Windows
Analysis Report
0urFbKxdvL.exe
Overview
General Information
Sample name: | 0urFbKxdvL.exe (renamed because original name is a hash value) |
Original sample name: | 328eea4110a4b59778225e2efef7b9cfd07adfb8d189d9fa2d2e450de274659c.exe |
Analysis ID: | 1527620 |
MD5: | 0ae609594fbd4bb27287bd63bc9e9529 |
SHA1: | a506ec04296bd6fe7450c59578bd55a94f17aa65 |
SHA256: | 328eea4110a4b59778225e2efef7b9cfd07adfb8d189d9fa2d2e450de274659c |
Tags: | exe, SliverFox, user-bloated7731 |
Detection
Score: | 60 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- 0urFbKxdvL.exe (PID: 6868 cmdline: "C:\Users\user\Desktop\0urFbKxdvL.exe" MD5: 0AE609594FBD4BB27287BD63BC9E9529)
- cleanup
AV Detection
Source | Detail |
---|---|
Virustotal | |
ReversingLabs | |
Integrated Neural Analysis Model | |
Code function | 0_2_00000001400043D0 |
String found in binary or memory | |
String found in binary or memory | |
String found in binary or memory | |
String found in binary or memory | |
String found in binary or memory | |
String found in binary or memory | |
Code function | 0_2_0000000140004570 |
Code function | 0_2_000000014000CA3C |
Code function | 0_2_000000014000D684 |
Code function | 0_2_0000000140009CA0 |
Code function | 0_2_00000001400126C4 |
Code function | 0_2_0000000140007320 |
Code function | 0_2_000000014000CD28 |
Code function | 0_2_0000000140003990 |
Code function | 0_2_00000001400049C0 |
Code function | 0_2_000000014000E9D4 |
Code function | 0_2_001E0000 |
Code function | 0_2_001E6947 |
Binary or memory string | |
Binary or memory string | |
Binary or memory string | |
Classification label | mal60.evad.winEXE@1/0@0/0 |
Code function | 0_2_0000000140007EB0 |
Mutant created | |
Static PE information | |
Key opened | |
Virustotal | |
ReversingLabs | |
String found in binary or memory | |
String found in binary or memory | |
String found in binary or memory | |
String found in binary or memory | |
Section loaded | |
Section loaded | |
Static PE information | |
Static file information | |
Static PE information | |
Static PE information | |
Static PE information | |
Static PE information | |
Static PE information | |
Code function | 0_2_0000000140004230 |
Static PE information | |
Code function | 0_2_001E8C4B |
Code function | 0_2_001E8C63 |
Code function | 0_2_001E8C82 |
Code function | 0_2_001E8C7A |
Code function | 0_2_000000014000CA3C |
Malware Analysis System Evasion
Source | Detail |
---|---|
Code function | 0_2_000000014000112B |
RDTSC instruction interceptor | |
RDTSC instruction interceptor | |
Code function | 0_2_000000014000112B |
Code function | 0_2_0000000140009CA0 |
API coverage | |
Thread injection, dropped files, key value created, disk infection and DNS query | |
Code function | 0_2_00000001400043D0 |
Code function | 0_2_001E2917 |
Code function | 0_2_000000014000112B |
Code function | 0_2_000000014000B608 |
Code function | 0_2_00000001400121B8 |
Code function | 0_2_0000000140004230 |
Code function | 0_2_000000014000C8BC |
Thread injection, dropped files, key value created, disk infection and DNS query | |
Code function | 0_2_0000000140010850 |
Code function | 0_2_000000014000F644 |
Code function | 0_2_0000000140009CA0 |
Code function | 0_2_0000000140010018 |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Access Token Manipulation | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 DLL Side-Loading | LSASS Memory | 1 Query Registry | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 24 Security Software Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 223 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 19% | Virustotal | | |
| 32% | ReversingLabs | Win64.Trojan.Generic | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | Virustotal | | |
| 0% | Virustotal | | |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1527620 |
Start date and time: | 2024-10-07 06:50:12 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 2m 10s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 1 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | 0urFbKxdvL.exe (renamed because original name is a hash value) |
Original Sample Name: | 328eea4110a4b59778225e2efef7b9cfd07adfb8d189d9fa2d2e450de274659c.exe |
Detection: | MAL |
Classification: | mal60.evad.winEXE@1/0@0/0 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
Time | Type | Description |
---|---|---|
00:51:19 | API Interceptor | |
File type: | |
Entropy (8bit): | 0.539544912633656 |
TrID: | |
File name: | 0urFbKxdvL.exe |
File size: | 4'338'576 bytes |
MD5: | 0ae609594fbd4bb27287bd63bc9e9529 |
SHA1: | a506ec04296bd6fe7450c59578bd55a94f17aa65 |
SHA256: | 328eea4110a4b59778225e2efef7b9cfd07adfb8d189d9fa2d2e450de274659c |
SHA512: | d8499aea7c7678fd73516908fc6b67620f6adb226229966b346e723ca08bdbddc42bfc37babdcdfc7c4e87ff8529beb930940eaa3302bb6e1e2731347da4abd1 |
SSDEEP: | 3072:gQX30XiK1yhTwS8XjJ3T/yub0kouJidkIQhujeZw0WMTwTKVrSf5RWRtS:zH0bXllTK60kojwo0TCKVrSf5y |
TLSH: | 3E16D50363E96199F5F3AB3499B552219B737CA19E38C74E0258811DCFB3E809D39B63 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S._.2...2...2..X.&..2..X.'..2..X.$..2...Jz..2...2..22....&..2.... ..2...2~..2....%..2..Rich.2..................PE..d......^... |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x14000b32c |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x140000000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x5EBBC909 [Wed May 13 10:16:41 2020 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 2 |
File Version Major: | 5 |
File Version Minor: | 2 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 2 |
Import Hash: | 09e13ccaecfac7723baa55f4b7663729 |
Signature Valid: | |
Signature Issuer: | |
Signature Validation Error: | |
Error Number: | |
Not Before, Not After | |
Subject Chain | |
Version: | |
Thumbprint MD5: | |
Thumbprint SHA-1: | |
Thumbprint SHA-256: | |
Serial: |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1bcac | 0x78 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x33000 | 0xafec | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x31000 | 0x10f8 | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x38a00 | 0x1b90 | .rsrc |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3e000 | 0x67c | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1a6f0 | 0x70 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x14000 | 0x4a8 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x12f91 | 0x13000 | 1e594382c3f5e8c63dafbf83a47224d4 | False | 0.5647743626644737 | data | 6.31237259360314 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x14000 | 0x8e36 | 0x9000 | 748978ae9cc91681b00dd08b7b1c4a29 | False | 0.3344184027777778 | data | 4.318170867822159 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x1d000 | 0x13b00 | 0x10800 | bbf99811d946b9122af7b8914d8d5dbe | False | 0.4825846354166667 | data | 5.627074879820151 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x31000 | 0x10f8 | 0x1200 | 5fca5de5e4fdf02465922bba040d5120 | False | 0.4516059027777778 | data | 4.842198122273491 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x33000 | 0xafec | 0xb000 | ebcc72a1b2a02881e5b0bdf5fceb886d | False | 0.13108132102272727 | data | 3.4487274625670556 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x3e000 | 0x90c | 0xa00 | f6324ad470840bca9e3b60544f950905 | False | 0.4171875 | data | 4.283178652006133 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_STRING | 0x33118 | 0xea | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.43162393162393164 |
RT_STRING | 0x33204 | 0xaa | data | English | United States | 0.4823529411764706 |
RT_MESSAGETABLE | 0x332b0 | 0xa944 | Matlab v4 mat-file (little endian) \306\352, rows 60000, columns 60002, imaginary | English | United States | 0.1238576571586818 |
RT_VERSION | 0x3dbf4 | 0x3f8 | data | English | United States | 0.41437007874015747 |
DLL | Import |
---|---|
KERNEL32.dll | FindFirstFileW, FindNextFileW, LocalFree, GetCurrentProcess, FormatMessageW, FileTimeToSystemTime, GetFileAttributesW, SetFilePointerEx, SetStdHandle, HeapSize, HeapReAlloc, GetConsoleMode, CreateFileW, GetFullPathNameW, GetWindowsDirectoryW, LoadLibraryW, lstrlenW, CloseHandle, FindClose, DeviceIoControl, GetLastError, GetProcAddress, GetDateFormatW, FreeLibrary, GetConsoleCP, FlushFileBuffers, OutputDebugStringW, LoadLibraryExW, LCMapStringW, WideCharToMultiByte, GetModuleHandleW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetSystemTimeAsFileTime, GetCurrentProcessId, QueryPerformanceCounter, GetStringTypeW, GetStartupInfoW, GetFileType, RtlUnwindEx, Sleep, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, GetModuleFileNameW, WriteFile, GetStdHandle, GetModuleHandleExW, WriteConsoleW, ExitProcess, GetProcessHeap, MultiByteToWideChar, GetCurrentThreadId, SetLastError, GetCPInfo, GetOEMCP, GetACP, HeapFree, HeapAlloc, EnterCriticalSection, LeaveCriticalSection, GetCommandLineW, EncodePointer, DecodePointer, RtlPcToFileHeader, RaiseException, IsDebuggerPresent, IsProcessorFeaturePresent, VirtualAlloc |
USER32.dll | wsprintfW, LoadStringW, CharPrevW, CharNextW |
ADVAPI32.dll | RegQueryValueExW, LookupPrivilegeValueW, AdjustTokenPrivileges, OpenProcessToken, OpenServiceW, OpenSCManagerW, CloseServiceHandle, RegSetValueExW, RegDeleteValueW, RegCloseKey, InitiateSystemShutdownExW |
ole32.dll | CLSIDFromString, IIDFromString |
SETUPAPI.dll | CM_Get_Next_Res_Des_Ex, CM_Get_Res_Des_Data_Size_Ex, CM_Get_Res_Des_Data_Ex, CM_Get_First_Log_Conf_Ex, CM_Free_Res_Des_Handle, CM_Free_Log_Conf_Handle, SetupDiGetDriverInstallParamsW, SetupDiSetDeviceInstallParamsW, SetupDiDestroyDriverInfoList, SetupDiGetDriverInfoDetailW, SetupDiSetSelectedDriverW, SetupDiEnumDriverInfoW, SetupDiBuildDriverInfoList, SetupScanFileQueueW, SetupCloseFileQueue, SetupOpenFileQueue, SetupGetStringFieldW, SetupFindFirstLineW, SetupCloseInfFile, SetupOpenInfFileW, SetupDiGetDeviceRegistryPropertyW, SetupDiOpenDeviceInfoW, SetupDiCreateDeviceInfoListExW, CM_Reenumerate_DevNode_Ex, CM_Locate_DevNode_ExW, CM_Get_Device_Interface_List_SizeW, CM_Get_Device_Interface_ListW, CM_Get_DevNode_Status_Ex, CM_Get_Device_ID_ExW, CM_Disconnect_Machine, CM_Connect_MachineW, SetupDiClassGuidsFromNameExW, SetupDiClassNameFromGuidExW, SetupDiSetClassInstallParamsW, SetupDiGetDeviceInstallParamsW, SetupDiSetDeviceRegistryPropertyW, SetupDiOpenClassRegKeyExW, SetupDiCallClassInstaller, SetupDiGetClassDescriptionExW, SetupDiBuildClassInfoListExW, SetupDiGetINFClassW, SetupDiGetClassDevsExW, SetupDiDestroyDeviceInfoList, SetupDiEnumDeviceInfo, SetupDiCreateDeviceInfoW, SetupDiGetDeviceInfoListDetailW, SetupDiCreateDeviceInfoList, SetupCopyOEMInfW, SetupDiOpenDevRegKey |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Target ID: | 0 |
Start time: | 00:51:15 |
Start date: | 07/10/2024 |
Path: | C:\Users\user\Desktop\0urFbKxdvL.exe |
Wow64 process (32bit): | false |
Commandline: | "C:\Users\user\Desktop\0urFbKxdvL.exe" |
Imagebase: | 0x140000000 |
File size: | 4'338'576 bytes |
MD5 hash: | 0AE609594FBD4BB27287BD63BC9E9529 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Execution Graph
Execution Coverage: | 2.3% |
Dynamic/Decrypted Code Coverage: | 99.2% |
Signature Coverage: | 35.7% |
Total number of Nodes: | 392 |
Total number of Limit Nodes: | 7 |
Graph
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
001E8517 | 85.8 | 2 | 47 | 100 | memory, COMMON |
001E86B7 | 84.1 | 2 | 46 | 101 | memory, COMMON |
001E0E57 | 1.6 | 1 | | 54 | library, COMMON |
001E0000 | 259.4 | 1 | 147 | 405 | COMMON |
00000001400126C4 | 42.5 | 23 | 1 | 460 | COMMON, LIBRARYCODE |
0000000140009CA0 | 42.3 | 20 | 4 | 260 | registry, COMMON |
000000014000E9D4 | 37.4 | 19 | 2 | 687 | COMMON, LIBRARYCODE |
000000014000D684 | 26.2 | 17 | | 711 | COMMON, LIBRARYCODE |
00000001400049C0 | 23.0 | 12 | 1 | 285 | COMMON |
0000000140004230 | 19.3 | 9 | 2 | 90 | library, loader, COMMON |
0000000140004570 | 15.8 | 7 | 2 | 89 | file, string, COMMON |
0000000140007EB0 | 12.3 | 6 | 1 | 43 | shutdown, COMMON |
00000001400043D0 | 8.8 | 4 | 1 | 98 | COMMON |
000000014000112B | 0.0 | | | 44 | COMMON |
0000000140009920 | 40.4 | 17 | 6 | 197 | library, file, loader, COMMON |
00000001400061A0 | 26.6 | 11 | 4 | 359 | registry, service, string, COMMON |
0000000140006AA0 | 26.3 | 9 | 6 | 92 | COMMON |
0000000140009210 | 22.9 | 9 | 4 | 116 | COMMON |
0000000140008AA0 | 21.3 | 11 | 1 | 256 | time, COMMON |
0000000140006D30 | 19.5 | 10 | 1 | 260 | string, COMMON |
0000000140005C10 | 15.9 | 8 | 1 | 134 | COMMON |
0000000140004710 | 12.4 | 6 | 1 | 164 | COMMON |
00000001400093D0 | 12.4 | 4 | 3 | 150 | registry, COMMON |
0000000140005A90 | 12.3 | 5 | 2 | 81 | COMMON |
0000000140006BF0 | 12.3 | 6 | 1 | 69 | COMMON |
000000014001250C | 12.1 | 8 | | 63 | COMMON, LIBRARYCODE |
0000000140013A9C | 10.6 | 7 | | 67 | COMMON, LIBRARYCODE |
0000000140009810 | 10.6 | 4 | 2 | 66 | COMMON |
0000000140005E60 | 10.6 | 4 | 2 | 66 | library, loader, COMMON |
0000000140013700 | 10.6 | 7 | | 57 | COMMON, LIBRARYCODE |
00000001400125E4 | 9.1 | 6 | | 67 | COMMON, LIBRARYCODE |
0000000140012FD0 | 7.6 | 5 | | 93 | COMMON, LIBRARYCODE |
0000000140007D40 | 7.1 | 3 | 1 | 85 | registry, COMMON |
000000014000A130 | 7.0 | 3 | 1 | 47 | COMMON |