Windows
Analysis Report
file.exe
Overview
General Information
Detection
Score: | 48 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- file.exe (PID: 2360 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 52F3D33B2CE1AE6640A20E19506B7ACB)
- cleanup
AV Detection |
---|
Source: | ReversingLabs: |
Source: | Code function: | 0_2_00403B58 |
Source: | Static PE information: |
Source: | DNS traffic detected: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: |
Source: | Code function: | 0_2_00411CFB | |
Source: | Code function: | 0_2_004360B3 | |
Source: | Code function: | 0_2_00437135 | |
Source: | Code function: | 0_2_004341AD | |
Source: | Code function: | 0_2_0042D2E3 | |
Source: | Code function: | 0_2_004345E2 | |
Source: | Code function: | 0_2_00436625 | |
Source: | Code function: | 0_2_0041E68F | |
Source: | Code function: | 0_2_004338A1 | |
Source: | Code function: | 0_2_00424950 | |
Source: | Code function: | 0_2_00434A17 | |
Source: | Code function: | 0_2_00437B4C | |
Source: | Code function: | 0_2_0041DC2B | |
Source: | Code function: | 0_2_0042DCCB | |
Source: | Code function: | 0_2_00425C8F | |
Source: | Code function: | 0_2_00433D95 | |
Source: | Code function: | 0_2_00426F5F |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Code function: | 0_2_00406633 |
Source: | Code function: | 0_2_00405D6E |
Source: | File created: |
Source: | Mutant created: |
Source: | Command line argument: | 0_2_00412753 |
Source: | Command line argument: | 0_2_0042E7A0 |
Source: | Static PE information: |
Source: | Key opened: |
Source: | ReversingLabs: |
Source: | String found in binary or memory: |
Source: | Section loaded: |
Source: | Key value queried: |
Source: | Window detected: |
Source: | Code function: | 0_2_004261F8 | |
Source: | Code function: | 0_2_00439B37 |
Source: | Code function: | 0_2_00425C8F |
Source: | Binary or memory string: |
Source: | API call chain: | graph_0-31674 |
Source: | Code function: | 0_2_004265DC |
Source: | Code function: | 0_2_0042EC02 |
Source: | Code function: | 0_2_00425B2B |
Source: | Code function: | 0_2_004278D8 | |
Source: | Code function: | 0_2_004278A7 |
Source: | Code function: | 0_2_0042687D |
Source: | Code function: | 0_2_0042F095 | |
Source: | Code function: | 0_2_0042F249 | |
Source: | Code function: | 0_2_0042F20C | |
Source: | Code function: | 0_2_004263F6 | |
Source: | Code function: | 0_2_00435614 | |
Source: | Code function: | 0_2_004358C8 | |
Source: | Code function: | 0_2_00435888 | |
Source: | Code function: | 0_2_00435945 | |
Source: | Code function: | 0_2_004359C8 | |
Source: | Code function: | 0_2_00435BBD | |
Source: | Code function: | 0_2_00435CE7 | |
Source: | Code function: | 0_2_00435D94 | |
Source: | Code function: | 0_2_00435E68 |
Source: | Queries volume information: |
Source: | Code function: | 0_2_00424662 |
Source: | Code function: | 0_2_004038C5 |
Source: | Code function: | 0_2_0040A723 |
Source: | Key value queried: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 3 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 31 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | Security Account Manager | 1 Account Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 System Owner/User Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 34 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 50% | ReversingLabs | Win32.PUA.ITorrent | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
cdn.itorrent.bz | unknown | unknown | false | unknown | |
s.itorrent.bz | unknown | unknown | false | unknown | |
info.pillowkidguest.ru | unknown | unknown | false | unknown |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1522716 |
Start date and time: | 2024-09-30 15:53:47 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 47s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 6 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | file.exe |
Detection: | MAL |
Classification: | mal48.winEXE@1/1@11/0 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: file.exe
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\7ec63eecc011967c28496572961d2a7c_9e146be9-c76a-4720-bcdb-53011b87bd06
Process: | C:\Users\user\Desktop\file.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 47 |
Entropy (8bit): | 1.168829563685559 |
Encrypted: | false |
SSDEEP: | 3:/lSll/:AV |
MD5: | FEEA5AAD375F1E916BF7E620A6DCD75B |
SHA1: | 94894605A205FFA9C0FD5D9BE23603C2AFEA3CF9 |
SHA-256: | D94B1765B6165ACCEA18A12F7DD87FA28A6964E8B3C709967B82DFF961DFF216 |
SHA-512: | E8A16FF53A2904A6BF0C20910ADF544BF73D7370B012C57A2CA05FC40C7DBFF9622691DF99310E6F131E203B49EAF525737A38CDFCDE817A4B601F71B10861E2 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
File type: | |
Entropy (8bit): | 6.584703533786841 |
TrID: | |
File name: | file.exe |
File size: | 409'072 bytes |
MD5: | 52f3d33b2ce1ae6640a20e19506b7acb |
SHA1: | 09833b92ef643b687fc0e51c7bc6316011e30604 |
SHA256: | 0d42c76532e1f811ba1e34911976f04fa2616dbe9af1f6f9cdf75193ad9f482b |
SHA512: | f42ec9e70e823b9e8730a501d07c6c0a058a115799719ec903c1c872727278df0a6a2e794a9c1b7b0eb2cb054966e1d77e145772f9c81a4d603bcbced89a82c6 |
SSDEEP: | 12288:eBTKRTSs8TSQS9VfUn04DBxGJK9iYH3yNMZEbikDT:YKRES/65uCKT |
TLSH: | 1C948C217789D075E0625132DE19A71525FEBC752F728B4B73D83F1E2AB11B0A239B22 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P....p..P....p..P....N..P....q.sP...(...P...P...Q...(...P....t..P....J..P...P...P....O..P..Rich.P................. |
Icon Hash: | 1b694cccccc83317 |
Entrypoint: | 0x4250c2 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x56DF32AA [Tue Mar 8 20:14:34 2016 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | 630e143197957138e0ff0c79adca7372 |
Signature Valid: | false |
Signature Issuer: | CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB |
Signature Validation Error: | A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file |
Error Number: | -2146762495 |
Version: | 3 |
Thumbprint MD5: | E91699A3735D838CB43DCF145A19BDD0 |
Thumbprint SHA-1: | 83F7D7E1F123E5B027EB3AEE47C6F544A197D18E |
Thumbprint SHA-256: | FD967613856DC0712693AF97D0F90901C05F682EE02E8589BF8E85004E3DF500 |
Serial: | 138718A754F2731D87CEDDCB1E570C6C |
Instruction |
---|
call 00007EFCD8DC0DEDh |
jmp 00007EFCD8DB9EB4h |
int3 |
int3 |
int3 |
int3 |
mov ecx, dword ptr [esp+08h] |
mov eax, dword ptr [esp+04h] |
push edi |
push ebx |
push esi |
cmp dword ptr [00454BA0h], 01h |
jc 00007EFCD8DBA204h |
ja 00007EFCD8DBA133h |
movzx edx, byte ptr [ecx] |
mov ebx, edx |
shl edx, 08h |
or edx, ebx |
je 00007EFCD8DBA11Fh |
movd xmm3, edx |
pshuflw xmm3, xmm3, 00h |
movlhps xmm3, xmm3 |
pxor xmm0, xmm0 |
mov esi, ecx |
or edi, FFFFFFFFh |
movzx ebx, byte ptr [ecx] |
add ecx, 01h |
test ebx, ebx |
je 00007EFCD8DBA04Fh |
test ecx, 0000000Fh |
jne 00007EFCD8DBA020h |
movdqa xmm2, dqword ptr [ecx] |
pcmpeqb xmm2, xmm0 |
pmovmskb ebx, xmm2 |
test ebx, ebx |
jne 00007EFCD8DBA037h |
mov edi, 0000000Fh |
movd edx, xmm3 |
mov ebx, 00000FFFh |
and ebx, eax |
cmp ebx, 00000FF0h |
jnbe 00007EFCD8DBA059h |
movdqu xmm1, dqword ptr [eax] |
pxor xmm2, xmm2 |
pcmpeqb xmm2, xmm1 |
pcmpeqb xmm1, xmm3 |
por xmm1, xmm2 |
pmovmskb ebx, xmm1 |
add eax, 10h |
test ebx, ebx |
je 00007EFCD8DBA004h |
bsf ebx, ebx |
sub eax, 10h |
add eax, ebx |
movzx ebx, byte ptr [eax] |
test ebx, ebx |
je 00007EFCD8DBA09Ch |
add eax, 01h |
cmp dl, bl |
jne 00007EFCD8DB9FEEh |
mov edx, eax |
lea ecx, dword ptr [esi+01h] |
mov ebx, 00000FFFh |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4d9d4 | 0xf0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5a000 | 0x101e0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x62a00 | 0x13f0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x48e70 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3f000 | 0x3fc | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x3df35 | 0x3e000 | d67fca22046da497bc4b28da073a9d5d | False | 0.570769279233871 | data | 6.654122576566693 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x3f000 | 0x10086 | 0x10200 | c00f28a76406e71d7f9c92121b80ac66 | False | 0.3649012839147287 | DOS executable (COM, 0x8C-variant) | 4.727771105703194 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x50000 | 0x9c60 | 0x4200 | f61727bebeb83ca9d4b8c254e486090d | False | 0.16844223484848486 | data | 2.558325233753619 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x5a000 | 0x101e0 | 0x10200 | ee0e6d6bbdffc0ad2b719bb1beb37532 | False | 0.516124636627907 | data | 6.453843363709768 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
PNG | 0x5a2dc | 0x2b44 | PNG image data, 244 x 65, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.000993138317082 |
PNG | 0x5ce20 | 0x110c | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0025206232813932 |
TEXT | 0x5df2c | 0x65ee | Unicode text, UTF-8 text, with very long lines (936), with CRLF line terminators | English | United States | 0.22005058634168775 |
RT_BITMAP | 0x6451c | 0x105a | Device independent bitmap graphic, 37 x 37 x 24, image size 4146, resolution 2834 x 2834 px/m | English | United States | 0.5217391304347826 |
RT_ICON | 0x65578 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m | English | United States | 0.7189716312056738 |
RT_ICON | 0x659e0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 2835 x 2835 px/m | English | United States | 0.6430327868852459 |
RT_ICON | 0x66368 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m | English | United States | 0.5302532833020638 |
RT_ICON | 0x67410 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m | English | United States | 0.45435684647302904 |
RT_GROUP_ICON | 0x699b8 | 0x3e | data | English | United States | 0.8064516129032258 |
RT_VERSION | 0x699f8 | 0x250 | data | English | United States | 0.48817567567567566 |
RT_MANIFEST | 0x69c48 | 0x596 | ASCII text | English | United States | 0.4258741258741259 |
DLL | Import |
---|---|
gdiplus.dll | GdipAlloc, GdipFree, GdipCloneImage, GdipGetImageEncodersSize, GdipGetImageEncoders, GdipLoadImageFromStream, GdipCreateBitmapFromHBITMAP, GdipDisposeImage, GdiplusShutdown, GdiplusStartup, GdipDrawImageRectI, GdipDeleteGraphics, GdipCreateFromHDC, GdipSaveImageToStream, GdipBitmapUnlockBits, GdipCreateBitmapFromScan0, GdipGetImagePixelFormat, GdipBitmapLockBits, GdipGetImageWidth, GdipGetImageHeight |
KERNEL32.dll | GetModuleHandleW, LocalFlags, WriteFile, OpenProcess, Sleep, FormatMessageW, GetFileAttributesW, CreateFileW, MultiByteToWideChar, FlushFileBuffers, GetTempPathW, GetFileSizeEx, GetLastError, SetLastError, RegisterWaitForSingleObject, LocalAlloc, CreateFileMappingW, CreateEventW, WaitForMultipleObjects, lstrcmpiW, GetCurrentThreadId, DuplicateHandle, ReleaseMutex, CloseHandle, DeleteFileW, GetCurrentProcessId, UnregisterWaitEx, LocalFree, MulDiv, GetComputerNameW, GetSystemDirectoryW, GetVolumeInformationW, InterlockedDecrement, InterlockedExchange, ResetEvent, WideCharToMultiByte, FindResourceExW, LoadResource, LockResource, SizeofResource, GlobalAlloc, GlobalLock, GlobalUnlock, GlobalFree, VerSetConditionMask, VerifyVersionInfoW, GetModuleFileNameW, MoveFileW, SetEvent, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetVersionExW, ExpandEnvironmentStringsA, GetFileAttributesA, GetExitCodeProcess, InitializeCriticalSectionAndSpinCount, RaiseException, DecodePointer, RtlUnwind, GetCommandLineW, LoadLibraryExW, GetProcAddress, ExitThread, CreateThread, GetSystemTimeAsFileTime, IsProcessorFeaturePresent, IsDebuggerPresent, EncodePointer, HeapAlloc, HeapFree, ExitProcess, GetModuleHandleExW, GetStdHandle, HeapSize, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, GetProcessHeap, TlsSetValue, TlsFree, GetStartupInfoW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetFileType, QueryPerformanceCounter, GetEnvironmentStringsW, FreeEnvironmentStringsW, InterlockedCompareExchange, WaitForSingleObject, SetFilePointerEx, InterlockedIncrement, UnmapViewOfFile, MapViewOfFile, CreateMutexW, GetConsoleMode, GetConsoleCP, OutputDebugStringW, HeapReAlloc, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetStringTypeW, SetStdHandle, WriteConsoleW, InitializeCriticalSection |
USER32.dll | PostMessageW, LoadBitmapW, FillRect, GetDlgItem, LoadIconW, AdjustWindowRect, MoveWindow, UpdateWindow, MessageBoxW, DrawTextExW, SetCursor, LoadCursorW, CheckDlgButton, IsDlgButtonChecked, PostQuitMessage, BeginPaint, GetMessageW, FindWindowW, GetWindowTextW, GetSysColorBrush, GetSysColor, GetClientRect, GetWindowRect, SetWindowLongW, RegisterClassW, GetWindowLongW, SetWindowTextW, DestroyIcon, GetIconInfo, SendMessageW, GetDC, ReleaseDC, GetSystemMetrics, DestroyWindow, RemovePropW, RegisterWindowMessageW, SetTimer, KillTimer, DrawTextW, EndPaint, TranslateMessage, RegisterClassExW, ShowWindow, SendMessageTimeoutW, IsWindow, CreateWindowExW, CallWindowProcW, DefWindowProcW, DispatchMessageW, EnableWindow |
GDI32.dll | SetBkMode, GetDeviceCaps, GetObjectW, CreateFontW, SetBkColor, DeleteObject, SelectObject, DeleteDC, GetStockObject, CreateCompatibleDC, BitBlt, SetTextColor, GetCharWidth32W |
ADVAPI32.dll | CryptAcquireContextW, RegQueryValueExW, RegEnumKeyExA, RegQueryInfoKeyW, RegOpenKeyA, RegCloseKey, RegQueryValueExA, RegOpenKeyExA, CryptHashData, ConvertSidToStringSidW, CryptDestroyHash, CryptCreateHash, LookupAccountNameW, CryptGetHashParam, CryptReleaseContext |
SHELL32.dll | ShellExecuteW, ShellExecuteExW, SHGetFolderPathW, SHGetFileInfoW |
ole32.dll | CreateStreamOnHGlobal, CoTaskMemFree, CoInitializeEx, CoUninitialize, GetHGlobalFromStream, CoCreateInstance |
OLEAUT32.dll | VarI4FromStr, VarUI8FromStr |
WINHTTP.dll | WinHttpQueryDataAvailable, WinHttpReceiveResponse, WinHttpWriteData, WinHttpSetTimeouts, WinHttpReadData, WinHttpCrackUrl, WinHttpOpenRequest, WinHttpOpen, WinHttpQueryOption, WinHttpSetStatusCallback, WinHttpQueryHeaders, WinHttpCloseHandle, WinHttpConnect, WinHttpSendRequest, WinHttpSetOption |
urlmon.dll | ObtainUserAgentString |
SHLWAPI.dll | StrCmpNA, PathAppendW, AssocQueryStringW, AssocQueryStringA, StrCmpNW |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | Great Britain | |
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 30, 2024 15:55:18.855915070 CEST | 64116 | 53 | 192.168.2.8 | 1.1.1.1 |
Sep 30, 2024 15:55:19.281646013 CEST | 61754 | 53 | 192.168.2.8 | 1.1.1.1 |
Sep 30, 2024 15:55:19.289067030 CEST | 52087 | 53 | 192.168.2.8 | 1.1.1.1 |
Sep 30, 2024 15:55:19.555239916 CEST | 53 | 61754 | 1.1.1.1 | 192.168.2.8 |
Sep 30, 2024 15:55:19.857218981 CEST | 64116 | 53 | 192.168.2.8 | 1.1.1.1 |
Sep 30, 2024 15:55:20.287462950 CEST | 52087 | 53 | 192.168.2.8 | 1.1.1.1 |
Sep 30, 2024 15:55:20.855289936 CEST | 64116 | 53 | 192.168.2.8 | 1.1.1.1 |
Sep 30, 2024 15:55:21.277146101 CEST | 52087 | 53 | 192.168.2.8 | 1.1.1.1 |
Sep 30, 2024 15:55:22.870874882 CEST | 64116 | 53 | 192.168.2.8 | 1.1.1.1 |
Sep 30, 2024 15:55:23.299746037 CEST | 52087 | 53 | 192.168.2.8 | 1.1.1.1 |
Sep 30, 2024 15:55:26.886384010 CEST | 64116 | 53 | 192.168.2.8 | 1.1.1.1 |
Sep 30, 2024 15:55:27.292579889 CEST | 52087 | 53 | 192.168.2.8 | 1.1.1.1 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Sep 30, 2024 15:55:18.855915070 CEST | 192.168.2.8 | 1.1.1.1 | 0xa4a6 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Sep 30, 2024 15:55:19.281646013 CEST | 192.168.2.8 | 1.1.1.1 | 0xb116 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Sep 30, 2024 15:55:19.289067030 CEST | 192.168.2.8 | 1.1.1.1 | 0x7673 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Sep 30, 2024 15:55:19.857218981 CEST | 192.168.2.8 | 1.1.1.1 | 0xa4a6 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Sep 30, 2024 15:55:20.287462950 CEST | 192.168.2.8 | 1.1.1.1 | 0x7673 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Sep 30, 2024 15:55:20.855289936 CEST | 192.168.2.8 | 1.1.1.1 | 0xa4a6 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Sep 30, 2024 15:55:21.277146101 CEST | 192.168.2.8 | 1.1.1.1 | 0x7673 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Sep 30, 2024 15:55:22.870874882 CEST | 192.168.2.8 | 1.1.1.1 | 0xa4a6 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Sep 30, 2024 15:55:23.299746037 CEST | 192.168.2.8 | 1.1.1.1 | 0x7673 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Sep 30, 2024 15:55:26.886384010 CEST | 192.168.2.8 | 1.1.1.1 | 0xa4a6 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Sep 30, 2024 15:55:27.292579889 CEST | 192.168.2.8 | 1.1.1.1 | 0x7673 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Sep 30, 2024 15:55:19.555239916 CEST | 1.1.1.1 | 192.168.2.8 | 0xb116 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Target ID: | 0 |
Start time: | 09:55:18 |
Start date: | 30/09/2024 |
Path: | C:\Users\user\Desktop\file.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 409'072 bytes |
MD5 hash: | 52F3D33B2CE1AE6640A20E19506B7ACB |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Execution Graph
Execution Coverage: | 7.5% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 14.3% |
Total number of Nodes: | 1971 |
Total number of Limit Nodes: | 53 |
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
00411CFB | 49.7 | 14 | 14 | 693 | window, COMMON |
00412753 | 38.8 | 8 | 14 | 331 | window, COMMON |
00403B58 | 17.6 | 9 | 1 | 125 | encryption, COMMON |
00406633 | 14.1 | 5 | 3 | 146 | com, COMMON |
0041444F | 40.7 | 18 | 5 | 426 | window, COMMON |
00402979 | 31.8 | 15 | 3 | 345 | memory, COMMON |
0040FDC7 | 24.7 | 11 | 3 | 181 | window, COMMON |
004108DA | 24.7 | 12 | 2 | 161 | window, registry, COMMON |
0040F5FF | 23.0 | 9 | 4 | 200 | window, COMMON |
00413C38 | 21.2 | 9 | 3 | 160 | window, COMMON |
0040FAAE | 19.4 | 8 | 3 | 159 | window, COMMON |
00413A48 | 14.1 | 6 | 2 | 140 | window, COMMON |
00404396 | 12.5 | 6 | 1 | 212 | memory, COMMON |
004103D1 | 10.7 | 7 | | 186 | COMMON |
00407617 | 10.6 | 5 | 1 | 108 | file, COMMON |
00413F0D | 10.6 | 4 | 2 | 84 | window, COMMON |
00414117 | 9.1 | 6 | | 113 | COMMON |
00401D74 | 9.1 | 6 | | 90 | registry, synchronization, COMMON |
00414A14 | 8.8 | 3 | 2 | 34 | window, time, COMMON |
00401C0E | 7.6 | 5 | | 63 | memory, synchronization, COMMON |
004138C8 | 7.5 | 5 | | 28 | COMMON |
0040DD05 | 7.1 | 2 | 2 | 55 | window, time, COMMON |
00403A22 | 6.1 | 4 | | 90 | COMMON |
0040F549 | 6.1 | 4 | | 65 | COMMON |
0040377E | 6.1 | 4 | | 62 | COMMON |
004013BB | 5.3 | 2 | 1 | 33 | window, COMMON |
0040205C | 4.6 | 3 | | 79 | sleep, COMMON |
0040459F | 4.6 | 3 | | 72 | memory, COMMON |
0040FCD4 | 4.5 | 3 | | 25 | window, COMMON |
00413768 | 3.6 | 1 | 1 | 138 | window, COMMON |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004100DC Relevance: 3.1, APIs: 2, Instructions: 125COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040DEF8 Relevance: 3.1, APIs: 2, Instructions: 120COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405283 Relevance: 3.1, APIs: 2, Instructions: 60COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00403832 Relevance: 3.0, APIs: 2, Instructions: 50COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040215F Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 48memoryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040E49D Relevance: 3.0, APIs: 2, Instructions: 44COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0041390D Relevance: 3.0, APIs: 2, Instructions: 35COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405242 Relevance: 3.0, APIs: 2, Instructions: 21COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040E071 Relevance: 1.6, APIs: 1, Instructions: 76COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00410666 Relevance: 1.6, APIs: 1, Instructions: 68COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00404113 Relevance: 1.6, APIs: 1, Instructions: 55COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004027DC Relevance: 1.6, APIs: 1, Instructions: 50COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004028EE Relevance: 1.5, APIs: 1, Instructions: 40COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040F3B5 Relevance: 1.5, APIs: 1, Instructions: 34COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004082E8 Relevance: 1.5, APIs: 1, Instructions: 33windowCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00413719 Relevance: 1.5, APIs: 1, Instructions: 32windowCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00410615 Relevance: 1.5, APIs: 1, Instructions: 20COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00408227 Relevance: 1.5, APIs: 1, Instructions: 15COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406203 Relevance: 1.5, APIs: 1, Instructions: 13COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004012C9 Relevance: 1.3, APIs: 1, Instructions: 17COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040347D Relevance: 1.3, APIs: 1, Instructions: 14memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0041E68F Relevance: 11.5, Strings: 9, Instructions: 269COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00435CE7 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040A723 Relevance: 4.6, APIs: 3, Instructions: 54COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004278A7 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00425B2B Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004345E2 Relevance: .3, Instructions: 345COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00434A17 Relevance: .3, Instructions: 341COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004341AD Relevance: .3, Instructions: 331COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00433D95 Relevance: .3, Instructions: 323COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00424950 Relevance: .1, Instructions: 76COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040EB3A Relevance: 38.9, APIs: 17, Strings: 5, Instructions: 439windowCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405F17 Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 197windowmemoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040AB8E Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 266registryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00414265 Relevance: 19.6, APIs: 13, Instructions: 140COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040AF75 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 209registryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040DDAF Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 97fileCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042A4CD Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 204COMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406291 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 162comCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040500B Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 102memoryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004014A5 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 81threadCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040E169 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 59synchronizationCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0041589C Relevance: 12.1, APIs: 8, Instructions: 64memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040E6B3 Relevance: 10.6, APIs: 7, Instructions: 105COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00428BC6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00424B05 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00424BDA Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040E7E9 Relevance: 9.1, APIs: 6, Instructions: 115windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040E5C8 Relevance: 9.1, APIs: 6, Instructions: 87COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00414086 Relevance: 9.1, APIs: 6, Instructions: 56COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040FC49 Relevance: 9.1, APIs: 6, Instructions: 53windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00413E0C Relevance: 9.1, APIs: 6, Instructions: 53windowCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0041C8F3 Relevance: 7.9, APIs: 5, Instructions: 411COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040F4C2 Relevance: 7.6, APIs: 5, Instructions: 52COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00435533 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60COMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00402DB8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44sleepCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040E952 Relevance: 6.2, APIs: 4, Instructions: 164COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00439661 Relevance: 6.1, APIs: 4, Instructions: 137COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00402EBF Relevance: 6.1, APIs: 4, Instructions: 102memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040754F Relevance: 6.1, APIs: 4, Instructions: 77fileCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004031BB Relevance: 6.1, APIs: 4, Instructions: 72COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004139DC Relevance: 6.0, APIs: 4, Instructions: 44windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004039A5 Relevance: 6.0, APIs: 4, Instructions: 42COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004015BA Relevance: 6.0, APIs: 4, Instructions: 40fileCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040F470 Relevance: 6.0, APIs: 4, Instructions: 32windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00413BE5 Relevance: 6.0, APIs: 4, Instructions: 28COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040352D Relevance: 6.0, APIs: 4, Instructions: 22COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004233B1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|