Edit tour
Windows
Analysis Report
vm-uw.exe
Overview
General Information
| Sample name: | vm-uw.exe |
| Analysis ID: | 1455404 |
| MD5: | 78c6129bfd81f88cfb7171caf2d386a1 |
| SHA1: | f626224572dea0bc2983e3b3986bd1c1af5533ce |
| SHA256: | aa1ad7c508d497292d1e017b946cc381be204bd641543bcf584da286eb6f685f |
| Tags: | exetrojan |
| Infos: |  |
 | |
Detection
| Score: | 96 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Potentially malicious time measurement code found
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Modifies existing windows services
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Process Start Locations
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Classification
- System is w10x64
vm-uw.exe (PID: 6688 cmdline:
"C:\Users\ user\Deskt op\vm-uw.e xe" MD5: 78C6129BFD81F88CFB7171CAF2D386A1) 
cmd.exe (PID: 5308 cmdline: C:\Windows \system32\ cmd.exe /c ""C:\Wind ows\Fonts\ systkm32\v v.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 6428 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
mode.com (PID: 5272 cmdline: mode con: cols=16 li nes=2 MD5: FB615848338231CEBC16E32A3035C3F8) - PING.EXE (PID: 5252 cmdline:
ping 127.0 .0.1 MD5: B3624DD758CCECF93A1226CEF252CA12) - csrss.exe (PID: 2832 cmdline:
C:\Windows \Fonts\sys tkm32\csrs s.exe WMPN etworkSxc C:\Windows \Fonts\sys tkm32\svch ost.exe MD5: C43D1B84143FB2561F22E1A2C8FACF53) - PING.EXE (PID: 7068 cmdline:
ping 127.0 .0.1 MD5: B3624DD758CCECF93A1226CEF252CA12) - reg.exe (PID: 6780 cmdline:
reg add HK EY_LOCAL_M ACHINE\SYS TEM\Curren tControlSe t\Services \WMPNetwor kSxc /v De scription /d "Shares Windows M edia Playe r librarie s to other networked players a nd media d evices usi ng Univers al Plug an d Play." / t reg_sz / f MD5: CDD462E86EC0F20DE2A1D781928B1B0C) - reg.exe (PID: 616 cmdline:
reg add HK EY_LOCAL_M ACHINE\SYS TEM\Curren tControlSe t\Services \WMPNetwor kSxc /v Di splayName /d "Window s Media Pl ayer Netwo rk Sharing Service." /t reg_sz /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C) - reg.exe (PID: 4868 cmdline:
reg add HK EY_LOCAL_M ACHINE\SYS TEM\Curren tControlSe t\Services \WMPNetwor kSxc\Param eters MD5: CDD462E86EC0F20DE2A1D781928B1B0C) - reg.exe (PID: 5960 cmdline:
reg add HK EY_LOCAL_M ACHINE\SYS TEM\Curren tControlSe t\Services \WMPNetwor kSxc\Param eters /v A ppDirector y /d "C:\W indows\Fon ts\systkm3 2" /t reg_ sz /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C) - reg.exe (PID: 5712 cmdline:
reg add HK EY_LOCAL_M ACHINE\SYS TEM\Curren tControlSe t\Services \WMPNetwor kSxc\Param eters /v A pplication /d ""C:\P rogram Fil es (x86)\V Mware\VMwa re Worksta tion\vmwar e.exe" -x "C:\Window s\Logs\ubu \3333.vmx" " /t reg_s z /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C) - PING.EXE (PID: 4052 cmdline:
ping 127.0 .0.1 MD5: B3624DD758CCECF93A1226CEF252CA12) - sc.exe (PID: 4040 cmdline:
sc start W MPNetworkS xc MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8) - PING.EXE (PID: 6808 cmdline:
ping 127.0 .0.1 MD5: B3624DD758CCECF93A1226CEF252CA12) - regini.exe (PID: 6748 cmdline:
regini 1.i ni MD5: C99C3BB423097FCF4990539FC1ED60E3) - cmd.exe (PID: 2012 cmdline:
"C:\Window s\system32 \cmd.exe" /c "C:\Use rs\user\Ap pData\Loca l\Temp\HZ~ F6EC.tmp.b at" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 1808 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - PING.EXE (PID: 1404 cmdline:
ping 127.0 .0.1 -n 2 MD5: B3624DD758CCECF93A1226CEF252CA12)
- svchost.exe (PID: 5544 cmdline:
C:\Windows \Fonts\sys tkm32\svch ost.exe MD5: 4635935FC972C582632BF45C26BFCB0E)
- svchost.exe (PID: 7060 cmdline:
C:\Windows \System32\ svchost.ex e -k Local Service -p -s Licens eManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
⊘No configs have been found
⊘No yara matches
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems), Tim Shelton: | ||
| Source: | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: David Burkett, @signalblur: | ||
| Source: | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: | ||
| Source: | Author: juju4, Jonhnathan Ribeiro, oscd.community: | ||
| Source: | Author: vburov: | ||
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira: | ||
| Source: | ReversingLabs: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_00224F98 | |
Networking | |
|---|
| Source: | Process created: | ||
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 9_2_00401070 | |
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Code function: | 0_2_0020F8DE | |
| Source: | Code function: | 0_2_001F7C90 | |
| Source: | Code function: | 0_2_001E1000 | |
| Source: | Code function: | 0_2_002130A0 | |
| Source: | Code function: | 0_2_001FA160 | |
| Source: | Code function: | 0_2_0022720E | |
| Source: | Code function: | 0_2_00205306 | |
| Source: | Code function: | 0_2_002175E5 | |
| Source: | Code function: | 0_2_001EC600 | |
| Source: | Code function: | 0_2_0022C6B9 | |
| Source: | Code function: | 0_2_0022B6BC | |
| Source: | Code function: | 0_2_001EE680 | |
| Source: | Code function: | 0_2_001F68C0 | |
| Source: | Code function: | 0_2_00215958 | |
| Source: | Code function: | 0_2_002189EC | |
| Source: | Code function: | 0_2_00217ADE | |
| Source: | Code function: | 0_2_001E3B7E | |
| Source: | Code function: | 0_2_0022DB44 | |
| Source: | Code function: | 0_2_00218BEC | |
| Source: | Code function: | 0_2_0022DBFE | |
| Source: | Code function: | 0_2_0020DC0C | |
| Source: | Code function: | 0_2_001F2C50 | |
| Source: | Code function: | 0_2_00217C58 | |
| Source: | Code function: | 0_2_0021FC5D | |
| Source: | Code function: | 0_2_0022DD1B | |
| Source: | Code function: | 0_2_00226D60 | |
| Source: | Code function: | 0_2_001F3D50 | |
| Source: | Code function: | 0_2_00218D8D | |
| Source: | Code function: | 0_2_001F8F60 | |
| Source: | Code function: | 18_2_01001493 | |
| Source: | Dropped File: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Process created: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_001F3F50 | |
| Source: | Code function: | 9_2_00401000 | |
| Source: | Code function: | 0_2_001E2777 | |
| Source: | Code function: | 18_2_01001D2C | |
| Source: | Code function: | 18_2_01001D2C | |
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Static PE information: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | File written: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_001E51C0 | |
| Source: | Code function: | 0_2_0021BDC9 | |
| Source: | Code function: | 0_2_0022BE76 | |
| Source: | Code function: | 0_2_0022BE76 | |
| Source: | Code function: | 18_2_010021F4 | |
| Source: | Code function: | 18_2_0100221C | |
| Source: | Code function: | 18_2_0100226B | |
Persistence and Installation Behavior | |
|---|
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | Executable created and started: | Jump to behavior | ||
| Source: | Executable created and started: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | Registry key created: | Jump to behavior | ||
| Source: | Registry key value modified: | Jump to behavior | ||
| Source: | Code function: | 18_2_01001D2C | |
| Source: | Process created: | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_001E18A0 | |
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Code function: | 0_2_00224F98 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
Anti Debugging | |
|---|
| Source: | Code function: | 0_2_001E1A90 | |
| Source: | Code function: | 0_2_001E1B00 | |
| Source: | Code function: | 0_2_001E18A0 | |
| Source: | Code function: | 0_2_0021BB7B | |
| Source: | Code function: | 0_2_001E51C0 | |
| Source: | Code function: | 0_2_002217B3 | |
| Source: | Code function: | 0_2_00225C60 | |
| Source: | Code function: | 0_2_0021BB7B | |
| Source: | Code function: | 0_2_0021BD0E | |
| Source: | Code function: | 0_2_0021AFAC | |
| Source: | Code function: | 0_2_0021EF9A | |
| Source: | Code function: | 18_2_0100229A | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_001E16C0 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_0022450B | |
| Source: | Code function: | 0_2_002189EC | |
| Source: | Code function: | 0_2_001E1CE0 | |
| Source: | Code function: | 0_2_001E1D80 | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | 1 Scripting | Valid Accounts | 1 Command and Scripting Interpreter | 34 Windows Service | 34 Windows Service | 22 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 13 Service Execution | 1 Scripting | 11 Process Injection | 1 Modify Registry | LSASS Memory | 31 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Process Injection | Security Account Manager | 1 Remote System Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 1 System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 3 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 23 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 71% | ReversingLabs | Win32.Trojan.Zusy | ||
| 100% | Avira | TR/Reconyc.cciah |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | ReversingLabs | |||
| 0% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe |
⊘No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|
| IP |
|---|
| 127.0.0.1 |
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1455404 |
| Start date and time: | 2024-06-11 19:42:06 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 43s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 24 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | vm-uw.exe |
| Detection: | MAL |
| Classification: | mal96.troj.evad.winEXE@38/6@0/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: vm-uw.exe
⊘No simulations
⊘No context
⊘No context
⊘No context
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| C:\Windows\Fonts\systkm32\csrss.exe | Get hash | malicious | Unknown | Browse | ||
| Get hash | malicious | Unknown | Browse | |||
| C:\Windows\Fonts\systkm32\svchost.exe | Get hash | malicious | Unknown | Browse | ||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Young Lotus | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Xmrig | Browse | |||
| Get hash | malicious | ETERNALBLUE GhostRat Xmrig | Browse |
| Process: | C:\Users\user\Desktop\vm-uw.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 132 |
| Entropy (8bit): | 4.717649701325578 |
| Encrypted: | false |
| SSDEEP: | 3:CxK6OWR2N2+WTKCXBALW9VCSLVLx695ON2+WTKC8m:CxBR2N2RGo3CSLpA9IN2RG7m |
| MD5: | 620ACF8E7B2F70716670A63E0385328C |
| SHA1: | 174A65757E136944AF23DC3D02ADBAB3BEC35F0F |
| SHA-256: | 2D5B93EACBB86909B2ED55D5A7C2CF2AF4C392A633342EEA3890A3A9AA9EB1C0 |
| SHA-512: | C4CF92493798C25C945BA8377F450444473804619F5C8151096F10F75A03802CBE5E7EF3AC1D36DD24C8ADB4DEF781BC07FFA32EFD217513765B173EF1186962 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\cmd.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 74 |
| Entropy (8bit): | 4.978458988199209 |
| Encrypted: | false |
| SSDEEP: | 3:aCdgLCgT/K/TvvKXO2EF+F4cn:mLC6/KbKXO2E8n |
| MD5: | 33568E8BAAB39EF9097F9B78FE231FB1 |
| SHA1: | 45C01839B0AFEF46EBFB4A884AB3FF24EF6ECD49 |
| SHA-256: | E5C492B214D845AF45727327E9AECACBD9632D1AA6DCFB0308ABCDB18CA4D5E8 |
| SHA-512: | F6F432C0ACED10FB60AA148939EC9EFA7830B98EAF8B4B93C16DC74E9955D712056F4462F93D668CFD4D9B7FF2CAB1A823F918EC0B4261F40933075F9A16C2DE |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\vm-uw.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 18432 |
| Entropy (8bit): | 5.536012760236597 |
| Encrypted: | false |
| SSDEEP: | 384:tD7x2ARjcLagJm8lGJ3BY+SpzV5hdfjWNwG:5hRjyppV+8dYwG |
| MD5: | C43D1B84143FB2561F22E1A2C8FACF53 |
| SHA1: | 3F1357007F61F02F97F0AAABB8756C6ECA2ACEBD |
| SHA-256: | BBF4C224F9861B2C1F5A1364EE71E38728495B2709621763053B979BA88522F1 |
| SHA-512: | 27A25AB6045498E0B7131BE58556C685DFA01596675C3AF689E61D8329E1A0EFF4128C57E202C32C69271B84F57E7425C45FB5FA132EC0F5B352F86323FFA13E |
| Malicious: | true |
| Antivirus: |
|
| Joe Sandbox View: | |
| Preview: |
| Process: | C:\Users\user\Desktop\vm-uw.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8192 |
| Entropy (8bit): | 5.259110186515502 |
| Encrypted: | false |
| SSDEEP: | 96:8ldfxd/yKaP64DMI1XT3kaiyMlH38ZldnXFADkYLyAFdfcdTbGu00C:mSP64DMI1DkHMZ36kYLxFdfcdnGu00C |
| MD5: | 4635935FC972C582632BF45C26BFCB0E |
| SHA1: | 7C5329229042535FE56E74F1F246C6DA8CEA3BE8 |
| SHA-256: | ABD4AFD71B3C2BD3F741BBE3CEC52C4FA63AC78D353101D2E7DC4DE2725D1CA1 |
| SHA-512: | 167503133B5A0EBD9F8B2971BCA120E902497EB21542D6A1F94E52AE8E5B6BDE1E4CAE1A2C905870A00D772E0DF35F808701E2CFBD26DCBB130A5573FA590060 |
| Malicious: | false |
| Antivirus: |
|
| Joe Sandbox View: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\vm-uw.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1152 |
| Entropy (8bit): | 5.3887292706534735 |
| Encrypted: | false |
| SSDEEP: | 24:e8J5DnVZ6c3Y02M6bZAcalIAI72M6MRMJMAI72M6oB2M6oQGQEOI72M6oh1EAI0f:t5D+co0c1AP8cMRe8cMcYO8cI1EAZ0Tg |
| MD5: | ED936FD33024AC753E8E7BE6B4C39F69 |
| SHA1: | 2A9329EDEC6273CB30DFD420BDE80A4E7675FFC7 |
| SHA-256: | 038A41E1CC19BF3833333DC8997B633CF33500A13C373593408E3416447B8553 |
| SHA-512: | 60C95EB51C5DEDE283581BADF970B6722013A7CB3CED4716DCC74674FDD9B75227300DB0EDB8F70DC5C760D4BB8313BEA1F9403BCE2A5B9AC9BBCD10214F6D3F |
| Malicious: | true |
| Preview: |
| Process: | C:\Windows\Fonts\systkm32\csrss.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 181 |
| Entropy (8bit): | 4.448922834861267 |
| Encrypted: | false |
| SSDEEP: | 3:CmXhmnXjzDZAeKXO2E77Qyd45QnBX9jgDKVgjoH/XS1FmAsoWROn:CmRmnXjP+VXO2E77/64guVJ/XSeAsLRO |
| MD5: | 56A963BDFAA124C4D00843552370D1FE |
| SHA1: | 66ED31AD816394CF07C7D8330C3E60927170BABD |
| SHA-256: | 1AFA092248E35494CD5153C9744494C51BF93B44BDCB38C5CAFE5B4FF88F8902 |
| SHA-512: | 239CA8D84138FA11F8F9E74DFE8B14A2645A87D75EFC4CB495538876E5304464DCCD36DF610288C637587E7B6DB8FF4A8A91F57FA1FE71BFAF6B289A91DDB455 |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.48742080673987 |
| TrID: |
|
| File name: | vm-uw.exe |
| File size: | 580'475 bytes |
| MD5: | 78c6129bfd81f88cfb7171caf2d386a1 |
| SHA1: | f626224572dea0bc2983e3b3986bd1c1af5533ce |
| SHA256: | aa1ad7c508d497292d1e017b946cc381be204bd641543bcf584da286eb6f685f |
| SHA512: | 38d0f61a25f015ad149765ced45ab81591ec02f9fe290c1560db9f53f9b7e6edc371eaebbcc54156006e63fe323b976bf560b9db69328f5ffe0fd9b734a9717b |
| SSDEEP: | 12288:LQM9bROJmafSPZDz7qElw2KxPo0q7qzC9b/uEvtHKYTsviIR8Cufe9ZqQwExr//R:Ld9Mrf7iaNVxowGT/M |
| TLSH: | 21C47C31B7A2C0B5C26D41301FA8EAB655AD7F244F610AE777C87E1A29F04E06635F36 |
| File Content Preview: | MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........:.>T[.mT[.mT[.m...mY[.m...m.[.m...mN[.mT[.mV[.m.2.lW[.m.3.lF[.m.3.lL[.m.3.lz[.m.2.lU[.m]#|mP[.m]#lmE[.mT[.m.[.m.2.l.[.m.2.mU[. |
 | |
| Icon Hash: | db3b74597872391b |
| Entrypoint: | 0x43b6f1 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x618DE39C [Fri Nov 12 03:46:36 2021 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 1 |
| File Version Major: | 5 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 1 |
| Import Hash: | eec4c9510d1f15621b464022e8c2d408 |
| Instruction |
|---|
| call 00007FD3BCED83E7h |
| jmp 00007FD3BCED7B3Fh |
| call 00007FD3BCED7CE7h |
| push 00000000h |
| call 00007FD3BCED7878h |
| pop ecx |
| test al, al |
| je 00007FD3BCED7CD0h |
| push 0043B811h |
| call 00007FD3BCED7A22h |
| pop ecx |
| xor eax, eax |
| ret |
| push 00000007h |
| call 00007FD3BCED811Fh |
| int3 |
| push ebp |
| mov ebp, esp |
| push FFFFFFFFh |
| push 0044F522h |
| mov eax, dword ptr fs:[00000000h] |
| push eax |
| push ebx |
| push esi |
| push edi |
| mov eax, dword ptr [0046600Ch] |
| xor eax, ebp |
| push eax |
| lea eax, dword ptr [ebp-0Ch] |
| mov dword ptr fs:[00000000h], eax |
| push 00000FA0h |
| push 00469220h |
| call dword ptr [00450044h] |
| push 004503D0h |
| call dword ptr [0045003Ch] |
| mov esi, eax |
| test esi, esi |
| jne 00007FD3BCED7CD7h |
| push 0045A754h |
| call dword ptr [0045003Ch] |
| mov esi, eax |
| test esi, esi |
| je 00007FD3BCED7D52h |
| push 00450414h |
| push esi |
| call dword ptr [0045002Ch] |
| push 00450430h |
| push esi |
| mov ebx, eax |
| call dword ptr [0045002Ch] |
| push 0045044Ch |
| push esi |
| mov edi, eax |
| call dword ptr [0045002Ch] |
| mov esi, eax |
| test ebx, ebx |
| je 00007FD3BCED7CFAh |
| test edi, edi |
| je 00007FD3BCED7CF6h |
| test esi, esi |
| je 00007FD3BCED7CF2h |
| and dword ptr [0046923Ch], 00000000h |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6498c | 0x8c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6f000 | 0x1e274 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8e000 | 0x4e94 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x5cf70 | 0x70 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x5d080 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x5cfe0 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x50000 | 0x284 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x4e8db | 0x4ea00 | 7296a174c97dde3447454c549f28ba89 | False | 0.5489554352146264 | data | 6.653917614698595 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x50000 | 0x157de | 0x15800 | 267d5b7a634664da1012e9aa48c96ae2 | False | 0.4493095930232558 | data | 5.3004440169135085 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x66000 | 0x86c0 | 0x3000 | 548ea8cc9f1d41ead8891532908d09c7 | False | 0.18123372395833334 | DOS executable (block device driver \277DN\346@\273) | 4.487709554306666 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x6f000 | 0x1e274 | 0x1e400 | 020fad0e6b278437adb11a930d31859a | False | 0.3044211647727273 | data | 5.185160331800087 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x8e000 | 0x4e94 | 0x5000 | 0f982d8863b6d552c167374e2ffd1f4b | False | 0.58095703125 | data | 6.458158429451074 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_BITMAP | 0x70b10 | 0x405e | Device independent bitmap graphic, 93 x 280 x 8, 1 compression, image size 15414, resolution 2834 x 2834 px/m | Chinese | China | 0.7535501881296274 |
| RT_ICON | 0x74b70 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | Chinese | China | 0.08867837338262477 |
| RT_ICON | 0x79ff8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | Chinese | China | 0.09529995276334435 |
| RT_ICON | 0x7e220 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Chinese | China | 0.12551867219917012 |
| RT_ICON | 0x807c8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Chinese | China | 0.1775328330206379 |
| RT_ICON | 0x81870 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Chinese | China | 0.14590163934426228 |
| RT_ICON | 0x821f8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Chinese | China | 0.1799645390070922 |
| RT_DIALOG | 0x82660 | 0x1dc | data | Chinese | China | 0.5903361344537815 |
| RT_DIALOG | 0x8283c | 0x2f6 | data | Chinese | China | 0.449868073878628 |
| RT_DIALOG | 0x82b34 | 0x150 | data | Chinese | China | 0.6398809523809523 |
| RT_STRING | 0x82c84 | 0x52 | Matlab v4 mat-file (little endian) h, numeric, rows 0, columns 0 | Chinese | China | 0.7195121951219512 |
| RT_STRING | 0x82cd8 | 0x1b4 | data | Chinese | China | 0.7224770642201835 |
| RT_STRING | 0x82e8c | 0x176 | data | Chinese | China | 0.6417112299465241 |
| RT_STRING | 0x83004 | 0x104 | data | Chinese | China | 0.8115384615384615 |
| RT_STRING | 0x83108 | 0xc8 | data | Chinese | China | 0.75 |
| RT_STRING | 0x831d0 | 0xb8 | data | Chinese | China | 0.8695652173913043 |
| RT_STRING | 0x83288 | 0xc4 | data | Chinese | China | 0.8877551020408163 |
| RT_STRING | 0x8334c | 0x148 | data | Chinese | China | 0.774390243902439 |
| RT_STRING | 0x83494 | 0x1ae | data | Chinese | China | 0.7023255813953488 |
| RT_STRING | 0x83644 | 0x11a | data | Chinese | China | 0.7269503546099291 |
| RT_STRING | 0x83760 | 0xaa | data | Chinese | China | 0.8588235294117647 |
| RT_STRING | 0x8380c | 0x22e | data | Chinese | China | 0.7795698924731183 |
| RT_STRING | 0x83a3c | 0x92 | data | Chinese | China | 0.8424657534246576 |
| RT_STRING | 0x83ad0 | 0x1b0 | data | Chinese | China | 0.7453703703703703 |
| RT_STRING | 0x83c80 | 0x10a | data | Chinese | China | 0.793233082706767 |
| RT_STRING | 0x83d8c | 0x1aa | data | Chinese | China | 0.8004694835680751 |
| RT_STRING | 0x83f38 | 0x12c | data | Chinese | China | 0.8333333333333334 |
| RT_STRING | 0x84064 | 0x170 | data | Chinese | China | 0.6847826086956522 |
| RT_STRING | 0x841d4 | 0x98 | data | Chinese | China | 0.5723684210526315 |
| RT_STRING | 0x8426c | 0x124 | data | Chinese | China | 0.6027397260273972 |
| RT_STRING | 0x84390 | 0x180 | data | Chinese | China | 0.8203125 |
| RT_STRING | 0x84510 | 0x258 | data | Chinese | China | 0.75 |
| RT_STRING | 0x84768 | 0x13c | data | Chinese | China | 0.7468354430379747 |
| RT_STRING | 0x848a4 | 0x336 | data | Chinese | China | 0.39659367396593675 |
| RT_STRING | 0x84bdc | 0x16c | data | Chinese | China | 0.6813186813186813 |
| RT_STRING | 0x84d48 | 0x19e | data | Chinese | China | 0.6714975845410628 |
| RT_STRING | 0x84ee8 | 0x1da | data | Chinese | China | 0.729957805907173 |
| RT_STRING | 0x850c4 | 0x72 | data | Chinese | China | 0.7631578947368421 |
| RT_STRING | 0x85138 | 0x104 | data | Chinese | China | 0.7692307692307693 |
| RT_STRING | 0x8523c | 0x150 | data | Chinese | China | 0.8184523809523809 |
| RT_STRING | 0x8538c | 0x154 | data | Chinese | China | 0.7088235294117647 |
| RT_STRING | 0x854e0 | 0xe2 | data | Chinese | China | 0.7168141592920354 |
| RT_STRING | 0x855c4 | 0x17a | data | Chinese | China | 0.6375661375661376 |
| RT_STRING | 0x85740 | 0x162 | data | Chinese | China | 0.7994350282485876 |
| RT_STRING | 0x858a4 | 0x144 | data | Chinese | China | 0.7067901234567902 |
| RT_STRING | 0x859e8 | 0xc4 | data | Chinese | China | 0.8469387755102041 |
| RT_STRING | 0x85aac | 0x118 | data | Chinese | China | 0.7607142857142857 |
| RT_STRING | 0x85bc4 | 0xbe | data | Chinese | China | 0.8210526315789474 |
| RT_STRING | 0x85c84 | 0x142 | data | Chinese | China | 0.6490683229813664 |
| RT_STRING | 0x85dc8 | 0xd6 | data | Chinese | China | 0.8878504672897196 |
| RT_STRING | 0x85ea0 | 0x54 | data | Chinese | China | 0.7738095238095238 |
| RT_STRING | 0x85ef4 | 0x1a4 | data | Chinese | China | 0.6761904761904762 |
| RT_STRING | 0x86098 | 0x152 | data | Chinese | China | 0.7396449704142012 |
| RT_STRING | 0x861ec | 0xfa | data | Chinese | China | 0.756 |
| RT_STRING | 0x862e8 | 0x134 | data | Chinese | China | 0.7012987012987013 |
| RT_STRING | 0x8641c | 0x144 | data | Chinese | China | 0.6820987654320988 |
| RT_STRING | 0x86560 | 0xf4 | data | Chinese | China | 0.7172131147540983 |
| RT_STRING | 0x86654 | 0x1dc | data | Chinese | China | 0.5063025210084033 |
| RT_STRING | 0x86830 | 0x1ca | data | Chinese | China | 0.4497816593886463 |
| RT_STRING | 0x869fc | 0x15e | data | Chinese | China | 0.6914285714285714 |
| RT_STRING | 0x86b5c | 0x13a | data | Chinese | China | 0.7420382165605095 |
| RT_STRING | 0x86c98 | 0x262 | data | Chinese | China | 0.5688524590163935 |
| RT_STRING | 0x86efc | 0x262 | data | Chinese | China | 0.6557377049180327 |
| RT_STRING | 0x87160 | 0x34 | data | Chinese | China | 0.6730769230769231 |
| RT_STRING | 0x87194 | 0x16e | data | Chinese | China | 0.7021857923497268 |
| RT_STRING | 0x87304 | 0x196 | data | Chinese | China | 0.6995073891625616 |
| RT_STRING | 0x8749c | 0x1fc | data | Chinese | China | 0.5590551181102362 |
| RT_STRING | 0x87698 | 0x28a | AmigaOS bitmap font "&Tnx\232[ Rd\226\376V\007h\032\377"", fc_YSize 13568, 12134 elements, 2nd "\213S\376V\007h1Y%\215\032\377\376V\007h\357\215\204_\362]\317~X[(W\014T", 3rd ":N\034 Kb\250R\364f\260e\035 \016T2" | Chinese | China | 0.703076923076923 |
| RT_STRING | 0x87924 | 0x17e | data | Chinese | China | 0.5916230366492147 |
| RT_STRING | 0x87aa4 | 0x24e | data | Chinese | China | 0.6237288135593221 |
| RT_STRING | 0x87cf4 | 0xac | data | Chinese | China | 0.9941860465116279 |
| RT_STRING | 0x87da0 | 0x15a | data | Chinese | China | 0.6502890173410405 |
| RT_STRING | 0x87efc | 0x136 | data | Chinese | China | 0.7258064516129032 |
| RT_STRING | 0x88034 | 0xec | data | Chinese | China | 0.6228813559322034 |
| RT_STRING | 0x88120 | 0x1b0 | data | Chinese | China | 0.5347222222222222 |
| RT_STRING | 0x882d0 | 0x198 | data | Chinese | China | 0.44362745098039214 |
| RT_STRING | 0x88468 | 0x150 | data | Chinese | China | 0.8125 |
| RT_STRING | 0x885b8 | 0xe8 | data | Chinese | China | 0.8060344827586207 |
| RT_STRING | 0x886a0 | 0xe4 | data | Chinese | China | 0.7719298245614035 |
| RT_STRING | 0x88784 | 0x124 | data | Chinese | China | 0.7397260273972602 |
| RT_STRING | 0x888a8 | 0x1d0 | data | Chinese | China | 0.6896551724137931 |
| RT_STRING | 0x88a78 | 0x184 | data | Chinese | China | 0.7860824742268041 |
| RT_STRING | 0x88bfc | 0x18a | data | Chinese | China | 0.7030456852791879 |
| RT_STRING | 0x88d88 | 0x11a | data | Chinese | China | 0.8404255319148937 |
| RT_STRING | 0x88ea4 | 0x12a | data | Chinese | China | 0.714765100671141 |
| RT_STRING | 0x88fd0 | 0x1e2 | data | Chinese | China | 0.7178423236514523 |
| RT_STRING | 0x891b4 | 0x1ac | data | Chinese | China | 0.6542056074766355 |
| RT_STRING | 0x89360 | 0x100 | data | Chinese | China | 0.9296875 |
| RT_STRING | 0x89460 | 0x18e | data | Chinese | China | 0.8190954773869347 |
| RT_STRING | 0x895f0 | 0x186 | AmigaOS bitmap font "~bW[&{\323~\234g ", fc_YSize 31074, 58727 elements | Chinese | China | 0.7205128205128205 |
| RT_STRING | 0x89778 | 0x122 | data | Chinese | China | 0.803448275862069 |
| RT_STRING | 0x8989c | 0x16e | data | Chinese | China | 0.6693989071038251 |
| RT_STRING | 0x89a0c | 0x198 | data | Chinese | China | 0.6887254901960784 |
| RT_STRING | 0x89ba4 | 0x40a | data | Chinese | China | 0.5667311411992263 |
| RT_STRING | 0x89fb0 | 0xe8 | data | Chinese | China | 0.8232758620689655 |
| RT_STRING | 0x8a098 | 0xd4 | data | Chinese | China | 0.7924528301886793 |
| RT_STRING | 0x8a16c | 0xdc | data | Chinese | China | 0.7863636363636364 |
| RT_STRING | 0x8a248 | 0x350 | data | Chinese | China | 0.714622641509434 |
| RT_STRING | 0x8a598 | 0x90 | data | Chinese | China | 0.6666666666666666 |
| RT_STRING | 0x8a628 | 0xda | Matlab v4 mat-file (little endian) \232[IN\006RwS\276\213n\177\014\377, numeric, rows 0, columns 0 | Chinese | China | 0.9495412844036697 |
| RT_STRING | 0x8a704 | 0x5c | AmigaOS bitmap font "\343\211\213S\013z\217^\275_\007h", 60033 elements | Chinese | China | 0.5869565217391305 |
| RT_STRING | 0x8a760 | 0x142 | data | Chinese | China | 0.8385093167701864 |
| RT_STRING | 0x8a8a4 | 0xd4 | data | Chinese | China | 0.6792452830188679 |
| RT_STRING | 0x8a978 | 0x2c | Matlab v4 mat-file (little endian) }Y\213S\236[(u\345]wQ, numeric, rows 0, columns 0 | Chinese | China | 0.6363636363636364 |
| RT_STRING | 0x8a9a4 | 0x84 | data | Chinese | China | 0.8257575757575758 |
| RT_STRING | 0x8aa28 | 0xc2 | data | Chinese | China | 0.8505154639175257 |
| RT_STRING | 0x8aaec | 0x232 | data | Chinese | China | 0.5907473309608541 |
| RT_STRING | 0x8ad20 | 0x38 | data | Chinese | China | 0.7321428571428571 |
| RT_STRING | 0x8ad58 | 0x5c | Matlab v4 mat-file (little endian) >f:y\346\213\306~\341Oo`\006, numeric, rows 0, columns 0 | Chinese | China | 0.6413043478260869 |
| RT_STRING | 0x8adb4 | 0xcc | data | Chinese | China | 0.8774509803921569 |
| RT_STRING | 0x8ae80 | 0x106 | data | Chinese | China | 0.7366412213740458 |
| RT_STRING | 0x8af88 | 0x9c | data | Chinese | China | 0.782051282051282 |
| RT_STRING | 0x8b024 | 0x11a | data | Chinese | China | 0.8014184397163121 |
| RT_STRING | 0x8b140 | 0x20c | data | Chinese | China | 0.5343511450381679 |
| RT_STRING | 0x8b34c | 0x1e2 | data | Chinese | China | 0.5622406639004149 |
| RT_STRING | 0x8b530 | 0x10e | data | Chinese | China | 0.837037037037037 |
| RT_STRING | 0x8b640 | 0x17c | data | Chinese | China | 0.5210526315789473 |
| RT_STRING | 0x8b7bc | 0x144 | data | Chinese | China | 0.6882716049382716 |
| RT_STRING | 0x8b900 | 0x88 | Matlab v4 mat-file (little endian) O, numeric, rows 0, columns 0 | Chinese | China | 0.5294117647058824 |
| RT_STRING | 0x8b988 | 0x146 | data | Chinese | China | 0.7699386503067485 |
| RT_STRING | 0x8bad0 | 0xd8 | data | Chinese | China | 0.8888888888888888 |
| RT_STRING | 0x8bba8 | 0xbe | data | Chinese | China | 0.8368421052631579 |
| RT_STRING | 0x8bc68 | 0x118 | data | Chinese | China | 0.8142857142857143 |
| RT_STRING | 0x8bd80 | 0x84 | data | Chinese | China | 0.8787878787878788 |
| RT_STRING | 0x8be04 | 0xf0 | data | Chinese | China | 0.8 |
| RT_STRING | 0x8bef4 | 0x7a | data | Chinese | China | 0.680327868852459 |
| RT_STRING | 0x8bf70 | 0x78 | data | Chinese | China | 0.95 |
| RT_STRING | 0x8bfe8 | 0x106 | data | Chinese | China | 0.5992366412213741 |
| RT_STRING | 0x8c0f0 | 0xf6 | data | Chinese | China | 0.8617886178861789 |
| RT_STRING | 0x8c1e8 | 0x190 | data | Chinese | China | 0.78 |
| RT_STRING | 0x8c378 | 0xd2 | data | Chinese | China | 0.8428571428571429 |
| RT_STRING | 0x8c44c | 0x106 | data | Chinese | China | 0.46564885496183206 |
| RT_STRING | 0x8c554 | 0x182 | data | Chinese | China | 0.7694300518134715 |
| RT_STRING | 0x8c6d8 | 0x19c | data | Chinese | China | 0.779126213592233 |
| RT_STRING | 0x8c874 | 0x5a | data | Chinese | China | 0.7 |
| RT_STRING | 0x8c8d0 | 0x30 | data | Chinese | China | 0.6666666666666666 |
| RT_STRING | 0x8c900 | 0x66 | data | Chinese | China | 0.8235294117647058 |
| RT_GROUP_ICON | 0x8c968 | 0x84 | data | Chinese | China | 0.7045454545454546 |
| RT_VERSION | 0x8c9ec | 0x140 | MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79 | English | United States | 0.584375 |
| RT_VERSION | 0x8cb2c | 0x284 | MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79 | Chinese | China | 0.31211180124223603 |
| RT_MANIFEST | 0x8cdb0 | 0x4c1 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1157), with CRLF line terminators | English | United States | 0.4683648315529992 |
| DLL | Import |
|---|---|
| COMCTL32.dll | InitCommonControlsEx |
| SHELL32.dll | SHBrowseForFolderW, SHGetFileInfoW, SHGetPathFromIDListW, SHGetMalloc, ShellExecuteExW, ShellExecuteW, CommandLineToArgvW |
| KERNEL32.dll | HeapAlloc, LocalFree, GetProcessHeap, GetFileAttributesW, LoadLibraryW, CloseHandle, GetProcAddress, FreeLibrary, GetCurrentProcess, GetVersionExW, GetModuleHandleW, ExpandEnvironmentStringsW, InitializeCriticalSectionAndSpinCount, WaitForSingleObject, CreateProcessW, GetModuleFileNameW, GetCurrentDirectoryW, SetCurrentDirectoryW, SetFileApisToOEM, SetPriorityClass, SetThreadPriority, GetEnvironmentVariableW, GetCurrentThread, GetCommandLineW, FindResourceW, FindFirstFileW, FindNextFileW, FindClose, GetLongPathNameW, CreateFileW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, GetCurrentThreadId, LoadLibraryExW, WriteFile, SetFileTime, SetEndOfFile, FormatMessageW, InterlockedExchangeAdd, ReadFile, SetFilePointer, GetFileSize, ResumeThread, GetACP, GetLastError, WideCharToMultiByte, CreateDirectoryW, GetFullPathNameW, lstrlenW, RemoveDirectoryW, GetTempPathW, SetFileAttributesW, DeleteFileW, GetWindowsDirectoryW, MoveFileExW, GetTempFileNameW, MoveFileW, CreateEventW, SetEvent, ResetEvent, WaitForMultipleObjects, GetCurrentProcessId, FileTimeToSystemTime, WriteConsoleW, DecodePointer, FlushFileBuffers, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapReAlloc, HeapSize, SetStdHandle, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetCPInfo, GetOEMCP, IsValidCodePage, FindFirstFileExW, LCMapStringW, HeapFree, MultiByteToWideChar, VirtualFree, VirtualAlloc, GetStringTypeW, ExitProcess, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, CreateThread, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, WaitForSingleObjectEx, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead, GetStdHandle, GetFileType, RtlUnwind, RaiseException, SetLastError, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree |
| USER32.dll | DispatchMessageW, SetTimer, IsDialogMessageW, TranslateMessage, LoadIconW, KillTimer, PostQuitMessage, EnableWindow, ScreenToClient, IsWindow, MessageBoxW, ShowWindow, PostMessageW, GetWindowRect, SetWindowPos, DialogBoxParamW, SendMessageW, EndDialog, SetWindowTextW, SetFocus, GetDlgItem, GetWindowTextW, IsWindowVisible, CreateDialogParamW, GetMessageW, GetDesktopWindow, LoadStringW, DestroyIcon, GetSystemMetrics |
| GDI32.dll | CreateSolidBrush, DeleteObject |
| ole32.dll | CoCreateInstance, CoInitializeEx, CoUninitialize, CoInitialize |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| Chinese | China |  |
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 13:42:56 |
| Start date: | 11/06/2024 |
| Path: | C:\Users\user\Desktop\vm-uw.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x1e0000 |
| File size: | 580'475 bytes |
| MD5 hash: | 78C6129BFD81F88CFB7171CAF2D386A1 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 13:42:56 |
| Start date: | 11/06/2024 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x1c0000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 13:42:56 |
| Start date: | 11/06/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff66e660000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 13:42:56 |
| Start date: | 11/06/2024 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x1c0000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 5 |
| Start time: | 13:42:56 |
| Start date: | 11/06/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff66e660000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 6 |
| Start time: | 13:42:56 |
| Start date: | 11/06/2024 |
| Path: | C:\Windows\SysWOW64\mode.com |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x640000 |
| File size: | 26'624 bytes |
| MD5 hash: | FB615848338231CEBC16E32A3035C3F8 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 7 |
| Start time: | 13:42:57 |
| Start date: | 11/06/2024 |
| Path: | C:\Windows\SysWOW64\PING.EXE |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x8c0000 |
| File size: | 18'944 bytes |
| MD5 hash: | B3624DD758CCECF93A1226CEF252CA12 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 8 |
| Start time: | 13:42:57 |
| Start date: | 11/06/2024 |
| Path: | C:\Windows\SysWOW64\PING.EXE |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x8c0000 |
| File size: | 18'944 bytes |
| MD5 hash: | B3624DD758CCECF93A1226CEF252CA12 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 9 |
| Start time: | 13:43:00 |
| Start date: | 11/06/2024 |
| Path: | C:\Windows\Fonts\systkm32\csrss.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 18'432 bytes |
| MD5 hash: | C43D1B84143FB2561F22E1A2C8FACF53 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Antivirus matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 10 |
| Start time: | 13:43:00 |
| Start date: | 11/06/2024 |
| Path: | C:\Windows\SysWOW64\PING.EXE |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x8c0000 |
| File size: | 18'944 bytes |
| MD5 hash: | B3624DD758CCECF93A1226CEF252CA12 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 11 |
| Start time: | 13:43:03 |
| Start date: | 11/06/2024 |
| Path: | C:\Windows\SysWOW64\reg.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x2e0000 |
| File size: | 59'392 bytes |
| MD5 hash: | CDD462E86EC0F20DE2A1D781928B1B0C |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 12 |
| Start time: | 13:43:03 |
| Start date: | 11/06/2024 |
| Path: | C:\Windows\SysWOW64\reg.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x2e0000 |
| File size: | 59'392 bytes |
| MD5 hash: | CDD462E86EC0F20DE2A1D781928B1B0C |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 13 |
| Start time: | 13:43:03 |
| Start date: | 11/06/2024 |
| Path: | C:\Windows\SysWOW64\reg.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x2e0000 |
| File size: | 59'392 bytes |
| MD5 hash: | CDD462E86EC0F20DE2A1D781928B1B0C |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 14 |
| Start time: | 13:43:03 |
| Start date: | 11/06/2024 |
| Path: | C:\Windows\SysWOW64\reg.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x2e0000 |
| File size: | 59'392 bytes |
| MD5 hash: | CDD462E86EC0F20DE2A1D781928B1B0C |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 15 |
| Start time: | 13:43:03 |
| Start date: | 11/06/2024 |
| Path: | C:\Windows\SysWOW64\reg.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x2e0000 |
| File size: | 59'392 bytes |
| MD5 hash: | CDD462E86EC0F20DE2A1D781928B1B0C |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 16 |
| Start time: | 13:43:03 |
| Start date: | 11/06/2024 |
| Path: | C:\Windows\SysWOW64\PING.EXE |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x8c0000 |
| File size: | 18'944 bytes |
| MD5 hash: | B3624DD758CCECF93A1226CEF252CA12 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 17 |
| Start time: | 13:43:06 |
| Start date: | 11/06/2024 |
| Path: | C:\Windows\SysWOW64\sc.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xf80000 |
| File size: | 61'440 bytes |
| MD5 hash: | D9D7684B8431A0D10D0E76FE9F5FFEC8 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 18 |
| Start time: | 13:43:06 |
| Start date: | 11/06/2024 |
| Path: | C:\Windows\Fonts\systkm32\svchost.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x1000000 |
| File size: | 8'192 bytes |
| MD5 hash: | 4635935FC972C582632BF45C26BFCB0E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Antivirus matches: |
|
| Has exited: | true |
| Target ID: | 19 |
| Start time: | 13:43:06 |
| Start date: | 11/06/2024 |
| Path: | C:\Windows\SysWOW64\PING.EXE |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x8c0000 |
| File size: | 18'944 bytes |
| MD5 hash: | B3624DD758CCECF93A1226CEF252CA12 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 20 |
| Start time: | 13:43:10 |
| Start date: | 11/06/2024 |
| Path: | C:\Windows\SysWOW64\regini.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x6d0000 |
| File size: | 41'472 bytes |
| MD5 hash: | C99C3BB423097FCF4990539FC1ED60E3 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 23 |
| Start time: | 13:43:41 |
| Start date: | 11/06/2024 |
| Path: | C:\Windows\System32\svchost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7403e0000 |
| File size: | 55'320 bytes |
| MD5 hash: | B7F884C1B74A263F746EE12A5F7C9F6A |
| Has elevated privileges: | true |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Has exited: | false |
Execution Graph
| Execution Coverage: | 10.5% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 5.5% |
| Total number of Nodes: | 2000 |
| Total number of Limit Nodes: | 42 |
Graph
Function 001E51C0 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 60libraryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F7C90 Relevance: 7.9, APIs: 5, Instructions: 428fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0020F8DE Relevance: .8, Instructions: 792COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001EB123 Relevance: 37.0, APIs: 15, Strings: 6, Instructions: 279threadfileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001E9B6D Relevance: 36.2, APIs: 24, Instructions: 210COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001E6100 Relevance: 24.9, APIs: 11, Strings: 3, Instructions: 406synchronizationwindowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001EAC1F Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 303windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001E9F25 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 275windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F5600 Relevance: 15.4, APIs: 10, Instructions: 357COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F81F0 Relevance: 10.9, APIs: 7, Instructions: 364COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F3A90 Relevance: 7.8, APIs: 5, Instructions: 250fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F5C10 Relevance: 7.6, APIs: 5, Instructions: 102threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0020146A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F73F0 Relevance: 6.2, APIs: 4, Instructions: 189fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001E9357 Relevance: 6.2, APIs: 4, Instructions: 164windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F5480 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 118fileCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F9D50 Relevance: 4.7, APIs: 3, Instructions: 235fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F5B10 Relevance: 4.6, APIs: 3, Instructions: 75COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001FA943 Relevance: 4.6, APIs: 3, Instructions: 68COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0022093B Relevance: 4.6, APIs: 3, Instructions: 54threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001EAB81 Relevance: 4.5, APIs: 3, Instructions: 39windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0022089B Relevance: 4.5, APIs: 3, Instructions: 31threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F8680 Relevance: 3.2, APIs: 2, Instructions: 162COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001FA0B0 Relevance: 3.0, APIs: 2, Instructions: 43COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0021B1A7 Relevance: 3.0, APIs: 2, Instructions: 38COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002207E7 Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001FC65C Relevance: 2.3, APIs: 1, Instructions: 751COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001FD084 Relevance: 2.0, APIs: 1, Instructions: 783COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00208F27 Relevance: 1.6, APIs: 1, Instructions: 107COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001E9226 Relevance: 1.6, APIs: 1, Instructions: 93COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001E8FE7 Relevance: 1.6, APIs: 1, Instructions: 93COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001E6CA8 Relevance: 1.6, APIs: 1, Instructions: 68COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00212A40 Relevance: 1.6, APIs: 1, Instructions: 67timeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001ED8B0 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F4B50 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00225D4B Relevance: 1.6, APIs: 1, Instructions: 52COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002248FD Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002231BF Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001EA644 Relevance: 1.5, APIs: 1, Instructions: 23windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001E6ED8 Relevance: 1.5, APIs: 1, Instructions: 23windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001E713D Relevance: 1.5, APIs: 1, Instructions: 20windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001E6E9E Relevance: 1.5, APIs: 1, Instructions: 20windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001E6EDC Relevance: 1.5, APIs: 1, Instructions: 20windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00212940 Relevance: 1.5, APIs: 1, Instructions: 18COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0020E8B6 Relevance: 1.5, APIs: 1, Instructions: 12COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001E5264 Relevance: 1.5, APIs: 1, Instructions: 5COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00219F9D Relevance: 1.3, APIs: 1, Instructions: 53memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002195B2 Relevance: 1.3, APIs: 1, Instructions: 42COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F2C50 Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 495libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F3F50 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 370windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F3D50 Relevance: 9.2, APIs: 6, Instructions: 171fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001E16C0 Relevance: 7.6, Strings: 6, Instructions: 129COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0021EF9A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001EC600 Relevance: 6.5, APIs: 4, Instructions: 515COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F8F60 Relevance: 5.2, APIs: 3, Instructions: 710COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00226D60 Relevance: 3.5, APIs: 2, Instructions: 464COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00217C58 Relevance: 2.4, Strings: 1, Instructions: 1131COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0020DC0C Relevance: 1.9, Strings: 1, Instructions: 641COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002189EC Relevance: 1.7, APIs: 1, Instructions: 164COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0021BD0E Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001E1CE0 Relevance: 1.3, APIs: 1, Instructions: 29COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00225C60 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001EE680 Relevance: .7, Instructions: 735COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0022C6B9 Relevance: .6, Instructions: 637COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001E1000 Relevance: .6, Instructions: 598COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00215958 Relevance: .5, Instructions: 532COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00218D8D Relevance: .3, Instructions: 308COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00205306 Relevance: .3, Instructions: 298COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0021FC5D Relevance: .2, Instructions: 237COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002175E5 Relevance: .2, Instructions: 175COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001FA160 Relevance: .1, Instructions: 136COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00217ADE Relevance: .1, Instructions: 128COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002130A0 Relevance: .1, Instructions: 104COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00218BEC Relevance: .1, Instructions: 100COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0022DD1B Relevance: .1, Instructions: 70COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001E1B00 Relevance: .0, Instructions: 46COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001E1A90 Relevance: .0, Instructions: 34COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001E1D80 Relevance: .0, Instructions: 23COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001E18A0 Relevance: .0, Instructions: 7COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001E4C00 Relevance: 38.7, APIs: 14, Strings: 8, Instructions: 230libraryloadersynchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00226439 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00222DE6 Relevance: 15.1, APIs: 10, Instructions: 54COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00222EDA Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 50COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0022932D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00222F5E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 53COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00224A8B Relevance: 9.2, APIs: 6, Instructions: 216COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001E503B Relevance: 9.1, APIs: 6, Instructions: 68windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00221838 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F1F00 Relevance: 7.8, APIs: 5, Instructions: 337COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001EA35D Relevance: 7.6, APIs: 5, Instructions: 107windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001E4F3E Relevance: 7.6, APIs: 5, Instructions: 71windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0020408C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002235A9 Relevance: 6.3, APIs: 4, Instructions: 305COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001F8860 Relevance: 6.3, APIs: 4, Instructions: 251stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0022629F Relevance: 6.1, APIs: 4, Instructions: 110COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001E5472 Relevance: 6.1, APIs: 4, Instructions: 59COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00224335 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001E607E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54processCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002257D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 16.6% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 7.4% |
| Total number of Nodes: | 244 |
| Total number of Limit Nodes: | 5 |
Graph
Callgraph
Function 004010E0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 47serviceCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040300E Relevance: 4.6, APIs: 3, Instructions: 124COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402560 Relevance: 4.6, APIs: 3, Instructions: 78COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402EDA Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 60memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004012AC Relevance: 4.6, APIs: 3, Instructions: 58COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402E56 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 43memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040120D Relevance: 1.5, APIs: 1, Instructions: 35COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402675 Relevance: 1.3, APIs: 1, Instructions: 27memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401070 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 30serviceCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401000 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37serviceCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 26.8% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 2.2% |
| Total number of Nodes: | 138 |
| Total number of Limit Nodes: | 3 |
Graph
Callgraph
Function 01001493 Relevance: 93.5, APIs: 38, Strings: 15, Instructions: 704registryprocesssleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0100204F Relevance: 13.6, APIs: 9, Instructions: 87COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01001F82 Relevance: 19.6, APIs: 13, Instructions: 85COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01002338 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 40libraryloadertimeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01001E2D Relevance: 12.1, APIs: 4, Strings: 4, Instructions: 107stringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|