D0h] |
movd eax, xmm0 |
psubd xmm2, xmm0 |
mov ecx, dword ptr [esp+0Ch] |
psrlq xmm1, xmm2 |
psllq xmm1, xmm2 |
movd edx, xmm3 |
cmp eax, 000003FFh |
jl 00007F4EF4919D60h |
cmp eax, 00000432h |
jnle 00007F4EF4919D62h |
movq qword ptr [ecx], xmm1 |
subsd xmm6, xmm1 |
orpd xmm6, xmm4 |
movq qword ptr [esp+04h], xmm6 |
fld qword ptr [esp+04h] |
ret |
movq qword ptr [ecx], xmm4 |
fld qword ptr [esp+04h] |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x52e64 | 0x140 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5a000 | 0x4028 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5f000 | 0x0 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x44000 | 0x43c | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x4252b | 0x42600 | 157e0f1d68cb70fce7efeadfb4906c21 | False | 0.530404013653484 | data | 6.582694661440288 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x44000 | 0x10660 | 0x10800 | 6f4e83ef0b02b76a70997b70cc098204 | False | 0.3940133759469697 | data | 4.903645653152718 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x55000 | 0x4188 | 0x1c00 | 8b998369db83f67882398c0e74ebd57e | False | 0.3588169642857143 | data | 3.767074441607386 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x5a000 | 0x4028 | 0x4200 | e4296c6bc6d208dca5934d7351c48b2d | False | 0.5220170454545454 | data | 5.7759752035222185 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x5f000 | 0x5320 | 0x5400 | 85d3b064f6d049f7daa79e59a7dffe81 | False | 0.5010230654761905 | data | 5.313122944050481 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x5a148 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Russian | Russia | 0.5283195020746888 |
RT_ICON | 0x5c6f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Russian | Russia | 0.6083489681050657 |
RT_ICON | 0x5d798 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Russian | Russia | 0.42021276595744683 |
RT_GROUP_ICON | 0x5dc00 | 0x30 | data | Russian | Russia | 0.8541666666666666 |
RT_MANIFEST | 0x5dc30 | 0x3f7 | ASCII text, with very long lines (1015), with no line terminators | English | United States | 0.4896551724137931 |
DLL | Import |
---|---|
KERNEL32.dll | CreatePipe, GlobalAlloc, GlobalLock, GlobalUnlock, GlobalFree, VirtualAlloc, HeapCreate, LoadLibraryA, GetProcAddress, HeapAlloc, ExitThread, LocalFree, lstrlenW, GetTempPathW, LoadLibraryW, GetCurrentProcess, QueryDosDeviceW, GetFullPathNameW, GetLongPathNameW, GetModuleFileNameW, GetEnvironmentVariableW, GetCurrentProcessId, MoveFileExW, ExpandEnvironmentStringsW, WideCharToMultiByte, MultiByteToWideChar, GetFileAttributesW, GetVersion, CreateSemaphoreW, ReleaseSemaphore, GetFileInformationByHandle, CopyFileW, DeleteFileW, IsBadWritePtr, CreateFileW, SetFilePointer, CreateToolhelp32Snapshot, Process32FirstW, OpenProcess, GetProcessTimes, Process32NextW, GetCommandLineW, GetExitCodeThread, InterlockedExchange, DeleteCriticalSection, GetFileSizeEx, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, GetProcessHeap, SetEndOfFile, FlushFileBuffers, GetConsoleMode, GetConsoleCP, SetStdHandle, InitializeCriticalSectionAndSpinCount, GetModuleHandleA, GetStringTypeW, GetStringTypeA, GetLocaleInfoA, IsValidCodePage, GetOEMCP, GetACP, QueryPerformanceCounter, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStartupInfoA, GetFileType, SetHandleCount, GetModuleFileNameA, HeapReAlloc, VirtualFree, GetFileSize, ReadFile, GetStdHandle, ExitProcess, WaitForMultipleObjects, GetCurrentThreadId, LeaveCriticalSection, SetEvent, EnterCriticalSection, ResetEvent, SetProcessShutdownParameters, CreateThread, HeapSize, SetLastError, TlsFree, TlsSetValue, TerminateProcess, TlsAlloc, TlsGetValue, GetCPInfo, LCMapStringW, LCMapStringA, RtlUnwind, RaiseException, GetStartupInfoW, HeapFree, IsDebuggerPresent, UnhandledExceptionFilter, GetModuleHandleW, EnumResourceNamesW, InitializeCriticalSection, CreateEventW, SetUnhandledExceptionFilter, SetErrorMode, GetTickCount, CreateProcessW, SetFileAttributesW, WriteFile, WaitForSingleObject, Sleep, GetLastError, GetSystemInfo, GetDiskFreeSpaceExW, GetDriveTypeW, GetLogicalDriveStringsW, GlobalMemoryStatusEx, GetSystemTimeAsFileTime, CloseHandle, GetFileTime, GetVersionExW, GetVolumeInformationW, GetVolumePathNameW, GetSystemDirectoryW, CreateFileA, InterlockedDecrement, InterlockedIncrement |
USER32.dll | DrawIconEx, GetSysColorBrush, EndPaint, RedrawWindow, LoadImageW, BeginPaint, GetSysColor, SetTimer, EnableWindow, GetForegroundWindow, ShowWindow, DestroyWindow, FlashWindow, AttachThreadInput, SetCursor, CharLowerW, PostMessageW, GetCursorPos, KillTimer, MessageBoxW, LoadCursorW, GetSystemMetrics, ReleaseDC, GetDC, SetRect, SetFocus, DefWindowProcW, LoadStringW, SendMessageW, RegisterClassExW, CreateWindowExW, GetMessageW, DispatchMessageW, AdjustWindowRectEx, SetParent, IsDialogMessageW, TranslateMessage, SetWindowTextW, SetWindowPos, PostQuitMessage, SetWindowLongW, GetWindowLongW |
GDI32.dll | SetDIBitsToDevice, StretchBlt, BitBlt, CreateFontIndirectW, GetStockObject, GetObjectW, SelectObject, CreateBitmap, CreateCompatibleDC, GetDeviceCaps, StretchDIBits |
gdiplus.dll | GdipDeleteGraphics, GdipDeleteBrush, GdipDrawImageRectI, GdipFillRectangleI, GdipCreateSolidFill, GdipCreateFromHDC, GdipGetImageWidth, GdipLoadImageFromStream, GdiplusShutdown, GdiplusStartup, GdipDisposeImage, GdipGetImageHeight |
SHLWAPI.dll | StrCpyW, AssocQueryStringW, PathCreateFromUrlW |
COMCTL32.dll | InitCommonControlsEx |
COMDLG32.dll | GetSaveFileNameW |
ADVAPI32.dll | GetNamedSecurityInfoW, SetNamedSecurityInfoW, AdjustTokenPrivileges, LookupPrivilegeValueW, CopySid, GetLengthSid, GetTokenInformation, OpenProcessToken, RegEnumKeyExW, RegQueryInfoKeyW, RegSetValueExW, RegCreateKeyExW, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, CryptGenRandom, CryptGetHashParam, CryptDestroyHash, CryptHashData, CryptReleaseContext, CryptCreateHash, CryptAcquireContextW, EqualSid |
SHELL32.dll | ShellExecuteW, SHOpenFolderAndSelectItems, SHGetFolderPathW |
ole32.dll | OleSetContainedObject, OleCreate, CoSetProxyBlanket, CoTaskMemFree, GetHGlobalFromStream, CreateStreamOnHGlobal, CoUninitialize, CoCreateInstance, CoInitializeEx, OleLockRunning |
OLEAUT32.dll | VariantClear, VariantInit, SysFreeString, SysAllocString |
WININET.dll | HttpOpenRequestW, HttpSendRequestW, InternetQueryOptionW, InternetCloseHandle, HttpQueryInfoW, InternetReadFile, InternetConnectW, InternetSetOptionW, InternetOpenW, HttpQueryInfoA |
POWRPROF.dll | CallNtPowerInformation |
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW |
PSAPI.DLL | GetProcessImageFileNameW |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Russian | Russia | |
English | United States |
Target ID: | 0 |
Start time: | 19:31:37 |
Start date: | 22/05/2024 |
Path: | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 386'048 bytes |
MD5 hash: | 98CC7DD8EEEAF079B8E8F650D847525F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 4 |
Start time: | 19:31:37 |
Start date: | 22/05/2024 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x520000 |
File size: | 483'680 bytes |
MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Execution Graph
Execution Coverage: | 0.6% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 1% |
Total number of Nodes: | 205 |
Total number of Limit Nodes: | 7 |
Graph
Function 0041978C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 47COMMONLIBRARYCODE
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00415791 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00419C2C Relevance: 1.5, APIs: 1, Instructions: 8COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043259A Relevance: 212.9, APIs: 48, Strings: 72, Instructions: 2861threadCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042EADB Relevance: 86.3, APIs: 15, Strings: 33, Instructions: 2324windowCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042CD5C Relevance: 63.3, APIs: 14, Strings: 21, Instructions: 2013windowtimeCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00430E1A Relevance: 55.7, APIs: 5, Strings: 26, Instructions: 1459sleepCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042B78D Relevance: 51.4, APIs: 19, Strings: 10, Instructions: 682windowCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00436131 Relevance: 45.9, APIs: 17, Strings: 9, Instructions: 373networkfilesynchronizationCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00429751 Relevance: 33.5, APIs: 10, Strings: 9, Instructions: 251memorylibrarythreadCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004351F9 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 180fileCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00425835 Relevance: 28.7, APIs: 19, Instructions: 242encryptionfileCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00426865 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 449stringCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00426181 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 330comCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043A8D8 Relevance: 12.7, Strings: 10, Instructions: 176COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00410F21 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58COMMONLIBRARYCODE
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042C16E Relevance: 7.6, APIs: 5, Instructions: 78, Tags: file, COMMON
Function 004230F3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26, Tags: libraryloader, COMMON
Function 00423319 Relevance: 6.0, APIs: 4, Instructions: 48, Tags: COMMON
Function 00438D35 Relevance: 4.7, APIs: 3, Instructions: 168, Tags: COMMON
Function 00428340 Relevance: 3.1, APIs: 2, Instructions: 83, Tags: COMMON
Function 00429737 Relevance: 3.0, APIs: 2, Instructions: 7, Tags: COMMON
Function 0043B409 Relevance: 1.8, Strings: 1, Instructions: 506, Tags: COMMON
Function 00417277 Relevance: 1.5, APIs: 1, Instructions: 4, Tags: COMMON
Function 0040F730 Relevance: 0.9, Instructions: 915, Tags: COMMON
Function 00444440 Relevance: 0.1, Instructions: 104, Tags: COMMON
Function 004120E0 Relevance: 0.1, Instructions: 76, Tags: COMMON
Function 00422F0E Relevance: 0.0, Instructions: 40, Tags: COMMON
Function 00436A86 Relevance: 38.9, APIs: 17, Strings: 5, Instructions: 435, Tags: network, COMMON
Function 004254D1 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 102, Tags: window, registry, library, COMMON
Function 004289FB Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 230, Tags: process, COMMON
Function 00428420 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 245, Tags: file, COMMON
Function 00414F1C Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 57, Tags: libraryloader, COMMON, LIBRARYCODE
Function 004293A0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 139, Tags: file, COMMON
Function 004291A8 Relevance: 15.2, APIs: 10, Instructions: 178, Tags: file, COMMON
Function 00437B48 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 130, Tags: process, COMMON
Function 0040C280 Relevance: 13.9, APIs: 9, Instructions: 404, Tags: COMMON
Function 00428713 Relevance: 13.7, APIs: 9, Instructions: 156, Tags: file, COMMON
Function 00422D7C Relevance: 13.6, APIs: 9, Instructions: 82, Tags: COMMON
Function 00422B07 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43, Tags: registry, COMMON
Function 00422CA9 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 41, Tags: libraryloader, COMMON
Function 0042B022 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 125, Tags: sleep, COMMON
Function 00424152 Relevance: 10.6, APIs: 7, Instructions: 67, Tags: COMMON
Function 00429621 Relevance: 9.1, APIs: 6, Instructions: 91, Tags: COMMON
Function 00423391 Relevance: 9.1, APIs: 6, Instructions: 72, Tags: COMMON
Function 0042379B Relevance: 9.1, APIs: 6, Instructions: 55, Tags: file, synchronization, COMMON
Function 0042B2FB Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 302, Tags: thread, COMMON
Function 00429DFB Relevance: 9.0, APIs: 6, Instructions: 50, Tags: COMMON
Function 00423144 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29, Tags: libraryloader, COMMON
Function 0042533E Relevance: 7.6, APIs: 5, Instructions: 138, Tags: COMMON
Function 0042B658 Relevance: 7.6, APIs: 5, Instructions: 89, Tags: window, COMMON
Function 00423206 Relevance: 7.6, APIs: 5, Instructions: 64, Tags: thread, synchronization, COMMON
Function 0042329B Relevance: 7.6, APIs: 5, Instructions: 56, Tags: COMMON
Function 0043CD9A Relevance: 7.6, APIs: 5, Instructions: 56, Tags: COMMON
Function 00425CFC Relevance: 7.5, APIs: 5, Instructions: 44, Tags: thread, COMMON
Function 00429EDF Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 171, Tags: window, COMMON
Function 004128FE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112, Tags: COMMON, LIBRARYCODE
Function 00413F2E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42, Tags: COMMON, LIBRARYCODE
Function 0041B35A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38, Tags: libraryloader, COMMON, LIBRARYCODE
Function 00422D23 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33, Tags: sleep, file, COMMON
Function 0042A4CB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25, Tags: sleep, window, COMMON
Function 00410C76 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16, Tags: COMMON, LIBRARYCODE
Function 0042511D Relevance: 6.2, APIs: 4, Instructions: 193, Tags: COMMON
Function 0040F210 Relevance: 6.1, APIs: 4, Instructions: 138, Tags: COMMON
Function 0040F380 Relevance: 6.1, APIs: 4, Instructions: 138, Tags: COMMON
Function 00437CD8 Relevance: 6.1, APIs: 4, Instructions: 95, Tags: sleep, synchronization, COMMON
Function 00422831 Relevance: 6.0, APIs: 4, Instructions: 42, Tags: window, COMMON
Function 00429B6D Relevance: 6.0, APIs: 4, Instructions: 41, Tags: window, COMMON
Function 004238CE Relevance: 6.0, APIs: 4, Instructions: 24, Tags: thread, COMMON
Function 00417FF4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107, Tags: COMMON, LIBRARYCODE
Function 00413CA7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37, Tags: COMMON, LIBRARYCODE
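The function listing above gives, for every function Joe Sandbox recovered from the sample, a relevance score, API and string counts, an instruction count and capability badges (network, registry, process, libraryloader, LIBRARYCODE and so on). A practitioner's first pass over a report like this is to rank those functions and open the capability-tagged, non-library ones first in IDA. The script below is an added example and is not part of the Joe Sandbox report or of Joe Sandbox's own tooling: it parses the listing either as it appears on this extracted page, where the badges are fused onto the instruction count (for example "Instructions: 102windowregistrylibraryCOMMON"), or in a cleaned "Instructions: 102, Tags: window, registry, library, COMMON" form, splits fused badges by longest match over a tag vocabulary, and ranks the result. The tag vocabulary is an assumption taken from the badges visible on this page (the real Joe Sandbox tag set is larger), the "interesting" tag set in `triage` is the author's choice, and the sample lines are copied from the listing above with one table-residue line added to show that it is skipped.

```python
import re
from dataclasses import dataclass

# Badge vocabulary assumed from the tags visible in this report (the real Joe Sandbox
# tag set is larger). Sorted longest-first so greedy matching prefers "libraryloader"
# over "library" and never splits "synchronization" into shorter pieces.
TAG_VOCAB = sorted(
    ["COMMON", "LIBRARYCODE", "libraryloader", "library", "encryption",
     "synchronization", "network", "registry", "process", "window", "thread",
     "string", "sleep", "file", "com"],
    key=len, reverse=True,
)

# Accepts both the fused form from the extracted page ("Instructions: 102windowregistry...")
# and a cleaned "Instructions: 102, Tags: window, registry, ..." form.
LINE_RE = re.compile(
    r"Function (?P<addr>[0-9A-Fa-f]{8}) Relevance: (?P<rel>\d*\.\d+|\d+)"
    r"(?:, APIs: (?P<apis>\d+))?(?:, Strings: (?P<strings>\d+))?"
    r", Instructions: (?P<instr>\d+)"
    r"(?:, Tags: (?P<taglist>.+)|(?P<fused>[A-Za-z]*))$"
)


@dataclass
class FunctionEntry:
    address: int
    relevance: float
    apis: int
    strings: int
    instructions: int
    tags: list
    unparsed: str = ""  # badge text outside TAG_VOCAB, kept for manual review

    @property
    def addr(self) -> str:
        return f"{self.address:08X}"


def split_tags(fused: str):
    """Greedy longest-match split of a fused badge string such as 'windowregistrylibraryCOMMON'.
    Returns (tags, leftover); leftover is non-empty when text outside TAG_VOCAB is hit."""
    tags, rest = [], fused
    while rest:
        for tag in TAG_VOCAB:
            if rest.startswith(tag):
                tags.append(tag)
                rest = rest[len(tag):]
                break
        else:
            return tags, rest
    return tags, ""


def parse_listing(text: str):
    """Parse 'Function ... Relevance: ...' lines; table residue and other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if m.group("taglist") is not None:
            tags, leftover = [t.strip() for t in m.group("taglist").split(",")], ""
        else:
            tags, leftover = split_tags(m.group("fused") or "")
        entries.append(FunctionEntry(
            address=int(m.group("addr"), 16),
            relevance=float(m.group("rel")),
            apis=int(m.group("apis") or 0),
            strings=int(m.group("strings") or 0),
            instructions=int(m.group("instr")),
            tags=tags,
            unparsed=leftover,
        ))
    return entries


def triage(entries, interesting=("network", "registry", "process", "libraryloader", "encryption")):
    """Functions to open first: capability-tagged, not flagged as library code, highest relevance first."""
    picked = [e for e in entries
              if "LIBRARYCODE" not in e.tags and any(t in e.tags for t in interesting)]
    return sorted(picked, key=lambda e: e.relevance, reverse=True)


# Constructed sample: lines copied from the listing in this report, plus one residue line.
SAMPLE = """\
Function 00436A86 Relevance: 38.9, APIs: 17, Strings: 5, Instructions: 435networkCOMMON
Function 004351F9 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 180fileCOMMON
Function 00425835 Relevance: 28.7, APIs: 19, Instructions: 242encryptionfileCOMMON
Function 004254D1 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 102windowregistrylibraryCOMMON
Function 004289FB Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 230processCOMMON
Function 00414F1C Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 57libraryloaderCOMMONLIBRARYCODE
Function 0043A8D8 Relevance: 12.7, Strings: 10, Instructions: 176COMMON
Function 00422B07 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43registryCOMMON
Function 0040F730 Relevance: .9, Instructions: 915COMMON
APIs |
"""

if __name__ == "__main__":
    for e in triage(parse_listing(SAMPLE)):
        print(f"{e.addr}  relevance={e.relevance:5.1f}  apis={e.apis:2d}  tags={','.join(e.tags)}")
```

Run on the sample, the ranking puts the network function 00436A86 first, then the encryption, registry and process functions, and drops 00414F1C despite its libraryloader badge because it is also flagged LIBRARYCODE (statically linked runtime code, not worth the reverser's first hour). Any badge text the vocabulary does not know ends up in `unparsed` rather than being silently discarded, which is the check to look at before trusting the tag split on a report whose badges you have not seen before.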