Edit tour
Windows
Analysis Report
Wow.exe
Overview
General Information
| Sample name: | Wow.exe |
| Analysis ID: | 1546274 |
| MD5: | 5758d89ed392e2190c44c5183a6d23a3 |
| SHA1: | f397a538e6d7ecd362768303feb2d43d90227c31 |
| SHA256: | bf644876709c591acc17c0da8cdf1814edcc9f1e6bc109a8c0d5c38c79dc953c |
| Infos: | |
 | |
Detection
| Score: | 7 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 60% |
Signatures
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to query CPU information (cpuid)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
Found potential string decryption / allocating functions
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Program does not show much activity (idle)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Classification
- System is w10x64
Wow.exe (PID: 6500 cmdline: "C:\Users\ user\Deskt op\Wow.exe " MD5: 5758D89ED392E2190C44C5183A6D23A3)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-31T17:50:48.530175+0100 | 2022930 | 1 | A Network Trojan was detected | 4.175.87.197 | 443 | 192.168.2.4 | 49732 | TCP |
| 2024-10-31T17:51:32.810345+0100 | 2022930 | 1 | A Network Trojan was detected | 4.175.87.197 | 443 | 192.168.2.4 | 56997 | TCP |
Click to jump to signature section
Show All Signature Results
There are no malicious signatures, click here to show all signatures.
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_00771D10 | |
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 0_2_00869760 | |
| Source: | Code function: | 0_2_008706E0 | |
| Source: | Code function: | 0_2_004640A0 | |
| Source: | Code function: | 0_2_004181B0 | |
| Source: | Code function: | 0_2_004102B2 | |
| Source: | Code function: | 0_2_004186F2 | |
| Source: | Code function: | 0_2_00870B80 | |
| Source: | Code function: | 0_2_00418C34 | |
| Source: | Code function: | 0_2_004250D0 | |
| Source: | Code function: | 0_2_00859160 | |
| Source: | Code function: | 0_2_004152D3 | |
| Source: | Code function: | 0_2_004192F4 | |
| Source: | Code function: | 0_2_00779370 | |
| Source: | Code function: | 0_2_0088D420 | |
| Source: | Code function: | 0_2_0041167D | |
| Source: | Code function: | 0_2_00729740 | |
| Source: | Code function: | 0_2_00425850 | |
| Source: | Code function: | 0_2_00891A79 | |
| Source: | Code function: | 0_2_00509DD0 | |
| Source: | Code function: | 0_2_00425DE0 | |
| Source: | Code function: | 0_2_00925EE0 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_00434CE0 | |
| Source: | Code function: | 0_2_0077D710 | |
| Source: | Code function: | 0_2_004294C0 | |
| Source: | Key opened: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00869E00 | |
| Source: | Code function: | 0_2_0077D710 | |
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Code function: | 0_2_00771D10 | |
| Source: | Code function: | 0_2_0040C684 | |
| Source: | Code function: | 0_2_0077D710 | |
| Source: | Code function: | 0_2_00770FA0 | |
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Code function: | 0_2_0040C684 | |
| Source: | Code function: | 0_2_004111C6 | |
| Source: | Code function: | 0_2_00414E28 | |
| Source: | Code function: | 0_2_007712D0 | |
| Source: | Code function: | 0_2_0077CF70 | |
| Source: | Code function: | 0_2_00771D10 | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 System Time Discovery | Remote Services | 21 Input Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Obfuscated Files or Information | LSASS Memory | 3 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 14 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown |
⊘No contacted IP infos
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1546274 |
| Start date and time: | 2024-10-31 17:49:33 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 44s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 5 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | Wow.exe |
| Detection: | CLEAN |
| Classification: | clean7.winEXE@1/0@0/0 |
| EGA Information: | Failed |
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target Wow.exe, PID 6500 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
- VT rate limit hit for: Wow.exe
⊘No simulations
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 6.731616867141346 |
| TrID: |
|
| File name: | Wow.exe |
| File size: | 7'699'456 bytes |
| MD5: | 5758d89ed392e2190c44c5183a6d23a3 |
| SHA1: | f397a538e6d7ecd362768303feb2d43d90227c31 |
| SHA256: | bf644876709c591acc17c0da8cdf1814edcc9f1e6bc109a8c0d5c38c79dc953c |
| SHA512: | a9373f5d0f266d17291e56c7300ef71fa446c2a14a92e0c41dc65954fe8c8ddfe15682b3c7d8141e078cc80603a9ad19e2b4a723631ef8f2cee234d97bbca0c8 |
| SSDEEP: | 98304:iSWhGvPwsP+Wc36vu00ovRwqZPNprDEYtUb17TLFkGrNQtT+W50hld:ifgTyovRwqZPNBwb1vNQl+d |
| TLSH: | 6B769ED1F540C137E9E201B6D6BE6FB9487D9637032E34D32AD428545EA0AE33A3539B |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K...........................................#.......-.......)...(4..K...(4..2...(4..L...(4......(4..............(4......Rich... |
 | |
| Icon Hash: | 1f7d6c6c69290907 |
| Entrypoint: | 0x401000 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
| DLL Characteristics: | NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x4C2452FE [Fri Jun 25 06:55:58 2010 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | b7fc31b6422013c5f943a1da91692ed3 |
| Instruction |
|---|
| call 00007F18A5141820h |
| jmp 00007F18A4DDEE26h |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| push ebp |
| mov ebp, esp |
| mov eax, dword ptr [ebp+08h] |
| push 00000000h |
| push FFFFFFFFh |
| push 009E0E14h |
| push eax |
| call 00007F18A51418B0h |
| pop ebp |
| ret |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| push ebp |
| mov ebp, esp |
| mov eax, dword ptr [ebp+08h] |
| test eax, eax |
| je 00007F18A4DD43A1h |
| push 00000000h |
| push FFFFFFFFh |
| push 009E0E18h |
| push eax |
| call 00007F18A51418ECh |
| pop ebp |
| ret |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| mov eax, ecx |
| xor ecx, ecx |
| mov dword ptr [eax], 009E0E24h |
| mov dword ptr [eax+04h], ecx |
| mov dword ptr [eax+08h], ecx |
| mov dword ptr [eax+0Ch], ecx |
| mov dword ptr [eax+10h], ecx |
| mov dword ptr [eax+14h], FFFFFFFFh |
| ret |
| int3 |
| int3 |
| push ebp |
| mov ebp, esp |
| mov eax, dword ptr [ecx+08h] |
| mov edx, dword ptr [ebp+08h] |
| cmp edx, eax |
| push ebx |
| push esi |
| lea esi, dword ptr [ecx+08h] |
| push edi |
| mov edi, dword ptr [ebp+0Ch] |
| jc 00007F18A4DD439Eh |
| mov ebx, dword ptr [ecx+0Ch] |
| add ebx, eax |
| lea eax, dword ptr [edx+edi] |
| cmp eax, ebx |
| jbe 00007F18A4DD43B7h |
| mov ebx, dword ptr [ebp+14h] |
| mov eax, dword ptr [ecx] |
| push ebx |
| mov ebx, dword ptr [ebp+10h] |
| push ebx |
| lea ebx, dword ptr [ecx+0Ch] |
| push ebx |
| push esi |
| lea esi, dword ptr [ecx+04h] |
| push esi |
| push edi |
| push edx |
| mov edx, dword ptr [eax+0Ch] |
| call edx |
| test eax, eax |
| jne 00007F18A4DD4399h |
| pop edi |
| pop esi |
| pop ebx |
| pop ebp |
| retn 0010h |
| pop edi |
| pop esi |
| mov eax, 00000001h |
| pop ebx |
| pop ebp |
| retn 0010h |
| int3 |
| int3 |
| int3 |
| int3 |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x6b5630 | 0x49 | .rdata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6b2d10 | 0x168 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9d3000 | 0x29ad0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x5e0b10 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x6aef70 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x5df000 | 0x79c | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x5dd3b3 | 0x5dd400 | 32ec01576b5be7e96e8a66ff009806e9 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x5df000 | 0xd6679 | 0xd6800 | ae02da553ee17cc7903e5796456f7c31 | False | 0.3668187281468531 | data | 5.931940019079788 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x6b6000 | 0x31a508 | 0x78e00 | 1fca65a45c4e2f9ed8349d6d68e1691b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .zdata | 0x9d1000 | 0x1000 | 0x1000 | 620f0b67a91f7f74151bc5be745b7110 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .tls | 0x9d2000 | 0x19 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x9d3000 | 0x29ad0 | 0x29c00 | 6fbbb45aaf830b355c3f5e0e879588c6 | False | 0.6604310909431138 | data | 7.230200693559073 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| BLIZZARDCOMPONENT | 0x9d3608 | 0xc8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.68 |
| DATA | 0x9d36d0 | 0x17a7a | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | 1.0003715553720713 | ||
| DATA | 0x9eb14c | 0xc7c | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | 0.2687734668335419 | ||
| DATA | 0x9ebdc8 | 0xc34 | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | Chinese | Taiwan | 0.2762483994878361 |
| DATA | 0x9ec9fc | 0xc7c | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | German | Germany | 0.2687734668335419 |
| DATA | 0x9ed678 | 0xc7c | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | English | United States | 0.2687734668335419 |
| DATA | 0x9ee2f4 | 0xc7c | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | Spanish | Spain | 0.2687734668335419 |
| DATA | 0x9eef70 | 0xc7c | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | French | France | 0.2687734668335419 |
| DATA | 0x9efbec | 0xc50 | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | Korean | North Korea | 0.28109137055837563 |
| DATA | 0x9efbec | 0xc50 | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | Korean | South Korea | 0.28109137055837563 |
| DATA | 0x9f083c | 0xc7c | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | Russian | Russia | 0.2690863579474343 |
| DATA | 0x9f14b8 | 0xc34 | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | Chinese | China | 0.27560819462227915 |
| DATA | 0x9f20ec | 0xc7c | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | English | Great Britain | 0.2687734668335419 |
| DATA | 0x9f2d68 | 0xc7c | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | Spanish | Mexico | 0.2687734668335419 |
| RT_CURSOR | 0x9f39e4 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | English | United States | 0.1266233766233766 |
| RT_BITMAP | 0x9f3b18 | 0x26c | Device independent bitmap graphic, 20 x 43 x 4, image size 516 | English | United States | 0.15806451612903225 |
| RT_ICON | 0x9f3d84 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | 0.6967842323651452 | ||
| RT_ICON | 0x9f632c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.6967842323651452 |
| RT_ICON | 0x9f88d4 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | 0.7680581613508443 | ||
| RT_ICON | 0x9f997c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.7680581613508443 |
| RT_ICON | 0x9faa24 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | 0.805327868852459 | ||
| RT_ICON | 0x9fb3ac | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States | 0.805327868852459 |
| RT_ICON | 0x9fbd34 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | 0.8617021276595744 | ||
| RT_ICON | 0x9fc19c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.8617021276595744 |
| RT_GROUP_CURSOR | 0x9fc604 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
| RT_GROUP_ICON | 0x9fc618 | 0x3e | data | English | United States | 0.8064516129032258 |
| RT_GROUP_ICON | 0x9fc658 | 0x3e | data | 0.8064516129032258 | ||
| RT_VERSION | 0x9fc698 | 0x38c | PGP symmetric key encrypted data - Plaintext or unencrypted data | English | United States | 0.45044052863436124 |
| RT_MANIFEST | 0x9fca24 | 0x56 | ASCII text, with CRLF line terminators | English | United States | 1.0232558139534884 |
| None | 0x9fca7c | 0x54 | b.out segmented executable V2.3 86 | English | United States | 1.0952380952380953 |
| DLL | Import |
|---|---|
| KERNEL32.dll | SetEnvironmentVariableA, CompareStringA, FlushFileBuffers, CloseHandle, CreateFileA, GetTimeZoneInformation, GetConsoleOutputCP, DeleteCriticalSection, OpenFile, DeviceIoControl, OpenFileMappingA, CreateFileMappingA, MapViewOfFile, WriteConsoleA, WaitForMultipleObjectsEx, WriteFileEx, ReadFileEx, GetOverlappedResult, CancelIo, GetWindowsDirectoryA, GetSystemDirectoryA, GetSystemTimeAsFileTime, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter, TlsGetValue, TlsAlloc, RtlUnwind, SetStdHandle, GetFileType, SetHandleCount, GetLastError, GetEnvironmentStrings, FreeEnvironmentStringsA, GetModuleFileNameA, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleA, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetStartupInfoA, GetProcessHeap, HeapAlloc, GetVersionExA, HeapFree, GetCommandLineA, ConvertThreadToFiber, CreateFiberEx, DeleteFiber, GetDateFormatA, GetTimeFormatA, GetStringTypeA, LCMapStringA, GetConsoleMode, GetConsoleCP, SetFilePointer, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, GetCurrentThread, HeapDestroy, HeapCreate, VirtualFree, GetLocaleInfoA, HeapReAlloc, VirtualAlloc, GetOEMCP, GetACP, InitializeCriticalSection, LoadLibraryA, InterlockedExchange, FreeLibrary, EnterCriticalSection, LeaveCriticalSection, RaiseException, HeapSize, Sleep, VirtualQuery, UnmapViewOfFile, GetDriveTypeA, ExitThread, GetFullPathNameA, GlobalAlloc, GlobalFree, GlobalLock, GlobalUnlock, VirtualProtect, LocalFree, FlushInstructionCache, GetQueuedCompletionStatus, CreateIoCompletionPort, GetCommandLineW, GlobalMemoryStatusEx, GetPriorityClass, SetPriorityClass, IsBadWritePtr, OpenThread, SuspendThread, GetThreadContext, Thread32First, Thread32Next, lstrcpynA, IsBadReadPtr, MulDiv, SwitchToFiber, GetSystemInfo, SetEvent, WaitForSingleObject, CreateSemaphoreA, ReleaseSemaphore, GlobalMemoryStatus, ResumeThread, TerminateThread, SetThreadPriority, GetThreadPriority, GetProcessAffinityMask, SignalObjectAndWait, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, SizeofResource, LockResource, LoadResource, FindResourceExA, QueryPerformanceFrequency, Module32First, Module32Next, GetDiskFreeSpaceA, ReadFile, CreateThread, GetFileAttributesExA, GetFileSize, GetFileAttributesA, MoveFileA, DeleteFileA, CreateEventA, OpenEventA, GetComputerNameA, GetTempPathA, CreateToolhelp32Snapshot, SetThreadAffinityMask, WaitForSingleObjectEx, CreateProcessA, DuplicateHandle, SetCurrentDirectoryA, GetCurrentDirectoryA, FindClose, FindNextFileA, FindFirstFileA, GetDiskFreeSpaceExA, GetShortPathNameA, CreateDirectoryA, RemoveDirectoryA, SetEndOfFile, SetFileAttributesA, SetFileTime, ResetEvent, WaitForMultipleObjects, SetProcessAffinityMask, GetLocalTime, FormatMessageA, GetExitCodeProcess, GetVersion, OutputDebugStringA, CreateMutexA, ReleaseMutex |
| OPENGL32.dll | glGenTextures, glEnable, glTexParameteri, glReadPixels, wglGetProcAddress, wglDeleteContext, wglMakeCurrent, wglCreateContext, glBindTexture, glTexImage2D, glDeleteTextures, glDisable, glGetError, glGetIntegerv, glGetString, glCopyTexSubImage2D, glCopyTexImage2D, wglGetCurrentDC, glCullFace, glBlendFunc, glMatrixMode, glPolygonOffset, wglGetCurrentContext, glColorPointer, glTexCoordPointer, glScissor, glClipPlane, glPolygonMode, glViewport, glDepthRange, glDepthMask, glColorMask, glTexGeni, glNormalPointer, glVertexPointer, glLightf, glLightfv, glLightModelfv, glColor4fv, glMaterialfv, glLoadIdentity, glLoadMatrixf, glFogf, glFogi, glPixelStorei, glColorMaterial, glLightModeli, glTexGenfv, glPointSize, glFrontFace, glDepthFunc, glFogfv, glAlphaFunc, glMaterialf, glTexSubImage2D, glClear, glClearColor, wglSwapLayerBuffers, glFinish, glDrawArrays, glDrawElements, glLineWidth, glTexEnviv, glHint, glTexEnvi, glTexEnvf, glTexEnvfv, glEnableClientState, glDisableClientState, glGetFloatv |
| VERSION.dll | GetFileVersionInfoA, GetFileVersionInfoSizeA, VerQueryValueA |
| IMM32.dll | ImmGetConversionStatus, ImmGetContext, ImmGetCompositionStringA, ImmAssociateContext, ImmSetConversionStatus, ImmAssociateContextEx, ImmNotifyIME, ImmGetCandidateListA, ImmReleaseContext |
| WININET.dll | InternetReadFileExA, InternetCloseHandle, HttpQueryInfoA, InternetSetOptionA, InternetConnectA, InternetOpenA, HttpSendRequestA, InternetSetCookieA, HttpOpenRequestA, InternetCrackUrlA, InternetSetStatusCallback, InternetSetStatusCallbackA |
| WS2_32.dll | WSACancelAsyncRequest, WSAAsyncGetHostByName, WSACleanup, accept, select, WSAGetLastError, WSAStartup, setsockopt, getsockopt, socket, closesocket, __WSAFDIsSet, connect, listen, bind, htons, htonl, gethostbyname, ntohs, getsockname, recv, getpeername, send, inet_addr, WSACloseEvent, WSACreateEvent, WSAEventSelect, WSAEnumNetworkEvents, sendto, recvfrom, inet_ntoa, ioctlsocket |
| DINPUT8.dll | DirectInput8Create |
| USER32.dll | GetParent, CloseClipboard, OpenClipboard, SetCapture, GetForegroundWindow, MessageBeep, GetKeyState, FillRect, IsDialogMessageA, TranslateAcceleratorA, GetKeyboardLayout, EmptyClipboard, SendInput, SystemParametersInfoA, GetAsyncKeyState, ClientToScreen, InvertRect, VkKeyScanA, DrawTextExA, CharLowerBuffA, GetDesktopWindow, GetActiveWindow, PostMessageA, IsIconic, IsZoomed, PostQuitMessage, SetFocus, KillTimer, SetTimer, WaitForInputIdle, MapVirtualKeyA, LoadBitmapA, GetMessageA, PeekMessageA, TranslateMessage, DispatchMessageA, wsprintfA, IsWindow, IsWindowVisible, MessageBoxA, LoadStringA, SetCursor, GetCursorPos, ScreenToClient, GetClientRect, LoadImageA, LoadCursorA, MapWindowPoints, BeginPaint, EndPaint, AdjustWindowRectEx, GetSystemMetrics, ShowWindow, ChangeDisplaySettingsExA, SetWindowPos, GetWindowRect, ClipCursor, GetWindowPlacement, SendMessageA, MoveWindow, SetClipboardData, ReleaseCapture, DefWindowProcA, RegisterClassExA, CreateWindowExA, GetDC, ReleaseDC, DestroyWindow, UnregisterClassA, EnumDisplaySettingsA, EnumDisplayDevicesA, MonitorFromPoint, GetMonitorInfoA, MsgWaitForMultipleObjects |
| GDI32.dll | ChoosePixelFormat, CreateBitmap, TranslateCharsetInfo, GetStockObject, SelectObject, DeleteObject, SetBkColor, GetDeviceGammaRamp, CreateSolidBrush, SetBkMode, GetPixelFormat, SetDeviceGammaRamp, DescribePixelFormat, SetTextColor, SetPixelFormat, DeleteDC, StretchBlt, BitBlt, CreateCompatibleDC, OffsetViewportOrgEx, SetViewportOrgEx, SelectClipRgn, CreateRectRgn, Rectangle, CreateFontIndirectA, GetObjectA, SetMapMode, GdiFlush, CreateDIBSection |
| ADVAPI32.dll | CryptReleaseContext, ConvertStringSecurityDescriptorToSecurityDescriptorW, RegCloseKey, RegOpenKeyExA, RegQueryValueExA, RegFlushKey, RegSetValueExA, RegCreateKeyExA, GetUserNameA, RegEnumKeyA, CryptGenRandom, CryptAcquireContextA, RegOpenKeyA |
| SHELL32.dll | FindExecutableA, ShellExecuteA |
| DivxDecoder.dll | SetOutputFormat, DivxDecode, UnInitializeDivxDecoder, InitializeDivxDecoder |
| WINMM.dll | waveOutPrepareHeader, waveInReset, waveInClose, waveInOpen, waveInStart, waveInGetNumDevs, waveOutGetNumDevs, waveInGetDevCapsA, waveInUnprepareHeader, waveInPrepareHeader, waveInAddBuffer, waveOutGetPosition, waveOutReset, waveOutWrite, waveOutUnprepareHeader, waveOutOpen, waveOutClose, waveOutGetDevCapsA, timeKillEvent, timeSetEvent, mciSendCommandA, timeGetTime |
| MSACM32.dll | acmStreamSize, acmStreamPrepareHeader, acmStreamConvert, acmStreamUnprepareHeader, acmFormatSuggest, acmStreamOpen |
| SETUPAPI.dll | SetupDiGetClassDevsA, SetupDiGetDeviceInterfaceDetailA, SetupDiEnumDeviceInterfaces, SetupDiDestroyDeviceInfoList, SetupDiGetDeviceRegistryPropertyA, SetupDiEnumDeviceInfo |
| HID.DLL | HidD_GetSerialNumberString, HidD_GetHidGuid, HidD_SetFeature, HidD_GetPreparsedData, HidD_GetAttributes, HidP_GetCaps, HidD_GetProductString, HidD_FreePreparsedData |
| ole32.dll | PropVariantClear, CoCreateInstance, CoTaskMemFree, CoUninitialize, CLSIDFromString, CoInitialize |
| Name | Ordinal | Address |
|---|---|---|
| AssertAndCrash | 1 | 0x8c51d0 |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
| Chinese | Taiwan |  |
| German | Germany |  |
| Spanish | Spain |  |
| French | France |  |
| Korean | North Korea |  |
| Korean | South Korea |  |
| Russian | Russia |  |
| Chinese | China |  |
| English | Great Britain |  |
| Spanish | Mexico |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 31, 2024 17:50:53.449666977 CET | 53 | 62327 | 1.1.1.1 | 192.168.2.4 |
| Target ID: | 0 |
| Start time: | 12:50:28 |
| Start date: | 31/10/2024 |
| Path: | C:\Users\user\Desktop\Wow.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 7'699'456 bytes |
| MD5 hash: | 5758D89ED392E2190C44C5183A6D23A3 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | false |
Function 00771D10 Relevance: 60.2, APIs: 24, Strings: 10, Instructions: 672filewindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004111C6 Relevance: 7.6, APIs: 5, Instructions: 57COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008706E0 Relevance: 3.0, APIs: 2, Instructions: 25COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00770FA0 Relevance: 2.5, APIs: 2, Instructions: 26memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00891A79 Relevance: 2.1, APIs: 1, Instructions: 645COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00859160 Relevance: 1.7, Strings: 1, Instructions: 408COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00870B80 Relevance: .7, Instructions: 712COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004250D0 Relevance: .7, Instructions: 672COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00779370 Relevance: .6, Instructions: 612COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00425DE0 Relevance: .4, Instructions: 414COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00925EE0 Relevance: .4, Instructions: 382COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00425850 Relevance: .4, Instructions: 374COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004640A0 Relevance: .3, Instructions: 287COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00729740 Relevance: .3, Instructions: 264COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0088D420 Relevance: .1, Instructions: 76COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0077CA70 Relevance: 40.4, APIs: 7, Strings: 16, Instructions: 116libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00451470 Relevance: 38.9, APIs: 13, Strings: 9, Instructions: 358networkCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D1DC Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 156fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0077DB10 Relevance: 33.4, APIs: 11, Strings: 8, Instructions: 186threadinjectionCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00450BF0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 113threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041CC02 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 112libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007711C0 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 92fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0077E040 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 53threadlibrarysynchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00771B80 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 45memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00770580 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 143registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041CA35 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 142libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008E4F40 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 61sleepsynchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00771800 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 28threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0077D210 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 101stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0077DE30 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102timeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00774410 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 101sleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 007700A0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 83threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042CDC0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 56networksynchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006C0BA0 Relevance: 9.2, APIs: 6, Instructions: 225COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0086CB00 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 102windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004508B0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 65sleepCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00868C70 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 39libraryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00438560 Relevance: 7.7, APIs: 5, Instructions: 194COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00890B5D Relevance: 7.6, APIs: 5, Instructions: 98COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042DE70 Relevance: 7.6, APIs: 5, Instructions: 95COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00774360 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 83sleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00459050 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 181synchronizationCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00459400 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 181synchronizationCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00461430 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 177synchronizationCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00771A80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00868CE0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00771070 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21libraryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044CDF0 Relevance: 6.3, APIs: 5, Instructions: 58COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0088DAC0 Relevance: 6.1, APIs: 4, Instructions: 68COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008E4FD0 Relevance: 6.1, APIs: 4, Instructions: 64COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00428F60 Relevance: 6.1, APIs: 4, Instructions: 51threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040DF16 Relevance: 6.0, APIs: 4, Instructions: 45threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008D1DF0 Relevance: 6.0, APIs: 4, Instructions: 40timeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00451420 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22networkCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00775190 Relevance: 5.1, APIs: 4, Instructions: 68COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042CD80 Relevance: 5.0, APIs: 4, Instructions: 28COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|