Windows
Analysis Report
Bzw4UJiXNj.exe
Overview
General Information
Sample name: | Bzw4UJiXNj.exerenamed because original name is a hash value |
Original sample name: | 4b61a3d79a892267bf6e76a54e188cc0.exe |
Analysis ID: | 1528625 |
MD5: | 4b61a3d79a892267bf6e76a54e188cc0 |
SHA1: | e1dc7ad66e65bf5ca6701eb224d11761c56b1288 |
SHA256: | 6bff92bd6fb84f1a453ead8ef017b6ae42a78b7fbbbd6414ec8a9cd669bf3b05 |
Tags: | 64exetrojan |
Infos: | |
Detection
Score: | 96 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- Bzw4UJiXNj.exe (PID: 3632 cmdline:
"C:\Users\ user\Deskt op\Bzw4UJi XNj.exe" MD5: 4B61A3D79A892267BF6E76A54E188CC0)
- cleanup
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | ||
JoeSecurity_MetasploitPayload | Yara detected Metasploit Payload | Joe Security | ||
Windows_Trojan_Metasploit_24338919 | Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon). | unknown |
|
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | 0_2_00007FF646DAB190 | |
Source: | Code function: | 0_2_00007FF646D940BC | |
Source: | Code function: | 0_2_00007FF646DBFCA0 |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
System Summary |
---|
Source: | Matched rule: |
Source: | Code function: | 0_2_00007FF646D8C2F0 |
Source: | Code function: | 0_2_00007FF646DB0754 | |
Source: | Code function: | 0_2_00007FF646D8F930 | |
Source: | Code function: | 0_2_00007FF646D94928 | |
Source: | Code function: | 0_2_00007FF646D9A4AC | |
Source: | Code function: | 0_2_00007FF646DA3484 | |
Source: | Code function: | 0_2_00007FF646DAB190 | |
Source: | Code function: | 0_2_00007FF646D85E24 | |
Source: | Code function: | 0_2_00007FF646DA1F20 | |
Source: | Code function: | 0_2_00007FF646DACE88 | |
Source: | Code function: | 0_2_00007FF646DBC838 | |
Source: | Code function: | 0_2_00007FF646D84840 | |
Source: | Code function: | 0_2_00007FF646DC2550 | |
Source: | Code function: | 0_2_00007FF646D876C0 | |
Source: | Code function: | 0_2_00007FF646DA53F0 | |
Source: | Code function: | 0_2_00007FF646D9B534 | |
Source: | Code function: | 0_2_00007FF646DA21D0 | |
Source: | Code function: | 0_2_00007FF646D9F180 | |
Source: | Code function: | 0_2_00007FF646D8A310 | |
Source: | Code function: | 0_2_00007FF646D8C2F0 | |
Source: | Code function: | 0_2_00007FF646D87288 | |
Source: | Code function: | 0_2_00007FF646D9126C | |
Source: | Code function: | 0_2_00007FF646DC2080 | |
Source: | Code function: | 0_2_00007FF646DA8DF4 | |
Source: | Code function: | 0_2_00007FF646DB0754 | |
Source: | Code function: | 0_2_00007FF646DA2D58 | |
Source: | Code function: | 0_2_00007FF646D9AF18 | |
Source: | Code function: | 0_2_00007FF646DB8C1C | |
Source: | Code function: | 0_2_00007FF646DA4B98 | |
Source: | Code function: | 0_2_00007FF646D9BB90 | |
Source: | Code function: | 0_2_00007FF646D95B60 | |
Source: | Code function: | 0_2_00007FF646DB89A0 | |
Source: | Code function: | 0_2_00007FF646DA3964 | |
Source: | Code function: | 0_2_00007FF646D9C96C | |
Source: | Code function: | 0_2_00007FF646DC5AF8 | |
Source: | Code function: | 0_2_00007FF646D81AA4 | |
Source: | Code function: | 0_2_00007FF646DA2AB0 | |
Source: | Code function: | 0_2_00007FF646DBFA94 | |
Source: | Code function: | 0_2_00007FF646D91A48 |
Source: | Binary or memory string: |
Source: | Matched rule: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Code function: | 0_2_00007FF646D8B6D8 |
Source: | Code function: | 0_2_00007FF646DA8624 |
Source: | File created: | Jump to behavior |
Source: | Static PE information: |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | ReversingLabs: | ||
Source: | Virustotal: |
Source: | File read: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Window detected: |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | File created: | Jump to behavior |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Code function: | 0_2_00007FF646DC5157 | |
Source: | Code function: | 0_2_00007FF646DC5167 |
Source: | Static PE information: |
Source: | File created: | Jump to dropped file |
Source: | Dropped PE file which has not been started: | Jump to dropped file |
Source: | File Volume queried: | Jump to behavior |
Source: | Code function: | 0_2_00007FF646DAB190 | |
Source: | Code function: | 0_2_00007FF646D940BC | |
Source: | Code function: | 0_2_00007FF646DBFCA0 |
Source: | Code function: | 0_2_00007FF646DB16A4 |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | Code function: | 0_2_00007FF646DB76D8 |
Source: | Code function: | 0_2_00007FF646DC0D20 |
Source: | Code function: | 0_2_00007FF646DB76D8 | |
Source: | Code function: | 0_2_00007FF646DB3354 | |
Source: | Code function: | 0_2_00007FF646DB2510 | |
Source: | Code function: | 0_2_00007FF646DB3170 |
Source: | Code function: | 0_2_00007FF646DAB190 |
Source: | Code function: | 0_2_00007FF646DC58E0 |
Source: | Code function: | 0_2_00007FF646DAA2CC |
Source: | Code function: | 0_2_00007FF646DB0754 |
Source: | Code function: | 0_2_00007FF646D951A4 |
Remote Access Functionality |
---|
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 3 Software Packing | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 DLL Side-Loading | LSASS Memory | 12 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | 25 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
67% | ReversingLabs | Win64.Trojan.CryptZMarte | ||
69% | Virustotal | Browse | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira | TR/Patched.Gen2 | ||
100% | Joe Sandbox ML | |||
84% | ReversingLabs | Win32.Backdoor.Swrort | ||
82% | Virustotal | Browse |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1528625 |
Start date and time: | 2024-10-08 05:08:06 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 2m 15s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 2 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | Bzw4UJiXNj.exerenamed because original name is a hash value |
Original Sample Name: | 4b61a3d79a892267bf6e76a54e188cc0.exe |
Detection: | MAL |
Classification: | mal96.troj.winEXE@1/3@0/0 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe
- Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Process: | C:\Users\user\Desktop\Bzw4UJiXNj.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 73802 |
Entropy (8bit): | 6.32292825214426 |
Encrypted: | false |
SSDEEP: | 1536:IPoaiZ2dMsk7otVGNvoBGZ063+GsWOVMb+KR0Nc8QsJq39:W1c2dZtM68063fee0Nc8QsC9 |
MD5: | 07E1BC43F53A20F738039F5BD8D081EC |
SHA1: | 8F6C6DD58009C7E87BCBE565D2D1702D77E70BA2 |
SHA-256: | 62E57F61112880D6D11D3FD7E0FB6BEA47215A5041BD66B170BCE4EF4CE8BF60 |
SHA-512: | E3BD6A8F983AF417E2BD67BCCD6EBCF949C36A9115EBB1179BE96BEE9C43FB4B164D55BC3A67ED471450CE58E1664938A81DFAE1BF919846BFC52056168F405A |
Malicious: | true |
Yara Hits: |
|
Antivirus: |
|
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\Bzw4UJiXNj.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 67646 |
Entropy (8bit): | 4.599798862733515 |
Encrypted: | false |
SSDEEP: | 384:J55555555555555555555555555555555555555555555555555555555555555V:/vmmmmmuRb+PtPdOvJ |
MD5: | 26C3AA5599218EB4B32C5A042F099320 |
SHA1: | 5443FDA4FEC6F022B46DC54A73CAC835ECFD1B87 |
SHA-256: | 17C8F8D74D73C1106E25CE25AEDE9408BEA3766E9B05B333DC3EA3DBCEB03C5C |
SHA-512: | C90A9204749EC0C234E7DFEA93D12F199BFA275C11E55B2EACA23195E240E552DA1E085518C4025B0233A09640A870B3F0A051DF6CBF760DA910154982325CE1 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\Bzw4UJiXNj.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 10713 |
Entropy (8bit): | 7.50179523733628 |
Encrypted: | false |
SSDEEP: | 192:YzQMA0Eh3B9aSl7Kq+ZmpImcQORPMJ6aUbbRMQMzwySd5mIOumCU4B:YcN9j7KqNljJ5Ujmib |
MD5: | 1304E793E5FFC4A9508DD9D334F45BE4 |
SHA1: | 05ABC3179625C6863828A5CFA5AD2A19AAE372D2 |
SHA-256: | E6C42A78E2A0A76DA607F8A3338A779670336B56100B92A618896D4209ED7DD8 |
SHA-512: | 2A62FDA3ACA049E6A7C1ED31FA0A858D6B0F12F1F840E2D51CF75F3312B1421F7EFC02E32FF034E7DAB07BDC9A772820E685215AA42240F16241D26ECA9001A9 |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 6.694905962044059 |
TrID: |
|
File name: | Bzw4UJiXNj.exe |
File size: | 536'027 bytes |
MD5: | 4b61a3d79a892267bf6e76a54e188cc0 |
SHA1: | e1dc7ad66e65bf5ca6701eb224d11761c56b1288 |
SHA256: | 6bff92bd6fb84f1a453ead8ef017b6ae42a78b7fbbbd6414ec8a9cd669bf3b05 |
SHA512: | 4970d37d95accc39709886f45125a3059e58c4dc91dee46591737ad0279efb8f395625fff67a0daa30a6f8b29f79af13aeadf71c2b9f18844a2883e004b06884 |
SSDEEP: | 12288:wyveQB/fTHIGaPkKEYzURNAwbAg6c0tY0BfYM:wuDXTIGaPhEYzUzA0L0thBfV |
TLSH: | 95B44A35EA9414B5F3FAD538945A8503E27D3C0DC228766A12F022661FF7B778B2B319 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$.2.`.\.`.\.`.\..y..h.\..y....\..y..m.\.....b.\...X.r.\..._.j.\...Y.Y.\.i...i.\.i...b.\.i...g.\.`.].C.\...Y.R.\...\.a.\.....a.\ |
Icon Hash: | 0b03084c4e4e0383 |
Entrypoint: | 0x140032ee0 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x140000000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x66409723 [Sun May 12 10:17:07 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 2 |
File Version Major: | 5 |
File Version Minor: | 2 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 2 |
Import Hash: | b1c5b1beabd90d9fdabd1df0779ea832 |
Instruction |
---|
dec eax |
sub esp, 28h |
call 00007FAE50B99F78h |
dec eax |
add esp, 28h |
jmp 00007FAE50B9990Fh |
int3 |
int3 |
dec eax |
mov eax, esp |
dec eax |
mov dword ptr [eax+08h], ebx |
dec eax |
mov dword ptr [eax+10h], ebp |
dec eax |
mov dword ptr [eax+18h], esi |
dec eax |
mov dword ptr [eax+20h], edi |
inc ecx |
push esi |
dec eax |
sub esp, 20h |
dec ebp |
mov edx, dword ptr [ecx+38h] |
dec eax |
mov esi, edx |
dec ebp |
mov esi, eax |
dec eax |
mov ebp, ecx |
dec ecx |
mov edx, ecx |
dec eax |
mov ecx, esi |
dec ecx |
mov edi, ecx |
inc ecx |
mov ebx, dword ptr [edx] |
dec eax |
shl ebx, 04h |
dec ecx |
add ebx, edx |
dec esp |
lea eax, dword ptr [ebx+04h] |
call 00007FAE50B98D93h |
mov eax, dword ptr [ebp+04h] |
and al, 66h |
neg al |
mov eax, 00000001h |
sbb edx, edx |
neg edx |
add edx, eax |
test dword ptr [ebx+04h], edx |
je 00007FAE50B99AA3h |
dec esp |
mov ecx, edi |
dec ebp |
mov eax, esi |
dec eax |
mov edx, esi |
dec eax |
mov ecx, ebp |
call 00007FAE50B9BAB7h |
dec eax |
mov ebx, dword ptr [esp+30h] |
dec eax |
mov ebp, dword ptr [esp+38h] |
dec eax |
mov esi, dword ptr [esp+40h] |
dec eax |
mov edi, dword ptr [esp+48h] |
dec eax |
add esp, 20h |
inc ecx |
pop esi |
ret |
int3 |
int3 |
int3 |
dec eax |
sub esp, 48h |
dec eax |
lea ecx, dword ptr [esp+20h] |
call 00007FAE50B88323h |
dec eax |
lea edx, dword ptr [00025747h] |
dec eax |
lea ecx, dword ptr [esp+20h] |
call 00007FAE50B9AB72h |
int3 |
jmp 00007FAE50BA0D54h |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x597a0 | 0x34 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x597d4 | 0x50 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x70000 | 0x154f4 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x6a000 | 0x306c | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x86000 | 0x970 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x536c0 | 0x54 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x53780 | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4b3f0 | 0x140 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x48000 | 0x508 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x588bc | 0x120 | .rdata |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x4676e | 0x46800 | f06bb06e02377ae8b223122e53be35c2 | False | 0.5372340425531915 | data | 6.47079645411382 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x48000 | 0x128c4 | 0x12a00 | 2de06d4a6920a6911e64ff20000ea72f | False | 0.4499003775167785 | data | 5.273999097784603 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x5b000 | 0xe75c | 0x1a00 | 0dbdb901a7d477980097e42e511a94fb | False | 0.28275240384615385 | data | 3.2571023907881185 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x6a000 | 0x306c | 0x3200 | b0ce0f057741ad2a4ef4717079fa34e9 | False | 0.483359375 | data | 5.501810413666288 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.didat | 0x6e000 | 0x360 | 0x400 | 1fcc7b1d7a02443319f8fcc2be4ca936 | False | 0.2578125 | data | 3.0459938492946015 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
_RDATA | 0x6f000 | 0x15c | 0x200 | 3f331ec50f09ba861beaf955b33712d5 | False | 0.408203125 | data | 3.3356393424384843 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x70000 | 0x154f4 | 0x15600 | 3fc741d3ed0e5cdaebe6cc1c5f34a0a3 | False | 0.1883109466374269 | data | 5.3514803031072535 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x86000 | 0x970 | 0xa00 | 77a9ddfc47a5650d6eebbcc823e39532 | False | 0.52421875 | data | 5.336289720085303 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
PNG | 0x70554 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528 |
PNG | 0x7109c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495 |
RT_ICON | 0x72648 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 15118 x 15118 px/m | 0.06374955637051934 | ||
RT_DIALOG | 0x82e70 | 0x286 | data | English | United States | 0.5092879256965944 |
RT_DIALOG | 0x830f8 | 0x13a | data | English | United States | 0.60828025477707 |
RT_DIALOG | 0x83234 | 0xec | data | English | United States | 0.6991525423728814 |
RT_DIALOG | 0x83320 | 0x12e | data | English | United States | 0.5927152317880795 |
RT_DIALOG | 0x83450 | 0x338 | data | English | United States | 0.45145631067961167 |
RT_DIALOG | 0x83788 | 0x252 | data | English | United States | 0.5757575757575758 |
RT_STRING | 0x839dc | 0x1e2 | data | English | United States | 0.3900414937759336 |
RT_STRING | 0x83bc0 | 0x1cc | data | English | United States | 0.4282608695652174 |
RT_STRING | 0x83d8c | 0x1b8 | data | English | United States | 0.45681818181818185 |
RT_STRING | 0x83f44 | 0x146 | data | English | United States | 0.5153374233128835 |
RT_STRING | 0x8408c | 0x46c | data | English | United States | 0.3454063604240283 |
RT_STRING | 0x844f8 | 0x166 | data | English | United States | 0.49162011173184356 |
RT_STRING | 0x84660 | 0x152 | data | English | United States | 0.5059171597633136 |
RT_STRING | 0x847b4 | 0x10a | data | English | United States | 0.49624060150375937 |
RT_STRING | 0x848c0 | 0xbc | data | English | United States | 0.6329787234042553 |
RT_STRING | 0x8497c | 0x1c0 | data | English | United States | 0.5178571428571429 |
RT_STRING | 0x84b3c | 0x250 | data | English | United States | 0.44256756756756754 |
RT_GROUP_ICON | 0x84d8c | 0x14 | data | 1.15 | ||
RT_MANIFEST | 0x84da0 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333 |
DLL | Import |
---|---|
KERNEL32.dll | LocalFree, GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, GlobalMemoryStatusEx, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindNextFileA, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, WaitForSingleObjectEx, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlPcToFileHeader, RtlUnwindEx, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, HeapReAlloc, LCMapStringW, FindFirstFileExA |
OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear |
gdiplus.dll | GdipCloneImage, GdipFree, GdipDisposeImage, GdipCreateBitmapFromStream, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipAlloc |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Target ID: | 0 |
Start time: | 23:08:55 |
Start date: | 07/10/2024 |
Path: | C:\Users\user\Desktop\Bzw4UJiXNj.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff646d80000 |
File size: | 536'027 bytes |
MD5 hash: | 4B61A3D79A892267BF6E76A54E188CC0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Execution Graph
Execution Coverage: | 12% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 28.2% |
Total number of Nodes: | 2000 |
Total number of Limit Nodes: | 26 |
Graph
Function 00007FF646DAB190 Relevance: 127.4, APIs: 62, Strings: 10, Instructions: 1421windowfilesleepCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DACE88 Relevance: 66.7, APIs: 27, Strings: 10, Instructions: 1963windowfileCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DB0754 Relevance: 45.9, APIs: 21, Strings: 5, Instructions: 380filesleeptimeCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646D9A4AC Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 250COMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DA8624 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 101memorywindowCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646D8F930 Relevance: 17.2, APIs: 8, Strings: 1, Instructions: 1417COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646D84840 Relevance: 12.1, APIs: 5, Strings: 1, Instructions: 1624COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646D85E24 Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 586COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DA1F20 Relevance: .3, Instructions: 337COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DA3484 Relevance: .3, Instructions: 302COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646D94928 Relevance: .1, Instructions: 136COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646D9DFD0 Relevance: 143.9, APIs: 16, Strings: 66, Instructions: 440libraryfileloaderCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646D998DC Relevance: 25.2, APIs: 3, Strings: 11, Instructions: 702COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DB1900 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 195libraryCOMMONLIBRARYCODE
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DAF4E0 Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 285COMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DAF0A4 Relevance: 16.6, APIs: 11, Instructions: 102windowCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646D924C0 Relevance: 9.2, APIs: 6, Instructions: 164filetimeCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DAB014 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54windowCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DA91E8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33COMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646D9EAA4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42threadCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DA946C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26comCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DBD90C Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DB1558 Relevance: 1.5, APIs: 1, Instructions: 38COMMONLIBRARYCODE
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646D97FC4 Relevance: 1.5, APIs: 1, Instructions: 9COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DBFA04 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DBD94C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646D8C2F0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 754fileCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646D9F180 Relevance: 43.2, APIs: 22, Strings: 2, Instructions: 1205COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DC2550 Relevance: 22.3, APIs: 8, Strings: 4, Instructions: 1310COMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646D91A48 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 375fileCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DB76D8 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DBFA94 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DC2080 Relevance: 4.8, APIs: 3, Instructions: 340COMMONLIBRARYCODE
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DBFCA0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DC5AF8 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DB8C1C Relevance: 1.5, Strings: 1, Instructions: 219COMMONLIBRARYCODE
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DB89A0 Relevance: 1.4, Strings: 1, Instructions: 199COMMONLIBRARYCODE
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DA3964 Relevance: .9, Instructions: 931COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646D876C0 Relevance: .9, Instructions: 893COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DA53F0 Relevance: .9, Instructions: 891COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646D9BB90 Relevance: .6, Instructions: 587COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DA4B98 Relevance: .6, Instructions: 578COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646D87288 Relevance: .3, Instructions: 294COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DA2D58 Relevance: .3, Instructions: 268COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646D9AF18 Relevance: .2, Instructions: 244COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646D8A310 Relevance: .2, Instructions: 230COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646D9B534 Relevance: .2, Instructions: 181COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DA21D0 Relevance: .1, Instructions: 137COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DA2AB0 Relevance: .1, Instructions: 112COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DC58E0 Relevance: .0, Instructions: 32COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DB3354 Relevance: .0, Instructions: 2COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646D8D7D0 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 98COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DB2A10 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 61libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646D96A0C Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 444COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DAA440 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 257COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DA6E80 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 204memoryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DBE650 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 117COMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DAAE90 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 94COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DAF390 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 85windowCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646D9B9B4 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 84libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DA87D8 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 415COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DB57EC Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 317COMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646D94F38 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 158COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DB72EC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DB1604 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 43libraryloaderCOMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646D97918 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 233COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DB5CE8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 191COMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DB4F80 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646D8CEE0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 139COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DA7B28 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 122COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DAFD0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 76COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DAFED4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DBBFB0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646D93AF8 Relevance: 7.7, APIs: 5, Instructions: 164filetimeCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DBF414 Relevance: 7.6, APIs: 5, Instructions: 114libraryloaderCOMMONLIBRARYCODE
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DC56D8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DAFE24 Relevance: 7.5, APIs: 5, Instructions: 29windowsynchronizationCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DB625C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DB80F4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DC1758 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DB66A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DC4360 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100fileCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DA90B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646D9E870 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DA85E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DBDB5C Relevance: 6.1, APIs: 4, Instructions: 104COMMONLIBRARYCODE
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DBD440 Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646D8E34C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 176COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DBE1F4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646D99408 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DBC2C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DA9B40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646D99638 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DBEB04 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646DB4078 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646D9EA5C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16synchronizationCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00007FF646D9A43C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|