Windows
Analysis Report
wlogon.exe
Overview
General Information
Detection
Score: | 48 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
  - wlogon.exe (PID: 3556 cmdline: "C:\Users\user\Desktop\wlogon.exe" MD5: 87C6D766D6048E521338054117217074)
- cleanup
- Compliance
- Spreading
- Networking
- System Summary
- Data Obfuscation
- Malware Analysis System Evasion
- Anti Debugging
- Language, Device and Operating System Detection
- Remote Access Functionality
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Virtualization/Sandbox Evasion | OS Credential Dumping | 12 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | LSASS Memory | 221 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 12 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
 | 8% | ReversingLabs | Win64.PUA.SoftCnapp | |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1526177 |
Start date and time: | 2024-10-04 22:00:07 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 1m 53s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 2 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | wlogon.exe |
Detection: | MAL |
Classification: | mal48.evad.winEXE@1/0@0/0 |
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe
- VT rate limit hit for: wlogon.exe
File type: | |
Entropy (8bit): | 6.444327896274894 |
File name: | wlogon.exe |
File size: | 426'496 bytes |
MD5: | 87c6d766d6048e521338054117217074 |
SHA1: | 702dff2e0e597d53a9a4e5a60ac1fee71c69a0d3 |
SHA256: | 623a129ab187469af1154a99dbc64a7764dd34485be48f762260d39c98b9761a |
SHA512: | ba9ba4a1f1256d16b46e82a0b3a6dc3e980def985564c689f3585e505876037843adc33a4f4bac67dc6b47722a9f4527e5fd8e22e1e554d7c3c04830cc542e70 |
SSDEEP: | 6144:d3ObrJReIjxwwZT2qbAU/yZGXlTVGgh1wR+44tIiwCcRKz15mH:d34rJRDwuT2GAU/y6TVGgh1wOZ5m |
TLSH: | BF947D95F3E414F8D5A7C238C6564607EBB2B4151321DBDF03A88A6A2F13BE15E3EB11 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f..........".................H..........@..........................................`................................ |
Icon Hash: | 0424c49885bab885 |
Entrypoint: | 0x140031348 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x140000000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x66CEBE8D [Wed Aug 28 06:07:09 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | a9c7bfe311ed91b5f199529f439a57a0 |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x61d44 | 0x50 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6e000 | 0x1330 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x68000 | 0x3ee8 | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x70000 | 0xa58 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x5d090 | 0x138 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4f000 | 0x410 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x4d100 | 0x4d200 | cbbe40a6e50eb517b2f8837cab34ae5a | False | 0.550930029376013 | data | 6.467951044899261 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x4f000 | 0x139c2 | 0x13a00 | 9bbc13adc81f0ac7a826ff876ed08c3b | False | 0.4710390127388535 | data | 5.479069171443292 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x63000 | 0x4698 | 0xe00 | 180a8c8ad0ec7fddd70e238e9cec82e4 | False | 0.1484375 | data | 1.9318506016685375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x68000 | 0x3ee8 | 0x4000 | a6a332fb92ec1d1f7ec4dafdc2d33153 | False | 0.477294921875 | PEX Binary Archive | 5.703765867853137 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
_RDATA | 0x6c000 | 0xf4 | 0x200 | de82bd225ccfba2cd60d9fa0607ba765 | False | 0.314453125 | data | 2.44396225347699 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.uniques | 0x6d000 | 0x1f | 0x200 | 5bad05a2f49489d4f4c80f74cef303f7 | False | 0.083984375 | ASCII text, with no line terminators | 0.5859127733147627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x6e000 | 0x1330 | 0x1400 | 00aa56cb1971fafdc9e4cffc23637369 | False | 0.6853515625 | data | 6.624363760031692 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x70000 | 0xa58 | 0xc00 | 347ce8ca5d48998ecdae2344948a13fa | False | 0.4772135416666667 | data | 5.114128650365127 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x6e130 | 0xdd1 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.7989821882951654 |
RT_GROUP_ICON | 0x6ef08 | 0x14 | data | English | United States | 1.05 |
RT_VERSION | 0x6ef20 | 0x28c | PGP symmetric key encrypted data - Plaintext or unencrypted data | English | United States | 0.504601226993865 |
RT_MANIFEST | 0x6f1b0 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727 |
DLL | Import |
---|---|
WS2_32.dll | WSAIoctl, ntohl, socket, inet_pton, getaddrinfo, WSAStartup, htonl, inet_ntop, htons, freeaddrinfo, getsockopt, ioctlsocket, accept, getpeername, getsockname, connect, recvfrom, recv, sendto, WSAGetLastError, bind, closesocket, listen, send, ntohs |
bcrypt.dll | BCryptGenRandom |
KERNEL32.dll | GetStartupInfoW, SetEndOfFile, WriteConsoleW, HeapSize, GetFileAttributesExW, CreateProcessW, GetExitCodeProcess, WaitForSingleObject, GetProcessHeap, GetStringTypeW, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindFirstFileExW, GetFileSizeEx, DeleteFileW, FlushFileBuffers, SetFilePointerEx, SetStdHandle, HeapReAlloc, GetModuleHandleA, Sleep, IsDebuggerPresent, GetModuleFileNameA, SetUnhandledExceptionFilter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, GetCurrentThreadId, DeleteCriticalSection, GetCurrentProcessId, GetLocalTime, QueryPerformanceFrequency, QueryPerformanceCounter, FormatMessageA, FindClose, FindNextFileW, GetLastError, MultiByteToWideChar, WideCharToMultiByte, GetSystemTimeAsFileTime, InitializeSRWLock, InitOnceExecuteOnce, SetLastError, GetHandleInformation, GetTickCount64, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, CloseHandle, ReleaseSRWLockShared, GetQueuedCompletionStatusEx, GetProcAddress, AcquireSRWLockShared, GetModuleHandleW, CreateIoCompletionPort, SetFileCompletionNotificationModes, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, InitializeSListHead, RtlUnwindEx, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetCommandLineW, GetTimeZoneInformation, ExitProcess, GetModuleHandleExW, CreateFileW, GetFileType, ReadFile, GetStdHandle, WriteFile, GetModuleFileNameW, GetConsoleMode, ReadConsoleW, GetConsoleOutputCP, HeapAlloc, HeapFree, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Target ID: | 0 |
Start time: | 16:00:56 |
Start date: | 04/10/2024 |
Path: | C:\Users\user\Desktop\wlogon.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7fc630000 |
File size: | 426'496 bytes |
MD5 hash: | 87C6D766D6048E521338054117217074 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Execution Graph
Execution Coverage: | 1% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 3.1% |
Total number of Nodes: | 257 |
Total number of Limit Nodes: | 6 |
Function 00007FF7FC66FEC8 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117 library loader COMMON
Function 00007FF7FC637970 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 131 network window COMMON
Function 00007FF7FC637BB0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 100 window network COMMON