Windows
Analysis Report
vm-uw.exe
Overview
General Information
Detection
Score: | 96 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- vm-uw.exe (PID: 6688 cmdline: "C:\Users\user\Desktop\vm-uw.exe" MD5: 78C6129BFD81F88CFB7171CAF2D386A1)
- cmd.exe (PID: 5308 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Windows\Fonts\systkm32\vv.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 6428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- mode.com (PID: 5272 cmdline: mode con: cols=16 lines=2 MD5: FB615848338231CEBC16E32A3035C3F8)
- PING.EXE (PID: 5252 cmdline: ping 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)
- csrss.exe (PID: 2832 cmdline: C:\Windows\Fonts\systkm32\csrss.exe WMPNetworkSxc C:\Windows\Fonts\systkm32\svchost.exe MD5: C43D1B84143FB2561F22E1A2C8FACF53)
- PING.EXE (PID: 7068 cmdline: ping 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)
- reg.exe (PID: 6780 cmdline: reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc /v Description /d "Shares Windows Media Player libraries to other networked players and media devices using Universal Plug and Play." /t reg_sz /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- reg.exe (PID: 616 cmdline: reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc /v DisplayName /d "Windows Media Player Network Sharing Service." /t reg_sz /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- reg.exe (PID: 4868 cmdline: reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc\Parameters MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- reg.exe (PID: 5960 cmdline: reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc\Parameters /v AppDirectory /d "C:\Windows\Fonts\systkm32" /t reg_sz /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- reg.exe (PID: 5712 cmdline: reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc\Parameters /v Application /d ""C:\Program Files (x86)\VMware\VMware Workstation\vmware.exe" -x "C:\Windows\Logs\ubu\3333.vmx"" /t reg_sz /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- PING.EXE (PID: 4052 cmdline: ping 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)
- sc.exe (PID: 4040 cmdline: sc start WMPNetworkSxc MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
- PING.EXE (PID: 6808 cmdline: ping 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)
- regini.exe (PID: 6748 cmdline: regini 1.ini MD5: C99C3BB423097FCF4990539FC1ED60E3)
- cmd.exe (PID: 2012 cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\HZ~F6EC.tmp.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 1808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- PING.EXE (PID: 1404 cmdline: ping 127.0.0.1 -n 2 MD5: B3624DD758CCECF93A1226CEF252CA12)
- svchost.exe (PID: 5544 cmdline: C:\Windows\Fonts\systkm32\svchost.exe MD5: 4635935FC972C582632BF45C26BFCB0E)
- svchost.exe (PID: 7060 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems), Tim Shelton: |
Source: | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: David Burkett, @signalblur: |
Source: | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: |
Source: | Author: juju4, Jonhnathan Ribeiro, oscd.community: |
Source: | Author: vburov: |
AV Detection |
---|
Source: | Avira: |
Source: | ReversingLabs: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: | (3 rows) |
Source: | Code function: | 0_2_00224F98 |
Networking |
---|
Source: | Process created: |
Source: | String found in binary or memory: |
Source: | Code function: | 9_2_00401070 |
Source: | File created: | (5 rows) |
Source: | Code function: | 0_2_0020F8DE, 0_2_001F7C90, 0_2_001E1000, 0_2_002130A0, 0_2_001FA160, 0_2_0022720E, 0_2_00205306, 0_2_002175E5, 0_2_001EC600, 0_2_0022C6B9, 0_2_0022B6BC, 0_2_001EE680, 0_2_001F68C0, 0_2_00215958, 0_2_002189EC, 0_2_00217ADE, 0_2_001E3B7E, 0_2_0022DB44, 0_2_00218BEC, 0_2_0022DBFE, 0_2_0020DC0C, 0_2_001F2C50, 0_2_00217C58, 0_2_0021FC5D, 0_2_0022DD1B, 0_2_00226D60, 0_2_001F3D50, 0_2_00218D8D, 0_2_001F8F60, 18_2_01001493 |
Source: | Dropped File: |
Source: | Static PE information: | (2 rows) |
Source: | Static PE information: |
Source: | Process created: |
Source: | Classification label: |
Source: | Code function: | 0_2_001F3F50 |
Source: | Code function: | 9_2_00401000 |
Source: | Code function: | 0_2_001E2777 |
Source: | Code function: | 18_2_01001D2C |
Source: | Code function: | 18_2_01001D2C |
Source: | Mutant created: | (2 rows) |
Source: | File created: |
Source: | Process created: |
Source: | Static PE information: |
Source: | File read: |
Source: | Key opened: |
Source: | ReversingLabs: |
Source: | File read: |
Source: | Process created: | (21 rows) |
Source: | Process created: | (16 rows) |
Source: | Section loaded: | (61 rows) |
Source: | Key value queried: |
Source: | File written: |
Source: | Static PE information: | (6 rows) |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: | (3 rows) |
Source: | Static PE information: | (5 rows) |
Source: | Code function: | 0_2_001E51C0 |
Source: | Code function: | 0_2_0021BDC9, 0_2_0022BE76, 0_2_0022BE76, 18_2_010021F4, 18_2_0100221C, 18_2_0100226B |
Persistence and Installation Behavior |
---|
Source: | File created: | (2 rows) |
Source: | Executable created and started: | (2 rows) |
Source: | Process created: | (5 rows) |
Source: | Process created: | (5 rows) |
Source: | File created: | (2 rows) |
Source: | File created: | (2 rows) |
Source: | Registry key created: |
Source: | Registry key value modified: |
Source: | Code function: | 18_2_01001D2C |
Source: | Process created: |
Source: | Process information set: | (6 rows) |
Malware Analysis System Evasion |
---|
Source: | Process created: |
Source: | Process created: |
Source: | Code function: | 0_2_001E18A0 |
Source: | Last function: | (3 rows) |
Source: | Code function: | 0_2_00224F98 |
Source: | Binary or memory string: | (5 rows) |
Anti Debugging |
---|
Source: | Code function: | 0_2_001E1A90, 0_2_001E1B00 |
Source: | Code function: | 0_2_001E18A0 |
Source: | Code function: | 0_2_0021BB7B |
Source: | Code function: | 0_2_001E51C0 |
Source: | Code function: | 0_2_002217B3 |
Source: | Code function: | 0_2_00225C60 |
Source: | Code function: | 0_2_0021BB7B, 0_2_0021BD0E, 0_2_0021AFAC, 0_2_0021EF9A, 18_2_0100229A |
Source: | Process created: | (16 rows) |
Source: | Code function: | 0_2_001E16C0 |
Source: | Queries volume information: | (3 rows) |
Source: | Code function: | 0_2_0022450B |
Source: | Code function: | 0_2_002189EC |
Source: | Code function: | 0_2_001E1CE0, 0_2_001E1D80 |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | 1 Scripting | Valid Accounts | 1 Command and Scripting Interpreter | 34 Windows Service | 34 Windows Service | 22 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 13 Service Execution | 1 Scripting | 11 Process Injection | 1 Modify Registry | LSASS Memory | 31 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Process Injection | Security Account Manager | 1 Remote System Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 1 System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 3 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 23 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 71% | ReversingLabs | Win32.Trojan.Zusy | |
| 100% | Avira | TR/Reconyc.cciah | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | ReversingLabs | | |
| 0% | ReversingLabs | | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | Avira URL Cloud | safe | |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
IP |
---|
127.0.0.1 |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1455404 |
Start date and time: | 2024-06-11 19:42:06 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 43s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 24 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | vm-uw.exe |
Detection: | MAL |
Classification: | mal96.troj.evad.winEXE@38/6@0/1 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: vm-uw.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
C:\Windows\Fonts\systkm32\csrss.exe | | | malicious | Unknown | | |
| | | malicious | Unknown | | |
C:\Windows\Fonts\systkm32\svchost.exe | | | malicious | Unknown | | |
| | | malicious | Unknown | | |
| | | malicious | Young Lotus | | |
| | | malicious | Unknown | | |
| | | malicious | Unknown | | |
| | | malicious | Unknown | | |
| | | malicious | Unknown | | |
| | | malicious | Xmrig | | |
| | | malicious | ETERNALBLUE GhostRat Xmrig | | |
Process: | C:\Users\user\Desktop\vm-uw.exe |
File Type: | |
Category: | modified |
Size (bytes): | 132 |
Entropy (8bit): | 4.717649701325578 |
Encrypted: | false |
SSDEEP: | 3:CxK6OWR2N2+WTKCXBALW9VCSLVLx695ON2+WTKC8m:CxBR2N2RGo3CSLpA9IN2RG7m |
MD5: | 620ACF8E7B2F70716670A63E0385328C |
SHA1: | 174A65757E136944AF23DC3D02ADBAB3BEC35F0F |
SHA-256: | 2D5B93EACBB86909B2ED55D5A7C2CF2AF4C392A633342EEA3890A3A9AA9EB1C0 |
SHA-512: | C4CF92493798C25C945BA8377F450444473804619F5C8151096F10F75A03802CBE5E7EF3AC1D36DD24C8ADB4DEF781BC07FFA32EFD217513765B173EF1186962 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 74 |
Entropy (8bit): | 4.978458988199209 |
Encrypted: | false |
SSDEEP: | 3:aCdgLCgT/K/TvvKXO2EF+F4cn:mLC6/KbKXO2E8n |
MD5: | 33568E8BAAB39EF9097F9B78FE231FB1 |
SHA1: | 45C01839B0AFEF46EBFB4A884AB3FF24EF6ECD49 |
SHA-256: | E5C492B214D845AF45727327E9AECACBD9632D1AA6DCFB0308ABCDB18CA4D5E8 |
SHA-512: | F6F432C0ACED10FB60AA148939EC9EFA7830B98EAF8B4B93C16DC74E9955D712056F4462F93D668CFD4D9B7FF2CAB1A823F918EC0B4261F40933075F9A16C2DE |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\vm-uw.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 18432 |
Entropy (8bit): | 5.536012760236597 |
Encrypted: | false |
SSDEEP: | 384:tD7x2ARjcLagJm8lGJ3BY+SpzV5hdfjWNwG:5hRjyppV+8dYwG |
MD5: | C43D1B84143FB2561F22E1A2C8FACF53 |
SHA1: | 3F1357007F61F02F97F0AAABB8756C6ECA2ACEBD |
SHA-256: | BBF4C224F9861B2C1F5A1364EE71E38728495B2709621763053B979BA88522F1 |
SHA-512: | 27A25AB6045498E0B7131BE58556C685DFA01596675C3AF689E61D8329E1A0EFF4128C57E202C32C69271B84F57E7425C45FB5FA132EC0F5B352F86323FFA13E |
Malicious: | true |
Antivirus: | |
Joe Sandbox View: | |
Preview: |
Process: | C:\Users\user\Desktop\vm-uw.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8192 |
Entropy (8bit): | 5.259110186515502 |
Encrypted: | false |
SSDEEP: | 96:8ldfxd/yKaP64DMI1XT3kaiyMlH38ZldnXFADkYLyAFdfcdTbGu00C:mSP64DMI1DkHMZ36kYLxFdfcdnGu00C |
MD5: | 4635935FC972C582632BF45C26BFCB0E |
SHA1: | 7C5329229042535FE56E74F1F246C6DA8CEA3BE8 |
SHA-256: | ABD4AFD71B3C2BD3F741BBE3CEC52C4FA63AC78D353101D2E7DC4DE2725D1CA1 |
SHA-512: | 167503133B5A0EBD9F8B2971BCA120E902497EB21542D6A1F94E52AE8E5B6BDE1E4CAE1A2C905870A00D772E0DF35F808701E2CFBD26DCBB130A5573FA590060 |
Malicious: | false |
Antivirus: | |
Joe Sandbox View: | |
Preview: |
Process: | C:\Users\user\Desktop\vm-uw.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1152 |
Entropy (8bit): | 5.3887292706534735 |
Encrypted: | false |
SSDEEP: | 24:e8J5DnVZ6c3Y02M6bZAcalIAI72M6MRMJMAI72M6oB2M6oQGQEOI72M6oh1EAI0f:t5D+co0c1AP8cMRe8cMcYO8cI1EAZ0Tg |
MD5: | ED936FD33024AC753E8E7BE6B4C39F69 |
SHA1: | 2A9329EDEC6273CB30DFD420BDE80A4E7675FFC7 |
SHA-256: | 038A41E1CC19BF3833333DC8997B633CF33500A13C373593408E3416447B8553 |
SHA-512: | 60C95EB51C5DEDE283581BADF970B6722013A7CB3CED4716DCC74674FDD9B75227300DB0EDB8F70DC5C760D4BB8313BEA1F9403BCE2A5B9AC9BBCD10214F6D3F |
Malicious: | true |
Preview: |
Process: | C:\Windows\Fonts\systkm32\csrss.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 181 |
Entropy (8bit): | 4.448922834861267 |
Encrypted: | false |
SSDEEP: | 3:CmXhmnXjzDZAeKXO2E77Qyd45QnBX9jgDKVgjoH/XS1FmAsoWROn:CmRmnXjP+VXO2E77/64guVJ/XSeAsLRO |
MD5: | 56A963BDFAA124C4D00843552370D1FE |
SHA1: | 66ED31AD816394CF07C7D8330C3E60927170BABD |
SHA-256: | 1AFA092248E35494CD5153C9744494C51BF93B44BDCB38C5CAFE5B4FF88F8902 |
SHA-512: | 239CA8D84138FA11F8F9E74DFE8B14A2645A87D75EFC4CB495538876E5304464DCCD36DF610288C637587E7B6DB8FF4A8A91F57FA1FE71BFAF6B289A91DDB455 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 6.48742080673987 |
TrID: | |
File name: | vm-uw.exe |
File size: | 580'475 bytes |
MD5: | 78c6129bfd81f88cfb7171caf2d386a1 |
SHA1: | f626224572dea0bc2983e3b3986bd1c1af5533ce |
SHA256: | aa1ad7c508d497292d1e017b946cc381be204bd641543bcf584da286eb6f685f |
SHA512: | 38d0f61a25f015ad149765ced45ab81591ec02f9fe290c1560db9f53f9b7e6edc371eaebbcc54156006e63fe323b976bf560b9db69328f5ffe0fd9b734a9717b |
SSDEEP: | 12288:LQM9bROJmafSPZDz7qElw2KxPo0q7qzC9b/uEvtHKYTsviIR8Cufe9ZqQwExr//R:Ld9Mrf7iaNVxowGT/M |
TLSH: | 21C47C31B7A2C0B5C26D41301FA8EAB655AD7F244F610AE777C87E1A29F04E06635F36 |
File Content Preview: | MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........:.>T[.mT[.mT[.m...mY[.m...m.[.m...mN[.mT[.mV[.m.2.lW[.m.3.lF[.m.3.lL[.m.3.lz[.m.2.lU[.m]#|mP[.m]#lmE[.mT[.m.[.m.2.l.[.m.2.mU[. |
Icon Hash: | db3b74597872391b |
Entrypoint: | 0x43b6f1 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x618DE39C [Fri Nov 12 03:46:36 2021 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | eec4c9510d1f15621b464022e8c2d408 |
Instruction |
---|
call 00007FD3BCED83E7h |
jmp 00007FD3BCED7B3Fh |
call 00007FD3BCED7CE7h |
push 00000000h |
call 00007FD3BCED7878h |
pop ecx |
test al, al |
je 00007FD3BCED7CD0h |
push 0043B811h |
call 00007FD3BCED7A22h |
pop ecx |
xor eax, eax |
ret |
push 00000007h |
call 00007FD3BCED811Fh |
int3 |
push ebp |
mov ebp, esp |
push FFFFFFFFh |
push 0044F522h |
mov eax, dword ptr fs:[00000000h] |
push eax |
push ebx |
push esi |
push edi |
mov eax, dword ptr [0046600Ch] |
xor eax, ebp |
push eax |
lea eax, dword ptr [ebp-0Ch] |
mov dword ptr fs:[00000000h], eax |
push 00000FA0h |
push 00469220h |
call dword ptr [00450044h] |
push 004503D0h |
call dword ptr [0045003Ch] |
mov esi, eax |
test esi, esi |
jne 00007FD3BCED7CD7h |
push 0045A754h |
call dword ptr [0045003Ch] |
mov esi, eax |
test esi, esi |
je 00007FD3BCED7D52h |
push 00450414h |
push esi |
call dword ptr [0045002Ch] |
push 00450430h |
push esi |
mov ebx, eax |
call dword ptr [0045002Ch] |
push 0045044Ch |
push esi |
mov edi, eax |
call dword ptr [0045002Ch] |
mov esi, eax |
test ebx, ebx |
je 00007FD3BCED7CFAh |
test edi, edi |
je 00007FD3BCED7CF6h |
test esi, esi |
je 00007FD3BCED7CF2h |
and dword ptr [0046923Ch], 00000000h |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6498c | 0x8c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6f000 | 0x1e274 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8e000 | 0x4e94 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x5cf70 | 0x70 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x5d080 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x5cfe0 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x50000 | 0x284 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x4e8db | 0x4ea00 | 7296a174c97dde3447454c549f28ba89 | False | 0.5489554352146264 | data | 6.653917614698595 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x50000 | 0x157de | 0x15800 | 267d5b7a634664da1012e9aa48c96ae2 | False | 0.4493095930232558 | data | 5.3004440169135085 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x66000 | 0x86c0 | 0x3000 | 548ea8cc9f1d41ead8891532908d09c7 | False | 0.18123372395833334 | DOS executable (block device driver \277DN\346@\273) | 4.487709554306666 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x6f000 | 0x1e274 | 0x1e400 | 020fad0e6b278437adb11a930d31859a | False | 0.3044211647727273 | data | 5.185160331800087 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x8e000 | 0x4e94 | 0x5000 | 0f982d8863b6d552c167374e2ffd1f4b | False | 0.58095703125 | data | 6.458158429451074 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_BITMAP | 0x70b10 | 0x405e | Device independent bitmap graphic, 93 x 280 x 8, 1 compression, image size 15414, resolution 2834 x 2834 px/m | Chinese | China | 0.7535501881296274 |
RT_ICON | 0x74b70 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | Chinese | China | 0.08867837338262477 |
RT_ICON | 0x79ff8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | Chinese | China | 0.09529995276334435 |
RT_ICON | 0x7e220 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Chinese | China | 0.12551867219917012 |
RT_ICON | 0x807c8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Chinese | China | 0.1775328330206379 |
RT_ICON | 0x81870 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Chinese | China | 0.14590163934426228 |
RT_ICON | 0x821f8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Chinese | China | 0.1799645390070922 |
RT_DIALOG | 0x82660 | 0x1dc | data | Chinese | China | 0.5903361344537815 |
RT_DIALOG | 0x8283c | 0x2f6 | data | Chinese | China | 0.449868073878628 |
RT_DIALOG | 0x82b34 | 0x150 | data | Chinese | China | 0.6398809523809523 |
RT_STRING | 0x82c84 | 0x52 | Matlab v4 mat-file (little endian) h, numeric, rows 0, columns 0 | Chinese | China | 0.7195121951219512 |
RT_STRING | 0x82cd8 | 0x1b4 | data | Chinese | China | 0.7224770642201835 |
RT_STRING | 0x82e8c | 0x176 | data | Chinese | China | 0.6417112299465241 |
RT_STRING | 0x83004 | 0x104 | data | Chinese | China | 0.8115384615384615 |
RT_STRING | 0x83108 | 0xc8 | data | Chinese | China | 0.75 |
RT_STRING | 0x831d0 | 0xb8 | data | Chinese | China | 0.8695652173913043 |
RT_STRING | 0x83288 | 0xc4 | data | Chinese | China | 0.8877551020408163 |
RT_STRING | 0x8334c | 0x148 | data | Chinese | China | 0.774390243902439 |
RT_STRING | 0x83494 | 0x1ae | data | Chinese | China | 0.7023255813953488 |
RT_STRING | 0x83644 | 0x11a | data | Chinese | China | 0.7269503546099291 |
RT_STRING | 0x83760 | 0xaa | data | Chinese | China | 0.8588235294117647 |
RT_STRING | 0x8380c | 0x22e | data | Chinese | China | 0.7795698924731183 |
RT_STRING | 0x83a3c | 0x92 | data | Chinese | China | 0.8424657534246576 |
RT_STRING | 0x83ad0 | 0x1b0 | data | Chinese | China | 0.7453703703703703 |
RT_STRING | 0x83c80 | 0x10a | data | Chinese | China | 0.793233082706767 |
RT_STRING | 0x83d8c | 0x1aa | data | Chinese | China | 0.8004694835680751 |
RT_STRING | 0x83f38 | 0x12c | data | Chinese | China | 0.8333333333333334 |
RT_STRING | 0x84064 | 0x170 | data | Chinese | China | 0.6847826086956522 |
RT_STRING | 0x841d4 | 0x98 | data | Chinese | China | 0.5723684210526315 |
RT_STRING | 0x8426c | 0x124 | data | Chinese | China | 0.6027397260273972 |
RT_STRING | 0x84390 | 0x180 | data | Chinese | China | 0.8203125 |
RT_STRING | 0x84510 | 0x258 | data | Chinese | China | 0.75 |
RT_STRING | 0x84768 | 0x13c | data | Chinese | China | 0.7468354430379747 |
RT_STRING | 0x848a4 | 0x336 | data | Chinese | China | 0.39659367396593675 |
RT_STRING | 0x84bdc | 0x16c | data | Chinese | China | 0.6813186813186813 |
RT_STRING | 0x84d48 | 0x19e | data | Chinese | China | 0.6714975845410628 |
RT_STRING | 0x84ee8 | 0x1da | data | Chinese | China | 0.729957805907173 |
RT_STRING | 0x850c4 | 0x72 | data | Chinese | China | 0.7631578947368421 |
RT_STRING | 0x85138 | 0x104 | data | Chinese | China | 0.7692307692307693 |
RT_STRING | 0x8523c | 0x150 | data | Chinese | China | 0.8184523809523809 |
RT_STRING | 0x8538c | 0x154 | data | Chinese | China | 0.7088235294117647 |
RT_STRING | 0x854e0 | 0xe2 | data | Chinese | China | 0.7168141592920354 |
RT_STRING | 0x855c4 | 0x17a | data | Chinese | China | 0.6375661375661376 |
RT_STRING | 0x85740 | 0x162 | data | Chinese | China | 0.7994350282485876 |
RT_STRING | 0x858a4 | 0x144 | data | Chinese | China | 0.7067901234567902 |
RT_STRING | 0x859e8 | 0xc4 | data | Chinese | China | 0.8469387755102041 |
RT_STRING | 0x85aac | 0x118 | data | Chinese | China | 0.7607142857142857 |
RT_STRING | 0x85bc4 | 0xbe | data | Chinese | China | 0.8210526315789474 |
RT_STRING | 0x85c84 | 0x142 | data | Chinese | China | 0.6490683229813664 |
RT_STRING | 0x85dc8 | 0xd6 | data | Chinese | China | 0.8878504672897196 |
RT_STRING | 0x85ea0 | 0x54 | data | Chinese | China | 0.7738095238095238 |
RT_STRING | 0x85ef4 | 0x1a4 | data | Chinese | China | 0.6761904761904762 |
RT_STRING | 0x86098 | 0x152 | data | Chinese | China | 0.7396449704142012 |
RT_STRING | 0x861ec | 0xfa | data | Chinese | China | 0.756 |
RT_STRING | 0x862e8 | 0x134 | data | Chinese | China | 0.7012987012987013 |
RT_STRING | 0x8641c | 0x144 | data | Chinese | China | 0.6820987654320988 |
RT_STRING | 0x86560 | 0xf4 | data | Chinese | China | 0.7172131147540983 |
RT_STRING | 0x86654 | 0x1dc | data | Chinese | China | 0.5063025210084033 |
RT_STRING | 0x86830 | 0x1ca | data | Chinese | China | 0.4497816593886463 |
RT_STRING | 0x869fc | 0x15e | data | Chinese | China | 0.6914285714285714 |
RT_STRING | 0x86b5c | 0x13a | data | Chinese | China | 0.7420382165605095 |
RT_STRING | 0x86c98 | 0x262 | data | Chinese | China | 0.5688524590163935 |
RT_STRING | 0x86efc | 0x262 | data | Chinese | China | 0.6557377049180327 |
RT_STRING | 0x87160 | 0x34 | data | Chinese | China | 0.6730769230769231 |
RT_STRING | 0x87194 | 0x16e | data | Chinese | China | 0.7021857923497268 |
RT_STRING | 0x87304 | 0x196 | data | Chinese | China | 0.6995073891625616 |
RT_STRING | 0x8749c | 0x1fc | data | Chinese | China | 0.5590551181102362 |
RT_STRING | 0x87698 | 0x28a | AmigaOS bitmap font "&Tnx\232[ Rd\226\376V\007h\032\377"", fc_YSize 13568, 12134 elements, 2nd "\213S\376V\007h1Y%\215\032\377\376V\007h\357\215\204_\362]\317~X[(W\014T", 3rd ":N\034 Kb\250R\364f\260e\035 \016T2" | Chinese | China | 0.703076923076923 |
RT_STRING | 0x87924 | 0x17e | data | Chinese | China | 0.5916230366492147 |
RT_STRING | 0x87aa4 | 0x24e | data | Chinese | China | 0.6237288135593221 |
RT_STRING | 0x87cf4 | 0xac | data | Chinese | China | 0.9941860465116279 |
RT_STRING | 0x87da0 | 0x15a | data | Chinese | China | 0.6502890173410405 |
RT_STRING | 0x87efc | 0x136 | data | Chinese | China | 0.7258064516129032 |
RT_STRING | 0x88034 | 0xec | data | Chinese | China | 0.6228813559322034 |
RT_STRING | 0x88120 | 0x1b0 | data | Chinese | China | 0.5347222222222222 |
RT_STRING | 0x882d0 | 0x198 | data | Chinese | China | 0.44362745098039214 |
RT_STRING | 0x88468 | 0x150 | data | Chinese | China | 0.8125 |
RT_STRING | 0x885b8 | 0xe8 | data | Chinese | China | 0.8060344827586207 |
RT_STRING | 0x886a0 | 0xe4 | data | Chinese | China | 0.7719298245614035 |
RT_STRING | 0x88784 | 0x124 | data | Chinese | China | 0.7397260273972602 |
RT_STRING | 0x888a8 | 0x1d0 | data | Chinese | China | 0.6896551724137931 |
RT_STRING | 0x88a78 | 0x184 | data | Chinese | China | 0.7860824742268041 |
RT_STRING | 0x88bfc | 0x18a | data | Chinese | China | 0.7030456852791879 |
RT_STRING | 0x88d88 | 0x11a | data | Chinese | China | 0.8404255319148937 |
RT_STRING | 0x88ea4 | 0x12a | data | Chinese | China | 0.714765100671141 |
RT_STRING | 0x88fd0 | 0x1e2 | data | Chinese | China | 0.7178423236514523 |
RT_STRING | 0x891b4 | 0x1ac | data | Chinese | China | 0.6542056074766355 |
RT_STRING | 0x89360 | 0x100 | data | Chinese | China | 0.9296875 |
RT_STRING | 0x89460 | 0x18e | data | Chinese | China | 0.8190954773869347 |
RT_STRING | 0x895f0 | 0x186 | AmigaOS bitmap font "~bW[&{\323~\234g ", fc_YSize 31074, 58727 elements | Chinese | China | 0.7205128205128205 |
RT_STRING | 0x89778 | 0x122 | data | Chinese | China | 0.803448275862069 |
RT_STRING | 0x8989c | 0x16e | data | Chinese | China | 0.6693989071038251 |
RT_STRING | 0x89a0c | 0x198 | data | Chinese | China | 0.6887254901960784 |
RT_STRING | 0x89ba4 | 0x40a | data | Chinese | China | 0.5667311411992263 |
RT_STRING | 0x89fb0 | 0xe8 | data | Chinese | China | 0.8232758620689655 |
RT_STRING | 0x8a098 | 0xd4 | data | Chinese | China | 0.7924528301886793 |
RT_STRING | 0x8a16c | 0xdc | data | Chinese | China | 0.7863636363636364 |
RT_STRING | 0x8a248 | 0x350 | data | Chinese | China | 0.714622641509434 |
RT_STRING | 0x8a598 | 0x90 | data | Chinese | China | 0.6666666666666666 |
RT_STRING | 0x8a628 | 0xda | Matlab v4 mat-file (little endian) \232[IN\006RwS\276\213n\177\014\377, numeric, rows 0, columns 0 | Chinese | China | 0.9495412844036697 |
RT_STRING | 0x8a704 | 0x5c | AmigaOS bitmap font "\343\211\213S\013z\217^\275_\007h", 60033 elements | Chinese | China | 0.5869565217391305 |
RT_STRING | 0x8a760 | 0x142 | data | Chinese | China | 0.8385093167701864 |
RT_STRING | 0x8a8a4 | 0xd4 | data | Chinese | China | 0.6792452830188679 |
RT_STRING | 0x8a978 | 0x2c | Matlab v4 mat-file (little endian) }Y\213S\236[(u\345]wQ, numeric, rows 0, columns 0 | Chinese | China | 0.6363636363636364 |
RT_STRING | 0x8a9a4 | 0x84 | data | Chinese | China | 0.8257575757575758 |
RT_STRING | 0x8aa28 | 0xc2 | data | Chinese | China | 0.8505154639175257 |
RT_STRING | 0x8aaec | 0x232 | data | Chinese | China | 0.5907473309608541 |
RT_STRING | 0x8ad20 | 0x38 | data | Chinese | China | 0.7321428571428571 |
RT_STRING | 0x8ad58 | 0x5c | Matlab v4 mat-file (little endian) >f:y\346\213\306~\341Oo`\006, numeric, rows 0, columns 0 | Chinese | China | 0.6413043478260869 |
RT_STRING | 0x8adb4 | 0xcc | data | Chinese | China | 0.8774509803921569 |
RT_STRING | 0x8ae80 | 0x106 | data | Chinese | China | 0.7366412213740458 |
RT_STRING | 0x8af88 | 0x9c | data | Chinese | China | 0.782051282051282 |
RT_STRING | 0x8b024 | 0x11a | data | Chinese | China | 0.8014184397163121 |
RT_STRING | 0x8b140 | 0x20c | data | Chinese | China | 0.5343511450381679 |
RT_STRING | 0x8b34c | 0x1e2 | data | Chinese | China | 0.5622406639004149 |
RT_STRING | 0x8b530 | 0x10e | data | Chinese | China | 0.837037037037037 |
RT_STRING | 0x8b640 | 0x17c | data | Chinese | China | 0.5210526315789473 |
RT_STRING | 0x8b7bc | 0x144 | data | Chinese | China | 0.6882716049382716 |
RT_STRING | 0x8b900 | 0x88 | Matlab v4 mat-file (little endian) O, numeric, rows 0, columns 0 | Chinese | China | 0.5294117647058824 |
RT_STRING | 0x8b988 | 0x146 | data | Chinese | China | 0.7699386503067485 |
RT_STRING | 0x8bad0 | 0xd8 | data | Chinese | China | 0.8888888888888888 |
RT_STRING | 0x8bba8 | 0xbe | data | Chinese | China | 0.8368421052631579 |
RT_STRING | 0x8bc68 | 0x118 | data | Chinese | China | 0.8142857142857143 |
RT_STRING | 0x8bd80 | 0x84 | data | Chinese | China | 0.8787878787878788 |
RT_STRING | 0x8be04 | 0xf0 | data | Chinese | China | 0.8 |
RT_STRING | 0x8bef4 | 0x7a | data | Chinese | China | 0.680327868852459 |
RT_STRING | 0x8bf70 | 0x78 | data | Chinese | China | 0.95 |
RT_STRING | 0x8bfe8 | 0x106 | data | Chinese | China | 0.5992366412213741 |
RT_STRING | 0x8c0f0 | 0xf6 | data | Chinese | China | 0.8617886178861789 |
RT_STRING | 0x8c1e8 | 0x190 | data | Chinese | China | 0.78 |
RT_STRING | 0x8c378 | 0xd2 | data | Chinese | China | 0.8428571428571429 |
RT_STRING | 0x8c44c | 0x106 | data | Chinese | China | 0.46564885496183206 |
RT_STRING | 0x8c554 | 0x182 | data | Chinese | China | 0.7694300518134715 |
RT_STRING | 0x8c6d8 | 0x19c | data | Chinese | China | 0.779126213592233 |
RT_STRING | 0x8c874 | 0x5a | data | Chinese | China | 0.7 |
RT_STRING | 0x8c8d0 | 0x30 | data | Chinese | China | 0.6666666666666666 |
RT_STRING | 0x8c900 | 0x66 | data | Chinese | China | 0.8235294117647058 |
RT_GROUP_ICON | 0x8c968 | 0x84 | data | Chinese | China | 0.7045454545454546 |
RT_VERSION | 0x8c9ec | 0x140 | MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79 | English | United States | 0.584375 |
RT_VERSION | 0x8cb2c | 0x284 | MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79 | Chinese | China | 0.31211180124223603 |
RT_MANIFEST | 0x8cdb0 | 0x4c1 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1157), with CRLF line terminators | English | United States | 0.4683648315529992 |
DLL | Import |
---|---|
COMCTL32.dll | InitCommonControlsEx |
SHELL32.dll | SHBrowseForFolderW, SHGetFileInfoW, SHGetPathFromIDListW, SHGetMalloc, ShellExecuteExW, ShellExecuteW, CommandLineToArgvW |
KERNEL32.dll | HeapAlloc, LocalFree, GetProcessHeap, GetFileAttributesW, LoadLibraryW, CloseHandle, GetProcAddress, FreeLibrary, GetCurrentProcess, GetVersionExW, GetModuleHandleW, ExpandEnvironmentStringsW, InitializeCriticalSectionAndSpinCount, WaitForSingleObject, CreateProcessW, GetModuleFileNameW, GetCurrentDirectoryW, SetCurrentDirectoryW, SetFileApisToOEM, SetPriorityClass, SetThreadPriority, GetEnvironmentVariableW, GetCurrentThread, GetCommandLineW, FindResourceW, FindFirstFileW, FindNextFileW, FindClose, GetLongPathNameW, CreateFileW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, GetCurrentThreadId, LoadLibraryExW, WriteFile, SetFileTime, SetEndOfFile, FormatMessageW, InterlockedExchangeAdd, ReadFile, SetFilePointer, GetFileSize, ResumeThread, GetACP, GetLastError, WideCharToMultiByte, CreateDirectoryW, GetFullPathNameW, lstrlenW, RemoveDirectoryW, GetTempPathW, SetFileAttributesW, DeleteFileW, GetWindowsDirectoryW, MoveFileExW, GetTempFileNameW, MoveFileW, CreateEventW, SetEvent, ResetEvent, WaitForMultipleObjects, GetCurrentProcessId, FileTimeToSystemTime, WriteConsoleW, DecodePointer, FlushFileBuffers, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapReAlloc, HeapSize, SetStdHandle, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetCPInfo, GetOEMCP, IsValidCodePage, FindFirstFileExW, LCMapStringW, HeapFree, MultiByteToWideChar, VirtualFree, VirtualAlloc, GetStringTypeW, ExitProcess, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, CreateThread, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, WaitForSingleObjectEx, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead, GetStdHandle, GetFileType, RtlUnwind, RaiseException, SetLastError, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree |
USER32.dll | DispatchMessageW, SetTimer, IsDialogMessageW, TranslateMessage, LoadIconW, KillTimer, PostQuitMessage, EnableWindow, ScreenToClient, IsWindow, MessageBoxW, ShowWindow, PostMessageW, GetWindowRect, SetWindowPos, DialogBoxParamW, SendMessageW, EndDialog, SetWindowTextW, SetFocus, GetDlgItem, GetWindowTextW, IsWindowVisible, CreateDialogParamW, GetMessageW, GetDesktopWindow, LoadStringW, DestroyIcon, GetSystemMetrics |
GDI32.dll | CreateSolidBrush, DeleteObject |
ole32.dll | CoCreateInstance, CoInitializeEx, CoUninitialize, CoInitialize |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Chinese | China | |
English | United States | |
Target ID: | 0 |
Start time: | 13:42:56 |
Start date: | 11/06/2024 |
Path: | C:\Users\user\Desktop\vm-uw.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1e0000 |
File size: | 580'475 bytes |
MD5 hash: | 78C6129BFD81F88CFB7171CAF2D386A1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 2 |
Start time: | 13:42:56 |
Start date: | 11/06/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1c0000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 13:42:56 |
Start date: | 11/06/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff66e660000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 4 |
Start time: | 13:42:56 |
Start date: | 11/06/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1c0000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 5 |
Start time: | 13:42:56 |
Start date: | 11/06/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff66e660000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 6 |
Start time: | 13:42:56 |
Start date: | 11/06/2024 |
Path: | C:\Windows\SysWOW64\mode.com |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x640000 |
File size: | 26'624 bytes |
MD5 hash: | FB615848338231CEBC16E32A3035C3F8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 7 |
Start time: | 13:42:57 |
Start date: | 11/06/2024 |
Path: | C:\Windows\SysWOW64\PING.EXE |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8c0000 |
File size: | 18'944 bytes |
MD5 hash: | B3624DD758CCECF93A1226CEF252CA12 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 8 |
Start time: | 13:42:57 |
Start date: | 11/06/2024 |
Path: | C:\Windows\SysWOW64\PING.EXE |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8c0000 |
File size: | 18'944 bytes |
MD5 hash: | B3624DD758CCECF93A1226CEF252CA12 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 9 |
Start time: | 13:43:00 |
Start date: | 11/06/2024 |
Path: | C:\Windows\Fonts\systkm32\csrss.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 18'432 bytes |
MD5 hash: | C43D1B84143FB2561F22E1A2C8FACF53 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Antivirus matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 10 |
Start time: | 13:43:00 |
Start date: | 11/06/2024 |
Path: | C:\Windows\SysWOW64\PING.EXE |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8c0000 |
File size: | 18'944 bytes |
MD5 hash: | B3624DD758CCECF93A1226CEF252CA12 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 11 |
Start time: | 13:43:03 |
Start date: | 11/06/2024 |
Path: | C:\Windows\SysWOW64\reg.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2e0000 |
File size: | 59'392 bytes |
MD5 hash: | CDD462E86EC0F20DE2A1D781928B1B0C |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 12 |
Start time: | 13:43:03 |
Start date: | 11/06/2024 |
Path: | C:\Windows\SysWOW64\reg.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2e0000 |
File size: | 59'392 bytes |
MD5 hash: | CDD462E86EC0F20DE2A1D781928B1B0C |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 13 |
Start time: | 13:43:03 |
Start date: | 11/06/2024 |
Path: | C:\Windows\SysWOW64\reg.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2e0000 |
File size: | 59'392 bytes |
MD5 hash: | CDD462E86EC0F20DE2A1D781928B1B0C |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 14 |
Start time: | 13:43:03 |
Start date: | 11/06/2024 |
Path: | C:\Windows\SysWOW64\reg.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2e0000 |
File size: | 59'392 bytes |
MD5 hash: | CDD462E86EC0F20DE2A1D781928B1B0C |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 15 |
Start time: | 13:43:03 |
Start date: | 11/06/2024 |
Path: | C:\Windows\SysWOW64\reg.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2e0000 |
File size: | 59'392 bytes |
MD5 hash: | CDD462E86EC0F20DE2A1D781928B1B0C |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 16 |
Start time: | 13:43:03 |
Start date: | 11/06/2024 |
Path: | C:\Windows\SysWOW64\PING.EXE |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8c0000 |
File size: | 18'944 bytes |
MD5 hash: | B3624DD758CCECF93A1226CEF252CA12 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 17 |
Start time: | 13:43:06 |
Start date: | 11/06/2024 |
Path: | C:\Windows\SysWOW64\sc.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xf80000 |
File size: | 61'440 bytes |
MD5 hash: | D9D7684B8431A0D10D0E76FE9F5FFEC8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 18 |
Start time: | 13:43:06 |
Start date: | 11/06/2024 |
Path: | C:\Windows\Fonts\systkm32\svchost.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1000000 |
File size: | 8'192 bytes |
MD5 hash: | 4635935FC972C582632BF45C26BFCB0E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Antivirus matches: | |
Has exited: | true |
Target ID: | 19 |
Start time: | 13:43:06 |
Start date: | 11/06/2024 |
Path: | C:\Windows\SysWOW64\PING.EXE |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8c0000 |
File size: | 18'944 bytes |
MD5 hash: | B3624DD758CCECF93A1226CEF252CA12 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 20 |
Start time: | 13:43:10 |
Start date: | 11/06/2024 |
Path: | C:\Windows\SysWOW64\regini.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x6d0000 |
File size: | 41'472 bytes |
MD5 hash: | C99C3BB423097FCF4990539FC1ED60E3 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 23 |
Start time: | 13:43:41 |
Start date: | 11/06/2024 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7403e0000 |
File size: | 55'320 bytes |
MD5 hash: | B7F884C1B74A263F746EE12A5F7C9F6A |
Has elevated privileges: | true |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Has exited: | false |
Execution Graph
Execution Coverage: | 10.5% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 5.5% |
Total number of Nodes: | 2000 |
Total number of Limit Nodes: | 42 |
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
001E51C0 | 24.6 | 7 | 7 | 60 | library, loader, COMMON |
001F7C90 | 7.9 | 5 | | 428 | file, COMMON |
0020F8DE | .8 | | | 792 | COMMON |
001EB123 | 37.0 | 15 | 6 | 279 | thread, file, COMMON |
001E9B6D | 36.2 | 24 | | 210 | COMMON |
001E6100 | 24.9 | 11 | 3 | 406 | synchronization, window, COMMON |
001EAC1F | 24.8 | 13 | 1 | 303 | window, COMMON |
001E9F25 | 17.8 | 8 | 2 | 275 | window, COMMON |
001F5600 | 15.4 | 10 | | 357 | COMMON |
001F81F0 | 10.9 | 7 | | 364 | COMMON |
001F3A90 | 7.8 | 5 | | 250 | file, COMMON |
001F5C10 | 7.6 | 5 | | 102 | thread, COMMON |
0020146A | 7.0 | 2 | 2 | 13 | library, loader, COMMON |
001F73F0 | 6.2 | 4 | | 189 | file, COMMON |
001E9357 | 6.2 | 4 | | 164 | window, COMMON |
001F5480 | 5.4 | 2 | 1 | 118 | file, COMMON |
001F9D50 | 4.7 | 3 | | 235 | file, COMMON |
001F5B10 | 4.6 | 3 | | 75 | COMMON |
001FA943 | 4.6 | 3 | | 68 | COMMON |
0022093B | 4.6 | 3 | | 54 | thread, COMMON |
001EAB81 | 4.5 | 3 | | 39 | window, COMMON |
0022089B | 4.5 | 3 | | 31 | thread, COMMON |
001F8680 | 3.2 | 2 | | 162 | COMMON |
001FA0B0 | 3.0 | 2 | | 43 | COMMON |
0021B1A7 | 3.0 | 2 | | 38 | COMMON |
002207E7 | 3.0 | 2 | | 38 | thread, COMMON |
001FC65C | 2.3 | 1 | | 751 | COMMON |
001FD084 | 2.0 | 1 | | 783 | COMMON |
00208F27 | 1.6 | 1 | | 107 | COMMON |
001E9226 | 1.6 | 1 | | 93 | COMMON |
001E8FE7 | 1.6 | 1 | | 93 | COMMON |
001E6CA8 | 1.6 | 1 | | 68 | COMMON |
00212A40 | 1.6 | 1 | | 67 | time, COMMON |
001ED8B0 | 1.6 | 1 | | 64 | COMMON |
001F4B50 | 1.6 | 1 | | 56 | file, COMMON |
00225D4B | 1.6 | 1 | | 52 | COMMON |
002248FD | 1.5 | 1 | | 39 | memory, COMMON, LIBRARYCODE |
002231BF | 1.5 | 1 | | 32 | memory, COMMON, LIBRARYCODE |
001EA644 | 1.5 | 1 | | 23 | window, COMMON |
001E6ED8 | 1.5 | 1 | | 23 | window, COMMON |
001E713D | 1.5 | 1 | | 20 | window, COMMON |
001E6E9E | 1.5 | 1 | | 20 | window, COMMON |
001E6EDC | 1.5 | 1 | | 20 | window, COMMON |
00212940 | 1.5 | 1 | | 18 | COMMON |
0020E8B6 | 1.5 | 1 | | 12 | COMMON |
001E5264 | 1.5 | 1 | | 5 | COMMON |
00219F9D | 1.3 | 1 | | 53 | memory, COMMON |
002195B2 | 1.3 | 1 | | 42 | COMMON |
001F2C50 | 19.7 | 6 | 5 | 495 | library, loader, COMMON |
001F3F50 | 10.9 | 5 | 1 | 370 | window, COMMON |
001F3D50 | 9.2 | 6 | | 171 | file, COMMON |
001E16C0 | 7.6 | | 6 | 129 | COMMON |
0021EF9A | 7.1 | 3 | 1 | 78 | COMMON, LIBRARYCODE |
001EC600 | 6.5 | 4 | | 515 | COMMON |
001F8F60 | 5.2 | 3 | | 710 | COMMON |
00226D60 | 3.5 | 2 | | 464 | COMMON |
00217C58 | 2.4 | | 1 | 1131 | COMMON |
0020DC0C | 1.9 | | 1 | 641 | COMMON |
002189EC | 1.7 | 1 | | 164 | COMMON |
0021BD0E | 1.5 | 1 | | 3 | COMMON |
001E1CE0 | 1.3 | 1 | | 29 | COMMON |
00225C60 | 1.3 | 1 | | 5 | memory, COMMON |
001EE680 | .7 | | | 735 | COMMON |
0022C6B9 | .6 | | | 637 | COMMON |
001E1000 | .6 | | | 598 | COMMON |
00215958 | .5 | | | 532 | COMMON |
00218D8D | .3 | | | 308 | COMMON |
00205306 | .3 | | | 298 | COMMON |
0021FC5D | .2 | | | 237 | COMMON |
002175E5 | .2 | | | 175 | COMMON |
001FA160 | .1 | | | 136 | COMMON |
00217ADE | .1 | | | 128 | COMMON |
002130A0 | .1 | | | 104 | COMMON |
00218BEC | .1 | | | 100 | COMMON |
0022DD1B | .1 | | | 70 | COMMON |
001E1B00 | .0 | | | 46 | COMMON |
001E1A90 | .0 | | | 34 | COMMON |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 001E1D80 Relevance: .0, Instructions: 23COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 001E18A0 Relevance: .0, Instructions: 7COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 001E4C00 Relevance: 38.7, APIs: 14, Strings: 8, Instructions: 230libraryloadersynchronizationCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00226439 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00222DE6 Relevance: 15.1, APIs: 10, Instructions: 54COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00222EDA Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 50COMMONLIBRARYCODE
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0022932D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00222F5E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 53COMMONLIBRARYCODE
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00224A8B Relevance: 9.2, APIs: 6, Instructions: 216COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 001E503B Relevance: 9.1, APIs: 6, Instructions: 68windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00221838 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 001F1F00 Relevance: 7.8, APIs: 5, Instructions: 337COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 001EA35D Relevance: 7.6, APIs: 5, Instructions: 107windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 001E4F3E Relevance: 7.6, APIs: 5, Instructions: 71windowCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0020408C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 002235A9 Relevance: 6.3, APIs: 4, Instructions: 305COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 001F8860 Relevance: 6.3, APIs: 4, Instructions: 251stringCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0022629F Relevance: 6.1, APIs: 4, Instructions: 110COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 001E5472 Relevance: 6.1, APIs: 4, Instructions: 59COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00224335 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 001E607E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54processCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 002257D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Execution Graph
Execution Coverage: 16.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 7.4%
Total number of Nodes: 244
Total number of Limit Nodes: 5
Graph
Callgraph
Function 004010E0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 47 (service, COMMON)
Function 0040300E Relevance: 4.6, APIs: 3, Instructions: 124 (COMMON)
Function 00402560 Relevance: 4.6, APIs: 3, Instructions: 78 (COMMON)
Function 00402EDA Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 60 (memory, COMMON)
Function 004012AC Relevance: 4.6, APIs: 3, Instructions: 58 (COMMON)
Function 00402E56 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 43 (memory, COMMON)
Function 0040120D Relevance: 1.5, APIs: 1, Instructions: 35 (COMMON)
Function 00402675 Relevance: 1.3, APIs: 1, Instructions: 27 (memory, COMMON)
Function 00401070 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 30 (service, COMMON)
Function 00401000 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37 (service, COMMON)
Execution Graph
Execution Coverage: 26.8%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 2.2%
Total number of Nodes: 138
Total number of Limit Nodes: 3
Graph
Callgraph
Function 01001493 Relevance: 93.5, APIs: 38, Strings: 15, Instructions: 704 (registry, process, sleep, COMMON)
Function 0100204F Relevance: 13.6, APIs: 9, Instructions: 87 (COMMON)
Function 01001F82 Relevance: 19.6, APIs: 13, Instructions: 85 (COMMON)
Function 01002338 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 40 (library, loader, time, COMMON)
Function 01001E2D Relevance: 12.1, APIs: 4, Strings: 4, Instructions: 107 (string, COMMON)