Windows
Analysis Report
m8ufsTLLOU.exe
Overview
General Information
Sample name: | m8ufsTLLOU.exerenamed because original name is a hash value |
Original sample name: | a94bc986375eba0f2b06f3729a2fd7d6.exe |
Analysis ID: | 1538172 |
MD5: | a94bc986375eba0f2b06f3729a2fd7d6 |
SHA1: | 671fca5809281dd3d7f7d5feb834dbfb89815a85 |
SHA256: | d377fa4fdb43913ef01b5b09bec79760416a7d4dfe472ab52b65d2e95af10c98 |
Tags: | 32exetrojan |
Infos: | |
Detection
Score: | 96 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- m8ufsTLLOU.exe (PID: 6812 cmdline:
"C:\Users\ user\Deskt op\m8ufsTL LOU.exe" MD5: A94BC986375EBA0F2B06F3729A2FD7D6) - cmd.exe (PID: 1352 cmdline:
cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 5924 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
{"Type": "Shell Reverse Tcp", "IP": "188.166.177.132", "Port": 443}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_MetasploitPayload | Yara detected Metasploit Payload | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | ||
Windows_Trojan_Metasploit_a6e956c9 | Identifies the API address lookup function leverage by metasploit shellcode | unknown |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_MetasploitPayload | Yara detected Metasploit Payload | Joe Security | ||
JoeSecurity_MetasploitPayload | Yara detected Metasploit Payload | Joe Security |
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | 0_2_004048F9 |
Source: | ASN Name: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
System Summary |
---|
Source: | Matched rule: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Matched rule: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Mutant created: |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | ReversingLabs: |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | 0_2_004061F2 | |
Source: | Code function: | 0_2_0040809F | |
Source: | Code function: | 0_2_004080CA | |
Source: | Code function: | 0_2_00402D5B | |
Source: | Code function: | 0_2_004061F2 | |
Source: | Code function: | 0_2_00407626 | |
Source: | Code function: | 0_2_004061F2 | |
Source: | Code function: | 0_2_004092E7 | |
Source: | Code function: | 0_2_00409412 | |
Source: | Code function: | 0_2_00401B67 | |
Source: | Code function: | 0_2_00404777 | |
Source: | Code function: | 0_2_00405BD3 |
Source: | Static PE information: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Binary or memory string: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Process created: | Jump to behavior |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 2 Software Packing | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Process Injection | LSASS Memory | 1 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
84% | ReversingLabs | Win32.Trojan.CryptZMarte | ||
100% | Avira | TR/Patched.Gen2 | ||
100% | Joe Sandbox ML |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
188.166.177.132 | unknown | Netherlands | 14061 | DIGITALOCEAN-ASNUS | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1538172 |
Start date and time: | 2024-10-20 18:01:10 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 1m 41s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 3 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | m8ufsTLLOU.exerenamed because original name is a hash value |
Original Sample Name: | a94bc986375eba0f2b06f3729a2fd7d6.exe |
Detection: | MAL |
Classification: | mal96.troj.winEXE@4/0@0/1 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Not all processes where analyzed, report is missing behavior information
- VT rate limit hit for: m8ufsTLLOU.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
188.166.177.132 | Get hash | malicious | Metasploit | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
DIGITALOCEAN-ASNUS | Get hash | malicious | Metasploit | Browse |
| |
Get hash | malicious | Gafgyt, Mirai | Browse |
| ||
Get hash | malicious | Mirai, Okiru | Browse |
| ||
Get hash | malicious | LummaC | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
|
File type: | |
Entropy (8bit): | 6.331771244967971 |
TrID: |
|
File name: | m8ufsTLLOU.exe |
File size: | 73'802 bytes |
MD5: | a94bc986375eba0f2b06f3729a2fd7d6 |
SHA1: | 671fca5809281dd3d7f7d5feb834dbfb89815a85 |
SHA256: | d377fa4fdb43913ef01b5b09bec79760416a7d4dfe472ab52b65d2e95af10c98 |
SHA512: | 0d4e71839476f456d04bc09e52b39a130f96895a24c1e7fd32be89afb7989e35331da1c83469b5bef8e20fd4e09764b4006487d4b7c50ba1304d795bb14bc931 |
SSDEEP: | 1536:IAjswZVy6cdzdzuY8S31NdGadtY7CMb+KR0Nc8QsJq39:pjsw1k8KG0Y7Ce0Nc8QsC9 |
TLSH: | 3773BF43E9C42431D1A2127D277536BAAA75F5F63611C19A398CCEF5DBC1CF0A2293C6 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8...Y...Y...Y...E...Y..TE...Y...F...Y...F...Y...Y...Y..TQ...Y...z...Y..._...Y..Rich.Y..................PE..L....c.J........... |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x4011a3 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | |
Time Stamp: | 0x4AA5630C [Mon Sep 7 19:46:20 2009 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 481f47bbb2c9c21e108d65f52b04c448 |
Instruction |
---|
inc eax |
stc |
std |
inc eax |
salc |
inc ebx |
cdq |
wait |
cld |
dec edx |
cdq |
nop |
aaa |
aaa |
dec ebx |
cld |
dec eax |
cwde |
daa |
xchg eax, ebx |
daa |
das |
nop |
aas |
dec eax |
inc eax |
wait |
cmc |
xchg eax, ebx |
inc edx |
stc |
cmc |
wait |
nop |
inc edx |
dec ecx |
daa |
cld |
dec ecx |
std |
dec eax |
stc |
daa |
lahf |
clc |
dec ebx |
xchg eax, edx |
xchg eax, ecx |
inc ebx |
salc |
inc edx |
cmc |
std |
wait |
xchg eax, edx |
xchg eax, ecx |
lahf |
cld |
inc eax |
stc |
inc eax |
std |
xchg eax, ecx |
dec edx |
wait |
cdq |
inc ebx |
cdq |
inc edx |
std |
clc |
lahf |
lahf |
xchg eax, ebx |
dec edx |
nop |
xchg eax, ebx |
stc |
wait |
dec ebx |
salc |
wait |
xchg eax, ebx |
cld |
cld |
cmc |
inc ecx |
xchg eax, ecx |
cwde |
std |
std |
nop |
aaa |
wait |
daa |
dec edx |
xchg eax, ebx |
cdq |
xchg eax, ebx |
aas |
inc edx |
lahf |
aas |
aaa |
xchg eax, ebx |
daa |
stc |
dec edx |
lahf |
inc ebx |
dec eax |
xchg eax, ecx |
aas |
xchg eax, ebx |
aas |
inc edx |
cdq |
xchg eax, ecx |
cld |
aaa |
xchg eax, ebx |
dec ecx |
wait |
nop |
aas |
salc |
dec ebx |
aaa |
xchg eax, edx |
inc ecx |
stc |
das |
nop |
dec ecx |
nop |
aas |
salc |
cdq |
inc eax |
cmc |
wait |
wait |
aas |
inc ecx |
dec eax |
cmc |
xchg eax, edx |
cmc |
stc |
dec ecx |
cmc |
jmp 00007FA17CCD29D3h |
pop ds |
push ecx |
jmp far fword ptr [ebp+6Ch] |
rol dword ptr [eax+00h], FFFFFFA3h |
movsd |
add al, ah |
add bh, al |
add eax, 0040D010h |
push eax |
ret |
add byte ptr [eax], al |
jmp 00007FA17D53279Dh |
xchg eax, esp |
inc ebp |
push edx |
mov edx, 00413840h |
lahf |
ror byte ptr [edx-7E8D77F8h], 1 |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc76c | 0x78 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x15000 | 0x7c8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xc1e0 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xc000 | 0x1e0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xa966 | 0xb000 | dda628ade71c4d1ad292dafa212a2151 | False | 0.8198686079545454 | data | 7.0313797670833535 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0xc000 | 0xfe6 | 0x1000 | 25d7ceee3aa85bb3e8c5174736f6f830 | False | 0.46142578125 | DOS executable (COM, 0x8C-variant) | 5.318390353744998 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xd000 | 0x705c | 0x4000 | 283b5f792323d57b9db4d2bcc46580f8 | False | 0.25634765625 | Matlab v4 mat-file (little endian) d, numeric, rows 0, columns 0 | 4.407841023203495 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x15000 | 0x7c8 | 0x1000 | c13a9413aea7291b6fc85d75bfcde381 | False | 0.197998046875 | data | 1.958296025171192 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0x15060 | 0x768 | data | English | United States | 0.40189873417721517 |
DLL | Import |
---|---|
MSVCRT.dll | _iob, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, __p___initenv, _XcptFilter, _exit, _onexit, __dllonexit, strrchr, wcsncmp, _close, wcslen, wcscpy, strerror, modf, strspn, realloc, __p__environ, __p__wenviron, _errno, free, strncmp, strstr, strncpy, _ftol, qsort, fopen, perror, fclose, fflush, calloc, malloc, signal, printf, _isctype, atoi, exit, __mb_cur_max, _pctype, strchr, fprintf, _controlfp, _strdup, _strnicmp |
KERNEL32.dll | PeekNamedPipe, ReadFile, WriteFile, LoadLibraryA, GetProcAddress, GetVersionExA, GetExitCodeProcess, TerminateProcess, LeaveCriticalSection, SetEvent, ReleaseMutex, EnterCriticalSection, DeleteCriticalSection, InitializeCriticalSection, CreateMutexA, GetFileType, SetLastError, FreeEnvironmentStringsW, GetEnvironmentStringsW, GlobalFree, GetCommandLineW, TlsAlloc, TlsFree, DuplicateHandle, GetCurrentProcess, SetHandleInformation, CloseHandle, GetSystemTimeAsFileTime, FileTimeToSystemTime, GetTimeZoneInformation, FileTimeToLocalFileTime, SystemTimeToFileTime, SystemTimeToTzSpecificLocalTime, Sleep, FormatMessageA, GetLastError, WaitForSingleObject, CreateEventA, SetStdHandle, SetFilePointer, CreateFileA, CreateFileW, GetOverlappedResult, DeviceIoControl, GetFileInformationByHandle, LocalFree |
ADVAPI32.dll | FreeSid, AllocateAndInitializeSid |
WSOCK32.dll | getsockopt, connect, htons, gethostbyname, ntohl, inet_ntoa, setsockopt, socket, closesocket, select, ioctlsocket, __WSAFDIsSet, WSAStartup, WSACleanup, WSAGetLastError |
WS2_32.dll | WSARecv, WSASend |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 20, 2024 18:02:00.224315882 CEST | 49730 | 443 | 192.168.2.4 | 188.166.177.132 |
Oct 20, 2024 18:02:00.224426985 CEST | 443 | 49730 | 188.166.177.132 | 192.168.2.4 |
Oct 20, 2024 18:02:00.224534988 CEST | 49730 | 443 | 192.168.2.4 | 188.166.177.132 |
Oct 20, 2024 18:02:00.323576927 CEST | 49730 | 443 | 192.168.2.4 | 188.166.177.132 |
Oct 20, 2024 18:02:00.323626041 CEST | 443 | 49730 | 188.166.177.132 | 192.168.2.4 |
Oct 20, 2024 18:02:00.323688030 CEST | 443 | 49730 | 188.166.177.132 | 192.168.2.4 |
Oct 20, 2024 18:02:00.323699951 CEST | 49730 | 443 | 192.168.2.4 | 188.166.177.132 |
Oct 20, 2024 18:02:00.323729038 CEST | 443 | 49730 | 188.166.177.132 | 192.168.2.4 |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
Target ID: | 0 |
Start time: | 12:01:59 |
Start date: | 20/10/2024 |
Path: | C:\Users\user\Desktop\m8ufsTLLOU.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 73'802 bytes |
MD5 hash: | A94BC986375EBA0F2B06F3729A2FD7D6 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 12:01:59 |
Start date: | 20/10/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x240000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 2 |
Start time: | 12:01:59 |
Start date: | 20/10/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Execution Graph
Execution Coverage: | 1% |
Dynamic/Decrypted Code Coverage: | 13.8% |
Signature Coverage: | 0% |
Total number of Nodes: | 58 |
Total number of Limit Nodes: | 2 |
Graph
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00401A5F Relevance: 1.4, APIs: 1, Instructions: 170memoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004048F9 Relevance: .0, Instructions: 13COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|