Windows
Analysis Report
file.exe
Overview
General Information
Detection
Score: | 60 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- file.exe (PID: 6644 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 6AECFC2EDE0F22D0ADD919214DE21A83)
  - conhost.exe (PID: 6624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - WerFault.exe (PID: 3492 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6644 -s 508 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
AV Detection
Source: | Avira: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Static PE information: |
Source: | Code function: | 0_2_004093C8 | |
Source: | Code function: | 0_2_00429570 | |
Source: | Code function: | 0_2_0041E578 | |
Source: | Code function: | 0_2_00408DFC | |
Source: | Code function: | 0_2_0041DF90 |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | Code function: | 0_2_00408090 | |
Source: | Code function: | 0_2_0042CAC4 | |
Source: | Code function: | 0_2_0040FCAC |
Source: | Process created: |
Source: | Binary or memory string: |
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Code function: | 0_2_004151D0 |
Source: | Code function: | 0_2_0042EF38 |
Source: | Mutant created: |
Source: | Mutant created: |
Source: | File created: |
Source: | Key opened: |
Source: | Key opened: |
Source: | Key opened: |
Source: | ReversingLabs: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Static PE information: |
Source: | Code function: | 0_2_004323A5 | |
Source: | Code function: | 0_2_0042F108 | |
Source: | Code function: | 0_2_0041AA36 | |
Source: | Code function: | 0_2_004119FA | |
Source: | Code function: | 0_2_0041E1BA | |
Source: | Code function: | 0_2_0041A395 | |
Source: | Code function: | 0_2_00411ABE | |
Source: | Code function: | 0_2_0042EB58 | |
Source: | Code function: | 0_2_0042DBE1 | |
Source: | Code function: | 0_2_004174C5 | |
Source: | Code function: | 0_2_0042B58A | |
Source: | Code function: | 0_2_004276DD | |
Source: | Code function: | 0_2_00427757 | |
Source: | Code function: | 0_2_00411DD8 |
Source: | Process information set: |
Source: | API coverage: |
Source: | Code function: | 0_2_004093C8 | |
Source: | Code function: | 0_2_00429570 | |
Source: | Code function: | 0_2_0041E578 | |
Source: | Code function: | 0_2_00408DFC | |
Source: | Code function: | 0_2_0041DF90 |
Source: | Code function: | 0_2_00409C44 |
Source: | Binary or memory string: |
Source: | API call chain: | graph_0-17292 |
Source: | Process queried: |
Source: | Code function: | 0_2_004056AC |
Source: | Code function: | 0_2_00409500 | |
Source: | Code function: | 0_2_0041B8F0 | |
Source: | Code function: | 0_2_00419880 | |
Source: | Code function: | 0_2_004089A0 | |
Source: | Code function: | 0_2_00419A68 | |
Source: | Code function: | 0_2_0041B374 | |
Source: | Code function: | 0_2_00416CE4 | |
Source: | Code function: | 0_2_00416D30 | |
Source: | Code function: | 0_2_0041AD3C |
Source: | Code function: | 0_2_0041B8F0 |
Source: | Code function: | 0_2_0040A8B6 |
Source: | Key value queried: |
Source: | Binary or memory string: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 21 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 26 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
55% | ReversingLabs | Win32.Trojan.Ulise | |
100% | Avira | TR/Redcap.cafuo | |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1522718 |
Start date and time: | 2024-09-30 15:57:11 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 16s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 9 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | file.exe |
Detection: | MAL |
Classification: | mal60.winEXE@3/6@0/0 |
EGA Information: |
HCA Information: |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 52.168.117.173
- Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- VT rate limit hit for: file.exe
Time | Type | Description |
---|---|---|
09:58:17 | API Interceptor |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_71e4f97fcad7bd8af59197fe7fdb89b6f66cc6a_89969336_9d5f8a6b-4665-44cb-89ec-0ff41a3c22d9\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.7305092461365446 |
Encrypted: | false |
SSDEEP: | 192:CA8uPXwTevTPrl0Wj7YcI3jcqzuiFGZ24IO8TVBGi:CU4TwTqWfYbj5zuiFGY4IO8XGi |
MD5: | 9A8F37BED9E0D1534555FACB5261FD8D |
SHA1: | 352030F9CF0AF0A1B9CF7B2C7D822C6B0BFEA5F3 |
SHA-256: | FF59C87BA5217CAB39282508CBFB26EF492CD556CD65E0F7B02DC6323D624EA8 |
SHA-512: | C772124B2A0490A04BE241633D0CBAB4836CE1DA721F176CBDB99EA7091C113240201EDF1E43E50EA6D26AA99B04C19E517A8BD60CFAEB554F9336E340CCE920 |
Malicious: | true |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 35816 |
Entropy (8bit): | 1.948888161259869 |
Encrypted: | false |
SSDEEP: | 192:Mg3lq6tH8JtOvmNWZ9enGQbw6QxxwF7eMF:vAwJo8sDfQ4F |
MD5: | 6993E53FAD2C8694ADDD52A170291DCA |
SHA1: | E255C3E55F3390413B1D3F7FB172F7AE24130A97 |
SHA-256: | CE51CFC36F3AC132D29601E9AAC40EF74C329F5047F1A4686B2F5B58B1F8C0C0 |
SHA-512: | D71988624D96E8D17F8B42CD0453156F6D9D3DAC0DF48509F6BAAB082355468635D7A21D47ECAA48221015B1B8019DEDE0D900EF864DB5418BEA6B2205736AC5 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8264 |
Entropy (8bit): | 3.6892511934779812 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJICk6m/6Y9KSU9bxegmfBv9WJ1xpr789bX8sf8dm:R6lXJs6m6YQSU9bxegmfz4gXPfL |
MD5: | A531809040B905FEFB23FBEFA9A2E208 |
SHA1: | 8B839BFBEC0D4899AD98E521011F164275423412 |
SHA-256: | D228E00BBE93DA19E797B0872089D3DD561E45772FFC097ACFB458573E2D8F4D |
SHA-512: | AD77EB181E999EE29CE7F4C458120E9F62DDDDEBA8E5822A6766F9F4C32D92A579857B4FAF1EBF9762DC65B671B27D18A2844828BD90800D36A63CF7923BEEE7 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4537 |
Entropy (8bit): | 4.429274436238106 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsYJg77aI9/DrEWpW8VYpYm8M4J6upFSO+q8FjD1F8bVhed:uIjfeI75Drd7VFJCOMubVhed |
MD5: | 7C5D100DCBC06AEE4B6364E25A98F08D |
SHA1: | BA89B082D5556A159B7154DE3CAF25BE9DF07632 |
SHA-256: | 0C2A2958A076B746957038D660A61B6BB1FAAB6C06C90E387E9A17028CDFDE5E |
SHA-512: | CFBF2F9E687460E2592CE1E5381711A9857D3EF78C66B97751AEB181755810C9573FED8718DE0AAC1CCA172FA84087B2AEA281971BC60FE830F111958AC93854 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1835008 |
Entropy (8bit): | 4.4653700044436 |
Encrypted: | false |
SSDEEP: | 6144:vIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNPdwBCswSbo:AXD94+WlLZMM6YFH1+o |
MD5: | 647395672846865397B1707BCAF045E9 |
SHA1: | CD10C1592B1110D5457E3916DED3621089ACCA49 |
SHA-256: | C6D0D2E18C11C86B6E17FFF3DB74EC687B693F8DF1F492E8DA47635AA1B6D98F |
SHA-512: | 70FA31E8E20B2E5F2C3A59B0AFB03EBF69EC6DB3401AC070A6493CC14BA9127AC09FB953C9F7E6313A7F8DD52EF197A1509F32652857A460D10DFB088CEF705C |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\file.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 94 |
Entropy (8bit): | 4.362817182138386 |
Encrypted: | false |
SSDEEP: | 3:YX7/FCp7/FaBktRNVFDe8yLALwqQFNV0owvn:YXBA1tRHFixLAsXUowvn |
MD5: | 9D70D97D77237FF5E8E515812D35A794 |
SHA1: | B12CF9D743825BA7552E6530CD3284D268901D1E |
SHA-256: | E28851B7C00C0007E12E148A3669BDDBDA4F5436BA6D8F8CDBEF866F0FD639E3 |
SHA-512: | 391F283B27A1B04C08CEA56577A2A7551D33287A9C7F84C75DE9DC1490A2105D01B66D10E7B4BF982BE234EDE6EE5656712D8E915BF3119810E3A91829C02946 |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 6.342809552882167 |
TrID: |
File name: | file.exe |
File size: | 247'808 bytes |
MD5: | 6aecfc2ede0f22d0add919214de21a83 |
SHA1: | c2c87ef0d333c4c56cdc2dcb52fd4d7c4902b2ec |
SHA256: | 64aa700db7bb8d9f836e59ce259a47bce371dc0c60cba660ce51edef945d679d |
SHA512: | 4431cbe661c002b003d03707873c83cf45d72e4d6a55fc429983ef9fbfb94bf8a151776afddb4aa33d9e70d4a657b879e813d5ce248ed32bfe0f69e42702e71a |
SSDEEP: | 3072:EFnAqcUJYKwCRmkuMRub1hKjTBp9q81sAarKzRVk0UwwQFFwBhY7m0R4uvV+sWVX:EFA9D3Cb5BvVurKzR6Ql7PR4uvV+sWVX |
TLSH: | A1344B21F6B04C77FCA0363C48B5AE20A83FBF612935585A5AD5CE0DCDA87516C24B6F |
File Content Preview: | MZP.....................@...............................................!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x432408 |
Entrypoint Section: | .itext |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI |
DLL Characteristics: | |
Time Stamp: | 0x63FD37C5 [Mon Feb 27 23:07:49 2023 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | a23e906a3949b729caf5252cca3e2436 |
Instruction |
---|
push ebp |
mov ebp, esp |
mov ecx, 00000005h |
push 00000000h |
push 00000000h |
dec ecx |
jne 00007FAB687F3C2Bh |
push ebx |
push esi |
push edi |
mov eax, dword ptr [00435138h] |
mov byte ptr [eax], 00000001h |
mov eax, 0042F114h |
call 00007FAB687CB639h |
mov esi, 0044EA78h |
xor eax, eax |
push ebp |
push 0043284Ch |
push dword ptr fs:[eax] |
mov dword ptr fs:[eax], esp |
mov edx, 0044EA74h |
mov eax, 0042EB74h |
call 00007FAB687CB377h |
mov eax, dword ptr [00435070h] |
xor edx, edx |
mov dword ptr [eax], edx |
mov eax, dword ptr [00434FDCh] |
mov byte ptr [eax], 00000000h |
mov eax, dword ptr [00434E70h] |
mov byte ptr [eax], 00000001h |
mov al, 01h |
call 00007FAB687C549Bh |
mov eax, dword ptr [00435038h] |
movzx eax, word ptr [eax] |
mov edx, dword ptr [00435008h] |
mov dword ptr [edx], eax |
push 00000000h |
call 00007FAB687DBD78h |
push 00000000h |
mov eax, dword ptr [00434F1Ch] |
mov ecx, 00000001h |
mov edx, dword ptr [0041A4C8h] |
call 00007FAB687C9BA1h |
add esp, 04h |
push 00000000h |
mov eax, dword ptr [00435154h] |
mov ecx, 00000001h |
mov edx, dword ptr [0041A4F8h] |
call 00007FAB687C9B87h |
add esp, 04h |
mov dl, 01h |
mov eax, dword ptr [0042EB8Ch] |
call 00007FAB687F0530h |
mov ebx, eax |
mov cl, 01h |
mov edx, 00432868h |
mov eax, ebx |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4f000 | 0x1690 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x58000 | 0x39c8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x54000 | 0x3bfc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x53000 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4f464 | 0x360 | .idata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x51000 | 0x154 | .didata |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x30278 | 0x30400 | 807e6bc6e9d85fffec10d6334d0864ea | False | 0.4723324158031088 | data | 6.339345262683559 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.itext | 0x32000 | 0x898 | 0xa00 | 21e2297d5d83a14b3c3e6a714602540f | False | 0.56640625 | data | 5.606376089772764 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.data | 0x33000 | 0x2244 | 0x2400 | 57356af26eab43fbfb0619f07bb22c81 | False | 0.4635416666666667 | data | 4.5093245997612 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.bss | 0x36000 | 0x18a80 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0x4f000 | 0x1690 | 0x1800 | 2193ef0275c1f12cfd67fc09fade29dc | False | 0.3121744791666667 | data | 4.896486827036879 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.didata | 0x51000 | 0x154 | 0x200 | 6de21e24620a89ab2e2905a0e4915a2b | False | 0.310546875 | data | 2.432645247523557 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0x52000 | 0xc | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0x53000 | 0x18 | 0x200 | 272af25f48168b97f4538cbb5693615c | False | 0.05078125 | MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "E" | 0.2108262677871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x54000 | 0x3bfc | 0x3c00 | 9cf473c658767053ad651cc6b3eac91c | False | 0.636328125 | data | 6.643887780687566 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.rsrc | 0x58000 | 0x39c8 | 0x3a00 | 1388b5a631f83e74d554866889a09fe5 | False | 0.2848195043103448 | data | 3.6591492278320907 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_DIALOG | 0x583b8 | 0x28 | Non-ISO extended-ASCII text, with CR, NEL line terminators | 1.275 | ||
RT_DIALOG | 0x583e0 | 0x4 | ISO-8859 text, with no line terminators | 3.0 | ||
RT_DIALOG | 0x583e4 | 0x80 | data | 1.0078125 | ||
RT_STRING | 0x58464 | 0xac4 | data | 0.31712626995645865 | ||
RT_STRING | 0x58f28 | 0x6d0 | data | 0.34174311926605505 | ||
RT_STRING | 0x595f8 | 0x5d0 | data | 0.3326612903225806 | ||
RT_STRING | 0x59bc8 | 0x7e0 | data | 0.31398809523809523 | ||
RT_STRING | 0x5a3a8 | 0x310 | data | 0.3711734693877551 | ||
RT_STRING | 0x5a6b8 | 0x328 | data | 0.3910891089108911 | ||
RT_STRING | 0x5a9e0 | 0x1fc | data | 0.4862204724409449 | ||
RT_STRING | 0x5abdc | 0xc4 | data | 0.6428571428571429 | ||
RT_STRING | 0x5aca0 | 0x170 | data | 0.5597826086956522 | ||
RT_STRING | 0x5ae10 | 0x328 | data | 0.422029702970297 | ||
RT_STRING | 0x5b138 | 0x354 | data | 0.4107981220657277 | ||
RT_STRING | 0x5b48c | 0x2b8 | data | 0.4367816091954023 | ||
RT_VERSION | 0x5b744 | 0x27c | data | English | United States | 0.4481132075471698 |
None | 0x5b9c0 | 0x8 | ASCII text, with no line terminators | 2.0 |
DLL | Import |
---|---|
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen |
advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey |
user32.dll | MessageBoxA, CharNextW, LoadStringW |
kernel32.dll | Sleep, VirtualFree, VirtualAlloc, lstrlenW, VirtualQuery, QueryPerformanceCounter, GetTickCount, GetSystemInfo, GetVersion, CompareStringW, IsDBCSLeadByteEx, IsValidLocale, SetThreadLocale, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetLocaleInfoW, WideCharToMultiByte, MultiByteToWideChar, GetConsoleOutputCP, GetConsoleCP, GetACP, LoadLibraryExW, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetCommandLineW, FreeLibrary, GetLastError, UnhandledExceptionFilter, RtlUnwind, RaiseException, ExitProcess, SwitchToThread, GetCurrentThreadId, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, FindFirstFileW, FindClose, WriteFile, SetFilePointer, SetEndOfFile, ReadFile, GetFileType, GetFileSize, CreateFileW, GetStdHandle, CloseHandle |
kernel32.dll | GetProcAddress, RaiseException, LoadLibraryA, GetLastError, TlsSetValue, TlsGetValue, LocalFree, LocalAlloc, GetModuleHandleW, FreeLibrary |
user32.dll | MessageBoxW, LoadStringW, GetUserObjectInformationW, GetThreadDesktop, GetSystemMetrics, GetProcessWindowStation, CharUpperBuffW, CharUpperW |
mpr.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetAddConnection2W |
kernel32.dll | WriteFile, WriteConsoleW, WideCharToMultiByte, WaitForSingleObject, VirtualQuery, TerminateProcess, SystemTimeToFileTime, SizeofResource, SetLocalTime, SetFilePointer, SetEvent, SetErrorMode, SetEnvironmentVariableW, SetCurrentDirectoryW, SetConsoleTitleW, SetConsoleTextAttribute, SetConsoleMode, SetConsoleCursorPosition, SetConsoleCtrlHandler, SearchPathW, ScrollConsoleScreenBufferW, ResetEvent, ReadFile, ReadConsoleW, MultiByteToWideChar, LockResource, LocalFree, LoadResource, LoadLibraryW, LeaveCriticalSection, IsValidLocale, InitializeCriticalSection, GetWindowsDirectoryW, GetVolumeInformationW, GetVersionExW, GetVersion, GetUserDefaultLCID, GetTimeFormatW, GetThreadLocale, GetSystemTime, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileType, GetFileSize, GetFileAttributesExW, GetFileAttributesW, GetExitCodeProcess, GetEnvironmentVariableW, GetEnvironmentStringsW, GetDriveTypeW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentDirectoryW, GetConsoleTitleW, GetConsoleScreenBufferInfo, GetConsoleOutputCP, GetConsoleMode, GetCommandLineW, GetCPInfo, GetBinaryTypeW, FreeResource, FreeLibrary, FreeEnvironmentStringsW, FormatMessageW, FlushFileBuffers, FlushConsoleInputBuffer, FindResourceW, FindNextFileW, FindFirstFileW, FindClose, FillConsoleOutputAttribute, FileTimeToSystemTime, FileTimeToLocalFileTime, ExitProcess, EnumSystemLocalesW, EnumCalendarInfoW, EnterCriticalSection, DuplicateHandle, DebugBreak, CreateProcessW, CreateFileW, CreateEventW, CreateDirectoryW, CompareStringW, CloseHandle |
advapi32.dll | RegSetValueExW, RegSetValueW, RegQueryValueExW, RegQueryValueW, RegOpenKeyExW, RegOpenKeyW, RegEnumKeyW, RegDeleteKeyW, RegCreateKeyExW, RegCloseKey |
kernel32.dll | SetThreadUILanguage, SetEnvironmentStringsW, GetVDMCurrentDirectories |
msvcrt.dll | _ltow, _ultow, _wtol, wcstoul, wcstol, _getch, _pipe, feof, ferror, fgets, _pclose, _wpopen, fflush, _dup2, _dup, _close, _get_osfhandle, _open_osfhandle |
shell32.dll | ShellExecuteExW |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 30, 2024 15:58:51.441318989 CEST | 53 | 62457 | 162.159.36.2 | 192.168.2.4 |
Sep 30, 2024 15:58:51.923090935 CEST | 53 | 60015 | 1.1.1.1 | 192.168.2.4 |
Target ID: | 0 |
Start time: | 09:58:03 |
Start date: | 30/09/2024 |
Path: | C:\Users\user\Desktop\file.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 247'808 bytes |
MD5 hash: | 6AECFC2EDE0F22D0ADD919214DE21A83 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | Borland Delphi |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 09:58:04 |
Start date: | 30/09/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 4 |
Start time: | 09:58:04 |
Start date: | 30/09/2024 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x340000 |
File size: | 483'680 bytes |
MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Execution Graph
Execution Coverage: | 2.9% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 8.6% |
Total number of Nodes: | 2000 |
Total number of Limit Nodes: | 45 |
Graph
Function | Relevance | APIs | Strings | Instructions | Tags | Control-flow Graph |
---|---|---|---|---|---|---|
00409500 | 3.1 | 2 | | 63 | COMMON | yes |
004093C8 | 3.0 | 2 | | 33 | file, COMMON | yes |
00409C44 | 1.5 | 1 | | 6 | COMMON | |
00408FEC | 28.2 | 12 | 4 | 173 | registry, COMMON | yes |
00432408 | 17.8 | 2 | 8 | 290 | thread, COMMON | yes |
00417DE0 | 17.6 | 8 | 2 | 97 | file, window, COMMON | yes |
0042EE28 | 10.6 | 4 | 2 | 61 | registry, COMMON | yes |
00406D5C | 7.1 | 3 | 1 | 92 | thread, COMMON | yes |
00406D54 | 7.1 | 3 | 1 | 87 | thread, COMMON | yes |
0040278C | 4.5 | 1 | 2 | 38 | memory, COMMON | yes |
004095CC | 3.1 | 2 | | 93 | COMMON | yes |
004068DA | 3.1 | 2 | | 68 | COMMON | yes |
004096F0 | 3.1 | 2 | | 55 | library, COMMON | yes |
00408478 | 1.5 | 1 | | 26 | COMMON | yes |
0041B374 | 30.1 | 13 | 4 | 380 | time, COMMON | |
0041B8F0 | 21.3 | 8 | 4 | 258 | time, COMMON | |
00408DFC | 15.9 | 6 | 3 | 140 | string, library, file, COMMON | |
0042EF38 | 7.6 | 5 | | 130 | COMMON | |
0041DF90 | 6.1 | 4 | | 71 | file, COMMON | |
00429570 | 4.6 | 3 | | 128 | file, COMMON | |
004089A0 | 4.6 | 3 | | 99 | COMMON | |
0041E578 | 3.1 | 2 | | 95 | file, COMMON | |
0040FCAC | 2.9 | | | 2860 | COMMON | |
004151D0 | 1.5 | 1 | | 49 | COMMON | |
00416CE4 | 1.5 | 1 | | 29 | COMMON | |
00419A68 | 1.5 | 1 | | 26 | COMMON | |
00419880 | 1.5 | 1 | | 17 | COMMON | |
0040A8B6 | 1.5 | 1 | | 15 | COMMON | |
00408090 | 0.1 | | | 64 | COMMON | |
004056AC | 0.0 | | | 22 | COMMON | |
00425590 | 38.8 | 12 | 10 | 318 | thread, process, COMMON | |
0042B8F4 | 33.4 | 12 | 7 | 162 | registry, COMMON | |
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042D85C Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 172fileCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00426E30 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 197registryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004044BC Relevance: 19.7, APIs: 13, Instructions: 189COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00417560 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 175threadCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042DF84 Relevance: 18.2, APIs: 12, Instructions: 152COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00416D5C Relevance: 17.7, APIs: 2, Strings: 8, Instructions: 219threadCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00403890 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 285windowCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00427200 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 183registryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0041BD54 Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 211timeCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0041F544 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 160shareCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406CC4 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 40filewindowCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00402E28 Relevance: 12.2, APIs: 8, Instructions: 221sleepCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00403020 Relevance: 10.9, APIs: 7, Instructions: 407COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042B37C Relevance: 9.1, APIs: 6, Instructions: 134COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0041E3BC Relevance: 9.1, APIs: 6, Instructions: 54COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00402AA4 Relevance: 9.0, APIs: 7, Instructions: 298sleepCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0041E478 Relevance: 9.0, APIs: 6, Instructions: 42COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004269AC Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 114registryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405F90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 65libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405F8E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042B278 Relevance: 7.6, APIs: 5, Instructions: 104fileCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0041E2B0 Relevance: 7.6, APIs: 5, Instructions: 96COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0041E1C4 Relevance: 7.6, APIs: 5, Instructions: 90fileCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004254F4 Relevance: 7.6, APIs: 5, Instructions: 64COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00426CB8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103registryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042685C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 97registryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042D6AC Relevance: 6.1, APIs: 4, Instructions: 114COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004279E4 Relevance: 6.1, APIs: 4, Instructions: 95fileCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00408B9C Relevance: 6.1, APIs: 4, Instructions: 95threadCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042385C Relevance: 6.0, APIs: 4, Instructions: 45COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00426B7C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80registryCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042753C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38libraryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|