Windows
Analysis Report
SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe
Overview
General Information
Detection
Score: | 88 |
Range: | 0 - 100 |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe (PID: 3244 cmdline:
"C:\Users\ user\Deskt op\Securit eInfo.com. BackDoor.D arkshell.2 46.151.163 84.exe" MD5: 4194BA809C07479D0B6C3681D218661B) WinH83.exe (PID: 3596 cmdline:
"C:\Window s\system32 \WinH83.ex e" MD5: C7B758D198A32EF2BA4112EF346C74BA) cmd.exe (PID: 6696 cmdline:
C:\Windows \system32\ cmd.exe /C del C:\Wi ndows\SysW OW64\WinH8 3.exe > nu l MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) cmd.exe (PID: 1752 cmdline:
C:\Windows \system32\ cmd.exe /C del C:\Us ers\user\D esktop\SEC URI~1.EXE > nul MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- cleanup
System Summary |
---|
Source: | Author: frack113, Nasreddine Bencherchali (Nextron Systems): |
- • AV Detection
- • Compliance
- • Software Vulnerabilities
- • Networking
- • System Summary
- • Data Obfuscation
- • Persistence and Installation Behavior
- • Boot Survival
- • Hooking and other Techniques for Hiding and Protection
- • Malware Analysis System Evasion
- • Anti Debugging
- • HIPS / PFW / Operating System Protection Evasion
- • Language, Device and Operating System Detection
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | Avira: |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | 0_2_0040D07E | |
Source: | Code function: | 0_2_0040653C | |
Source: | Code function: | 0_2_0040D06A | |
Source: | Code function: | 0_2_004071E2 | |
Source: | Code function: | 1_2_00406549 | |
Source: | Code function: | 1_2_0040D07E | |
Source: | Code function: | 1_2_0040D06A | |
Source: | Code function: | 1_2_004071E2 |
Source: | IP Address: |
Source: | TCP traffic: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | Code function: | 0_2_0040653C |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
System Summary |
---|
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Code function: | 0_2_00401680 |
Source: | Code function: | 0_2_004022C0 |
Source: | Code function: | 0_2_004023A0 | |
Source: | Code function: | 1_2_004023A0 |
Source: | File created: | Jump to behavior | ||
Source: | File created: | Jump to behavior |
Source: | Code function: | 0_2_004023A0 | |
Source: | Code function: | 0_2_004078A8 | |
Source: | Code function: | 1_2_004023A0 | |
Source: | Code function: | 1_2_004078A8 |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Code function: | 0_2_00401390 | |
Source: | Code function: | 1_2_00401390 |
Source: | Code function: | 0_2_00402170 | |
Source: | Code function: | 1_2_00402170 |
Source: | Code function: | 0_2_00401D00 |
Source: | Code function: | 0_2_00401D00 | |
Source: | Code function: | 1_2_00401D00 |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | File read: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Static file information: |
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | 0_2_0040D07E |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Code function: | 0_2_0040B254 | |
Source: | Code function: | 0_2_0040B006 | |
Source: | Code function: | 0_2_0040B232 | |
Source: | Code function: | 0_2_0040B254 | |
Source: | Code function: | 0_2_004056FE | |
Source: | Code function: | 0_2_00401C06 | |
Source: | Code function: | 0_2_0040B28F | |
Source: | Code function: | 0_2_004078A0 | |
Source: | Code function: | 0_2_0040B298 | |
Source: | Code function: | 1_2_0040B254 | |
Source: | Code function: | 1_2_0040B006 | |
Source: | Code function: | 1_2_0040B232 | |
Source: | Code function: | 1_2_0040B254 | |
Source: | Code function: | 1_2_004056FE | |
Source: | Code function: | 1_2_00401C06 | |
Source: | Code function: | 1_2_0040B28F | |
Source: | Code function: | 1_2_004078A0 | |
Source: | Code function: | 1_2_0040B298 |
Source: | Static PE information: | ||
Source: | Static PE information: |
Persistence and Installation Behavior |
---|
Source: | Executable created and started: | Jump to behavior |
Source: | Code function: | 0_2_0040653C |
Source: | File created: | Jump to dropped file |
Source: | File created: | Jump to dropped file |
Source: | Code function: | 0_2_00401D00 |
Hooking and other Techniques for Hiding and Protection |
---|
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Malware Analysis System Evasion |
---|
Source: | Evasive API call chain: | graph_1-1480 | ||
Source: | Evasive API call chain: | graph_0-1522 |
Source: | Stalling execution: | graph_1-1249 |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior |
Source: | Decision node followed by non-executed suspicious API: | graph_0-1645 | ||
Source: | Decision node followed by non-executed suspicious API: | graph_1-1585 |
Source: | Evasive API call chain: | graph_0-1353 | ||
Source: | Evasive API call chain: | graph_1-1319 |
Source: | API coverage: |
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | API call chain: | graph_0-1670 | ||
Source: | API call chain: | graph_0-1497 | ||
Source: | API call chain: | graph_1-1455 | ||
Source: | API call chain: | graph_1-1628 |
Source: | Code function: | 0_2_0040D07E |
Source: | Code function: | 0_2_0040D07E | |
Source: | Code function: | 0_2_0040D06A | |
Source: | Code function: | 0_2_00401030 | |
Source: | Code function: | 0_2_00401030 | |
Source: | Code function: | 0_2_00401030 | |
Source: | Code function: | 0_2_004071E2 | |
Source: | Code function: | 1_2_0040D07E | |
Source: | Code function: | 1_2_0040D06A | |
Source: | Code function: | 1_2_00401030 | |
Source: | Code function: | 1_2_00401030 | |
Source: | Code function: | 1_2_00401030 | |
Source: | Code function: | 1_2_004071E2 |
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Code function: | 0_2_00402CB0 |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Service Execution | 14 Windows Service | 1 Access Token Manipulation | 12 Masquerading | 1 Credential API Hooking | 1 Security Software Discovery | Remote Services | 1 Credential API Hooking | 1 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
Credentials | Domains | Default Accounts | 12 Native API | 1 DLL Side-Loading | 14 Windows Service | 21 Virtualization/Sandbox Evasion | LSASS Memory | 21 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 11 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 11 Process Injection | 1 Access Token Manipulation | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 11 Process Injection | NTDS | 2 System Information Discovery | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Software Packing | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 File Deletion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
70% | Virustotal | Browse | ||
78% | ReversingLabs | Win32.Backdoor.Farfli | ||
100% | Avira | TR/Crypt.XPACK.Gen |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira | TR/Crypt.XPACK.Gen |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
www.003zzy.com | 5.79.71.225 | true | false | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
5.79.71.225 | www.003zzy.com | Netherlands | 60781 | LEASEWEB-NL-AMS-01NetherlandsNL | false |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1657698 |
Start date and time: | 2025-04-06 09:30:31 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 3m 20s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 4 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe |
Detection: | MAL |
Classification: | mal88.evad.winEXE@8/4@1/1 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Excluded IPs from analysis (wh
itelisted): 184.31.69.3 - Excluded domains from analysis
(whitelisted): fs.microsoft.c om, prod.fs.microsoft.com.akad ns.net, fs-wildcard.microsoft. com.edgekey.net, fs-wildcard.m icrosoft.com.edgekey.net.globa lredir.akadns.net, e16604.dscf .akamaiedge.net - Not all processes where analyz
ed, report is missing behavior information - Report size getting too big, t
oo many NtOpenKeyEx calls foun d. - Report size getting too big, t
oo many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
03:31:26 | API Interceptor | |
03:31:32 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
5.79.71.225 | Get hash | malicious | Shiz | Browse |
| |
Get hash | malicious | Simda Stealer | Browse |
| ||
Get hash | malicious | Simda Stealer | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Pony | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
LEASEWEB-NL-AMS-01NetherlandsNL | Get hash | malicious | Mirai | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | GuLoader | Browse |
| ||
Get hash | malicious | PureLog Stealer, zgRAT | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Gafgyt, Mirai | Browse |
| ||
Get hash | malicious | Unknown | Browse |
|
Process: | C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe |
File Type: | |
Category: | modified |
Size (bytes): | 50382421 |
Entropy (8bit): | 4.8397788165428794 |
Encrypted: | false |
SSDEEP: | |
MD5: | C7B758D198A32EF2BA4112EF346C74BA |
SHA1: | 0B7EF8BC77C32AFD14EFF2C624F2BFE3221E9216 |
SHA-256: | BA4F9F2FF33C114E082151EC91E23EE287028BBD08A11F1CB29CE410C9EE49C1 |
SHA-512: | 2036B63BA3322903A8C00DCDACADB082AB1021834FD771E7EB9B53139C9AEC2510D613EA12C9EA8F7A20155B8B95331491640D651FE84DDFA36723ECBA3F5C37 |
Malicious: | true |
Antivirus: |
|
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 26 |
Entropy (8bit): | 3.95006375643621 |
Encrypted: | false |
SSDEEP: | 3:ggPYV:rPYV |
MD5: | 187F488E27DB4AF347237FE461A079AD |
SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
Malicious: | true |
Reputation: | high, very likely benign file |
Preview: |
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 32 |
Entropy (8bit): | 4.351409765557392 |
Encrypted: | false |
SSDEEP: | 3:oX6S0rvn:oXY7n |
MD5: | 9E990DB6A2F50100468FA41138047EB7 |
SHA1: | 7ECCFF3574EF5B5A7CDC7725E470BE1D3A5DADBB |
SHA-256: | 0A0E4C2B943BC5777613B57E09283F372754CBFDB60B101B60C7F45C61F3DC24 |
SHA-512: | 7BC71FF3625449E14CECBE69AC1043A6AF807B3310B7AC91021FDF6EBB07676157EEFD0C9473C3B96B1621C4E90351D2B4EC254DEE837865C0C96C2C5729C11D |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 4.8002840680985805 |
TrID: |
|
File name: | SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe |
File size: | 25'208'853 bytes |
MD5: | 4194ba809c07479d0b6c3681d218661b |
SHA1: | 2e8c858633dd5d519d8a7231150ddbc24fef2675 |
SHA256: | 666e5e939aca03a8c323fc257063430fbab202f6ae1c4bf8c04fe62c75dade4b |
SHA512: | d1fdbf68fe48122eb3150bab37d6e61a4a1461b3211e653093aa5f4a387275e36551a5969764e3dba4b603025a36803f03eade1c48c33db64c180e89f1e98521 |
SSDEEP: | 768:Epynh7s4ofEwaGHxAL/IoqATi+N1YMv47DUQYUbv8HU2LsNNkm9QIPwAHS:Epyh7FofEwjMI1ATiAP4RYUfKmlPRS |
TLSH: | 3E4722443EDE5816FBDB9933407F3DA6702F405C558FB22B89D96216B4F103A0AFD1AA |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............g...g...g...{...g..9{...g..EG...g..EG...g...g..2g..yh...g..Rx...g..}a...g..Rich.g..........................PE..L.....FJ[Lo |
Icon Hash: | b2b239396d33f051 |
Entrypoint: | 0x40d07e |
Entrypoint Section: | 300 |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | |
Time Stamp: | 0x4A4601AD [Sat Jun 27 11:25:33 2009 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 75a7edd5e27e3873db683bbba6fe50dc |
Instruction |
---|
pushad |
mov dword ptr [0040D068h], ecx |
push 0040D002h |
call dword ptr [0040E056h] |
mov eax, dword ptr [0040D068h] |
cmp eax, ecx |
je 00007F66B522E5C8h |
popad |
nop |
nop |
nop |
nop |
mov eax, dword ptr fs:[00000030h] |
nop |
mov eax, dword ptr [eax+18h] |
nop |
mov eax, dword ptr [eax+0Ch] |
cmp eax, 02h |
je 00007F66B522E62Dh |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
ret |
nop |
nop |
nop |
pushad |
call 00007F66B522E625h |
pop ebx |
xor bx, bx |
add ebx, 00001000h |
push 000002F4h |
pop ecx |
mov eax, dword ptr [ebx] |
xor eax, 22DD55EEh |
mov dword ptr [ebx], eax |
add ebx, 04h |
loop 00007F66B522E614h |
popad |
nop |
nop |
pushad |
call 00007F66B522E625h |
pop ebx |
xor bx, bx |
add ebx, 00001CDCh |
push 000019D1h |
pop ecx |
mov eax, dword ptr [ebx] |
xor eax, 22DD55EEh |
mov dword ptr [ebx], eax |
add ebx, 04h |
loop 00007F66B522E614h |
popad |
nop |
pushad |
call 00007F66B522E625h |
pop ebx |
xor bx, bx |
add ebx, 000085ECh |
push 00000101h |
pop ecx |
mov eax, dword ptr [ebx] |
xor eax, 22DD55EEh |
mov dword ptr [ebx], eax |
add ebx, 04h |
loop 00007F66B522E614h |
popad |
mov dword ptr [00401E76h], FFFFFD67h |
jmp 00007F66B522E4FEh |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe145 | 0x8c | .Katja |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf000 | 0x1504 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc000 | 0x10 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x48a5 | 0x4a00 | 19a8c9be028846d0695fc5d7ed1786e1 | False | 0.6620565878378378 | COM executable for DOS | 7.183221181125893 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0x6000 | 0xc86 | 0xe00 | 3faacc8d9bdb0bba9502ef9abf92c7ec | False | 0.45200892857142855 | data | 5.204326514440395 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.data | 0x7000 | 0x2b3c | 0x1a00 | fff70a9be21a1df56244b684a22bfced | False | 0.6604567307692307 | data | 6.6392803389643005 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.mackt | 0xa000 | 0x1000 | 0x1000 | b6665b84385f56250cb043829252ce2c | False | 0.310302734375 | data | 3.429642363371091 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.vmp0 | 0xb000 | 0x381 | 0x400 | 57e1e1ce532f5f5d62e1fe232271d622 | False | 0.740234375 | data | 5.873286808120885 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE |
.reloc | 0xc000 | 0x10 | 0x200 | 5265fb518934649cf18f37241a28e09e | False | 0.056640625 | GLS_BINARY_LSB_FIRST | 0.19977565608732903 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
300 | 0xd000 | 0x200 | 0x200 | cae9fd76ccb99fa73cee42562f62caa6 | False | 0.44140625 | data | 3.6700111801610693 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.Katja | 0xe000 | 0x1000 | 0x195 | 8d18773c7a60edfa7f3a902f8d2c212c | False | 0.528395061728395 | data | 3.2369415694512034 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0xf000 | 0x2000 | 0x1600 | cf92fcb478234b44464107f3c9b16e03 | False | 0.36274857954545453 | data | 5.49774110339037 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0xf0f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Chinese | China | 0.3545966228893058 |
RT_GROUP_ICON | 0x10198 | 0x14 | data | Chinese | China | 1.1 |
RT_VERSION | 0x101ac | 0x358 | data | Chinese | China | 0.48598130841121495 |
DLL | Import |
---|---|
kernel32.dll | LoadLibraryA, GetProcAddress, GetTickCount, DeleteFileA |
GDI32.dll | DeleteObject, GetDIBits |
ADVAPI32.dll | CloseServiceHandle |
Description | Data |
---|---|
CompanyName | (C)360.cn Inc.All Rights Reserved. |
FileDescription | 360.cn |
FileVersion | 360 |
InternalName | 3, 2, 2, 1002 |
LegalCopyright | (C)360.cn Inc.All Rights Reserved. |
OriginalFilename | ZhuDongFangYu.exe |
ProductName | 360 |
ProductVersion | 3, 2, 2, 1002 |
SpecialBuild | 668531542187500 |
Translation | 0x0409 0x04b0 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Chinese | China |
Download Network PCAP: filtered – full
- Total Packets: 4
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 6, 2025 09:31:28.462925911 CEST | 49717 | 80 | 192.168.2.5 | 5.79.71.225 |
Apr 6, 2025 09:31:29.465687990 CEST | 49717 | 80 | 192.168.2.5 | 5.79.71.225 |
Apr 6, 2025 09:31:31.559541941 CEST | 49717 | 80 | 192.168.2.5 | 5.79.71.225 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 6, 2025 09:31:27.789021969 CEST | 65424 | 53 | 192.168.2.5 | 1.1.1.1 |
Apr 6, 2025 09:31:28.422461987 CEST | 53 | 65424 | 1.1.1.1 | 192.168.2.5 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Apr 6, 2025 09:31:27.789021969 CEST | 192.168.2.5 | 1.1.1.1 | 0x426e | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Apr 6, 2025 09:31:28.422461987 CEST | 1.1.1.1 | 192.168.2.5 | 0x426e | No error (0) | 5.79.71.225 | A (IP address) | IN (0x0001) | false | ||
Apr 6, 2025 09:31:28.422461987 CEST | 1.1.1.1 | 192.168.2.5 | 0x426e | No error (0) | 85.17.31.82 | A (IP address) | IN (0x0001) | false | ||
Apr 6, 2025 09:31:28.422461987 CEST | 1.1.1.1 | 192.168.2.5 | 0x426e | No error (0) | 85.17.31.122 | A (IP address) | IN (0x0001) | false | ||
Apr 6, 2025 09:31:28.422461987 CEST | 1.1.1.1 | 192.168.2.5 | 0x426e | No error (0) | 178.162.203.202 | A (IP address) | IN (0x0001) | false | ||
Apr 6, 2025 09:31:28.422461987 CEST | 1.1.1.1 | 192.168.2.5 | 0x426e | No error (0) | 178.162.203.211 | A (IP address) | IN (0x0001) | false | ||
Apr 6, 2025 09:31:28.422461987 CEST | 1.1.1.1 | 192.168.2.5 | 0x426e | No error (0) | 178.162.203.226 | A (IP address) | IN (0x0001) | false | ||
Apr 6, 2025 09:31:28.422461987 CEST | 1.1.1.1 | 192.168.2.5 | 0x426e | No error (0) | 178.162.217.107 | A (IP address) | IN (0x0001) | false | ||
Apr 6, 2025 09:31:28.422461987 CEST | 1.1.1.1 | 192.168.2.5 | 0x426e | No error (0) | 5.79.71.205 | A (IP address) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
Click to jump to process
Target ID: | 0 |
Start time: | 03:31:26 |
Start date: | 06/04/2025 |
Path: | C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 25'208'853 bytes |
MD5 hash: | 4194BA809C07479D0B6C3681D218661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 03:31:32 |
Start date: | 06/04/2025 |
Path: | C:\Windows\SysWOW64\WinH83.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x7ff7e2000000 |
File size: | 50'382'421 bytes |
MD5 hash: | C7B758D198A32EF2BA4112EF346C74BA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Antivirus matches: |
|
Reputation: | low |
Has exited: | true |
Target ID: | 2 |
Start time: | 03:31:32 |
Start date: | 06/04/2025 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x220000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 03:31:32 |
Start date: | 06/04/2025 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x220000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Execution Graph
Execution Coverage
Dynamic/Packed Code Coverage
Signature Coverage
Execution Coverage: | 11.9% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 26.6% |
Total number of Nodes: | 571 |
Total number of Limit Nodes: | 8 |
Graph
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004023A0 Relevance: 126.7, APIs: 66, Strings: 6, Instructions: 745threadstringnetworkCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00401860 Relevance: 43.9, APIs: 15, Strings: 10, Instructions: 165libraryloadermemoryCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Execution Graph
Execution Coverage
Dynamic/Packed Code Coverage
Signature Coverage
Execution Coverage: | 8.7% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 0% |
Total number of Nodes: | 541 |
Total number of Limit Nodes: | 6 |
Graph
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00401860 Relevance: 43.9, APIs: 15, Strings: 10, Instructions: 165libraryloadermemoryCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|