Windows
Analysis Report
SHIPMENTDOCUMENTSPDF.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64native
- SHIPMENTDOCUMENTSPDF.exe (PID: 6764 cmdline:
"C:\Users\ user\Deskt op\SHIPMEN TDOCUMENTS PDF.exe" MD5: DB995BCBC1B1FFE95CBDE7F316B577BC)
- cleanup
{"C2 url": "goodies.dynamic-dns.net", "port": 5200}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth |
| |
JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | ||
Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth |
| |
Click to see the 5 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth |
| |
Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth |
| |
JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | ||
Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth |
| |
Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth |
| |
Click to see the 25 entries |
Click to jump to signature section
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | Virustotal: | Perma Link | ||
Source: | Metadefender: | Perma Link | ||
Source: | ReversingLabs: |
Source: | Avira: |
Source: | Avira URL Cloud: |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Avira: | ||
Source: | Avira: |
Source: | Code function: | 2_2_0312A632 | |
Source: | Code function: | 2_2_0312CAFC | |
Source: | Code function: | 2_2_0312CF58 | |
Source: | Code function: | 2_2_0312CC54 | |
Source: | Code function: | 2_2_0312CCB4 | |
Source: | Code function: | 2_2_0312B15E |
Exploits |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Static PE information: |
Source: | Directory created: | Jump to behavior |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | 2_2_0312FF27 | |
Source: | Code function: | 2_2_03129DF6 |
Source: | Code function: | 2_2_0313002B |
Networking |
---|
Source: | URLs: |
Source: | Code function: | 2_2_031227D3 |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Code function: | 2_2_031227D3 |
Source: | Code function: | 2_2_0312902E |
Source: | Code function: | 2_2_031289D5 |
E-Banking Fraud |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Code function: | 2_2_007D0E50 | |
Source: | Code function: | 2_2_0077EE20 | |
Source: | Code function: | 2_2_0077F730 | |
Source: | Code function: | 2_2_03131BF8 | |
Source: | Code function: | 2_2_02731537 |
Source: | Section loaded: | Jump to behavior |
Source: | Virustotal: | ||
Source: | Metadefender: | ||
Source: | ReversingLabs: |
Source: | File read: | Jump to behavior |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Code function: | 2_2_0312F619 |
Source: | Classification label: |
Source: | Code function: | 2_2_0077C250 |
Source: | Code function: | 2_2_0312D508 |
Source: | Code function: | 2_2_031320B8 |
Source: | Code function: | 2_2_0077EBA0 |
Source: | File created: | Jump to behavior |
Source: | Static file information: |
Source: | Directory created: | Jump to behavior |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | 2_2_031211A4 | |
Source: | Code function: | 2_2_031211CC | |
Source: | Code function: | 2_2_02720AE3 | |
Source: | Code function: | 2_2_02720B0B | |
Source: | Code function: | 2_2_02733EA3 |
Source: | Static PE information: |
Source: | Code function: | 2_2_0312F51D |
Source: | Code function: | 2_2_0312D418 |
Source: | Code function: | 2_2_031227D3 |
Source: | Code function: | 2_2_0312A6C8 | |
Source: | Code function: | 2_2_0312AC0A |
Source: | Code function: | 2_2_0312D508 |
Hooking and other Techniques for Hiding and Protection |
---|
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Thread sleep count: | Jump to behavior |
Source: | Code function: | 2_2_0312DA5B |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Evaded block: | graph_2-57950 |
Source: | API coverage: |
Source: | Code function: | 2_2_007D520F |
Source: | Code function: | 2_2_0312FF27 | |
Source: | Code function: | 2_2_03129DF6 |
Source: | Code function: | 2_2_0313002B |
Source: | Binary or memory string: |
Source: | Code function: | 2_2_00784490 |
Source: | Code function: | 2_2_007D520F |
Source: | Code function: | 2_2_0312F51D |
Source: | Code function: | 2_2_00776870 |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Code function: | 2_2_007DA290 | |
Source: | Code function: | 2_2_03130619 | |
Source: | Code function: | 2_2_03130620 | |
Source: | Code function: | 2_2_0313094E | |
Source: | Code function: | 2_2_0273028D | |
Source: | Code function: | 2_2_02720467 | |
Source: | Code function: | 2_2_027384B1 | |
Source: | Code function: | 2_2_0272FF58 | |
Source: | Code function: | 2_2_0272FF5F |
Source: | Code function: | 2_2_00784490 | |
Source: | Code function: | 2_2_00784740 | |
Source: | Code function: | 2_2_00782EB0 | |
Source: | Code function: | 2_2_0079B370 |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Code function: | 2_2_031279E8 | |
Source: | Code function: | 2_2_03131FD8 |
Source: | Code function: | 2_2_031320B8 |
Source: | Code function: | 2_2_031318BA |
Source: | Code function: | 2_2_0312F56D |
Source: | Code function: | 2_2_0312F93F |
Source: | Code function: | 2_2_00784870 |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Code function: | 2_2_0312A29A | |
Source: | Code function: | 2_2_0312A29A | |
Source: | Code function: | 2_2_0312A29A |
Source: | Code function: | 2_2_0312C1B2 | |
Source: | Code function: | 2_2_0312C1B2 |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 21 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | 2 Service Execution | 1 Create Account | 1 Access Token Manipulation | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 System Service Discovery | Remote Desktop Protocol | 21 Input Capture | Exfiltration Over Bluetooth | 2 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | 1 Windows Service | 1 Windows Service | 2 Obfuscated Files or Information | 1 Credentials In Files | 2 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | 11 Process Injection | 1 Software Packing | NTDS | 14 System Information Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 21 Security Software Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 2 Masquerading | Cached Domain Credentials | 1 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Virtualization/Sandbox Evasion | DCSync | 1 Process Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 11 Process Injection | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction | |
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | 1 Hidden Users | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
58% | Virustotal | Browse | ||
24% | Metadefender | Browse | ||
62% | ReversingLabs | Win32.Trojan.AveMariaRat | ||
100% | Avira | TR/AD.MortyStealer.vctqk |
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
100% | Avira | TR/Patched.Ren.Gen3 | Download File | ||
100% | Avira | TR/Redcap.ghjpt | Download File |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
3% | Virustotal | Browse | ||
100% | Avira URL Cloud | phishing |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true |
| unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high |
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 598602 |
Start date and time: | 2022-03-28 18:37:46 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 5m 16s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | SHIPMENTDOCUMENTSPDF.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301 |
Run name: | Suspected Instruction Hammering |
Number of analysed new started processes analysed: | 13 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.spyw.expl.evad.winEXE@1/0@0/0 |
EGA Information: |
|
HDC Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe
- Excluded domains from analysis (whitelisted): wdcpalt.microsoft.com, ctldl.windowsupdate.com, wdcp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
File type: | |
Entropy (8bit): | 3.945070832085131 |
TrID: |
|
File name: | SHIPMENTDOCUMENTSPDF.exe |
File size: | 2554880 |
MD5: | db995bcbc1b1ffe95cbde7f316b577bc |
SHA1: | 95049e53f64a1b5050d697d88ccc8bf62d58e3f6 |
SHA256: | bb95fa20a55260f729584b7932c7dba208dcc5b0a7597be447a72e481e0dcb09 |
SHA512: | c09beeab2ab7c7b65d92547f1559409012a2b1f787b4d399d8c745bf16ed2178261c64ae089582123b0111a385ba6c7d698091fe4ce72ab8af1f17a40214f120 |
SSDEEP: | 12288:3BEnRe1ljhm1xvNkPJziiPuumDNWnr3Q5WOVI6L4qj7neunRxHfk7D4pa7+oJb:+o1ld8r2JUNJ5WOVI6L7jr/ |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......M5h4.T.g.T.g.T.gf0.f.T.gf0.f.T.gf0.f.T.g.#.f.T.g.#.f.T.g.#.f:T.gf0.f.T.gf0.f.T.g.T.g.T.g.#.f.T.g.#.g.T.g.#.f.T.gRich.T.g....... |
Icon Hash: | 00828e8e8686b000 |
Entrypoint: | 0x4010af |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE |
DLL Characteristics: | TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x620E49BC [Thu Feb 17 13:12:28 2022 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 05bdc6a6adf04eca38d0953caca5e0fa |
Instruction |
---|
jmp 00007F21008CDD81h |
jmp 00007F210094BFACh |
jmp 00007F2100920537h |
jmp 00007F21008CEBB2h |
jmp 00007F2100955B1Dh |
jmp 00007F21008D3F78h |
jmp 00007F21008D9B53h |
jmp 00007F21008B0E9Eh |
jmp 00007F21008C2BD9h |
jmp 00007F21008C2024h |
jmp 00007F210095390Fh |
jmp 00007F21008D517Ah |
jmp 00007F210090F5C5h |
jmp 00007F21008CDD00h |
jmp 00007F21008F6E6Bh |
jmp 00007F21008C16E6h |
jmp 00007F21008F1A71h |
jmp 00007F21008B0E0Ch |
jmp 00007F21008FC737h |
jmp 00007F210092663Eh |
jmp 00007F210090591Dh |
jmp 00007F21008FC2C8h |
jmp 00007F21008D1BB3h |
jmp 00007F21008D4C8Eh |
jmp 00007F2100905BA9h |
jmp 00007F21009123E4h |
jmp 00007F210092729Fh |
jmp 00007F2100910E7Ah |
jmp 00007F21008D1995h |
jmp 00007F210090FF10h |
jmp 00007F21008D199Bh |
jmp 00007F21009344D6h |
jmp 00007F21008F6C11h |
jmp 00007F21008D1D0Ch |
jmp 00007F21008B34A7h |
jmp 00007F21008B0852h |
jmp 00007F21008F145Dh |
jmp 00007F21008CB668h |
jmp 00007F21008D4C63h |
jmp 00007F210095167Eh |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x26b43c | 0xc8 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x26f000 | 0x43c | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x270000 | 0x6004 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xfdeb0 | 0x38 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0xfea0c | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xfdee8 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x26b000 | 0x43c | .idata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xd1f14 | 0xd2000 | False | 0.273263113839 | data | 5.42725734583 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0xd3000 | 0x2e7dc | 0x2e800 | False | 0.167485719086 | data | 3.57125252786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x102000 | 0x168e58 | 0x165000 | False | 0.111753490459 | data | 1.96106010749 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.idata | 0x26b000 | 0x15f0 | 0x1600 | False | 0.334339488636 | data | 4.55588507155 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.tls | 0x26d000 | 0x309 | 0x400 | False | 0.021484375 | data | 0.0111738187212 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.00cfg | 0x26e000 | 0x10e | 0x200 | False | 0.03515625 | data | 0.110557131259 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x26f000 | 0x43c | 0x600 | False | 0.182291666667 | data | 2.14297088193 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x270000 | 0x7d11 | 0x7e00 | False | 0.57902405754 | data | 5.74904151788 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_MANIFEST | 0x26f170 | 0x17d | XML 1.0 document text | English | United States |
DLL | Import |
---|---|
KERNEL32.dll | HeapFree, HeapSize, GetProcessHeap, InitializeCriticalSectionEx, DeleteCriticalSection, Sleep, VirtualAlloc, VirtualProtect, FindResourceExW, LoadResource, LockResource, SizeofResource, FindResourceW, MultiByteToWideChar, WideCharToMultiByte, FreeConsole, AcquireSRWLockExclusive, AssignProcessToJobObject, CloseHandle, CompareStringW, ConnectNamedPipe, CreateDirectoryW, CreateEventW, HeapReAlloc, GetProcessId, GetProcessTimes, GetQueuedCompletionStatus, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemDefaultLCID, GetSystemDirectoryW, IsValidLocale, IsWow64Process, K32GetPerformanceInfo, K32GetProcessMemoryInfo, K32QueryWorkingSetEx, ReadConsoleW, ReadFile, SetFilePointerEx, GetConsoleMode, GetConsoleCP, FlushFileBuffers, SetStdHandle, HeapQueryInformation, SetEnvironmentVariableW, FreeEnvironmentStringsW, HeapAlloc, HeapDestroy, SetLastError, GetLastError, RaiseException, GetProcessHeaps, DecodePointer, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, SetConsoleCtrlHandler, WriteConsoleW, GetFileType, EnumSystemLocalesW, GetUserDefaultLCID, GetLocaleInfoW, CreateFileW, LCMapStringW, GetTimeFormatW, GetDateFormatW, GetCurrentThread, WriteFile, HeapValidate, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, IsDebuggerPresent, OutputDebugStringW, EnterCriticalSection, LeaveCriticalSection, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, SetEvent, ResetEvent, WaitForSingleObjectEx, GetModuleHandleW, GetProcAddress, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, InterlockedPushEntrySList, InterlockedFlushSList, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, GetSystemInfo, VirtualQuery |
USER32.dll | GetActiveWindow, SetProcessWindowStation, TranslateMessage, UnregisterClassW, SendMessageTimeoutW, MessageBoxW, SetProcessDPIAware, UnregisterClassA |
ADVAPI32.dll | GetKernelObjectSecurity, GetAce, FreeSid, EventWrite, EventUnregister, GetLengthSid |
ole32.dll | CoTaskMemRealloc, CoTaskMemFree, CoInitialize, CoUninitialize, CoCreateInstance |
OLEAUT32.dll | SysAllocString, VariantCopy, SysAllocStringLen, SysFreeString, SafeArrayDestroy, VariantInit, VariantClear, VariantChangeType |
SHLWAPI.dll | PathMatchSpecW |
USERENV.dll | DestroyEnvironmentBlock, CreateEnvironmentBlock |
VERSION.dll | VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW |
WINMM.dll | timeGetTime |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Target ID: | 2 |
Start time: | 20:39:38 |
Start date: | 28/03/2022 |
Path: | C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x750000 |
File size: | 2554880 bytes |
MD5 hash: | DB995BCBC1B1FFE95CBDE7F316B577BC |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Execution Graph
Execution Coverage: | 1.1% |
Dynamic/Decrypted Code Coverage: | 97% |
Signature Coverage: | 0.8% |
Total number of Nodes: | 372 |
Total number of Limit Nodes: | 16 |
Graph
Function 0075DE20 Relevance: 84.3, APIs: 6, Strings: 42, Instructions: 295windowmemorysleepCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03133457 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 188registrystringCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0313290F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 138comCOMMON
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 031299A8 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 38libraryCOMMON
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0272002D Relevance: 7.9, APIs: 5, Instructions: 392memoryCOMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03125CE2 Relevance: 6.1, APIs: 4, Instructions: 55COMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03131E21 Relevance: 6.0, APIs: 4, Instructions: 48fileCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03131D0C Relevance: 3.0, APIs: 2, Instructions: 14sleepCOMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03121085 Relevance: 3.0, APIs: 2, Instructions: 6memoryCOMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 031231D4 Relevance: 1.5, APIs: 1, Instructions: 27COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03123335 Relevance: 1.5, APIs: 1, Instructions: 25stringCOMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 031258D3 Relevance: 1.5, APIs: 1, Instructions: 23networkCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312FDA5 Relevance: 1.5, APIs: 1, Instructions: 20COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03133058 Relevance: 1.5, APIs: 1, Instructions: 16threadCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03125558 Relevance: 1.5, APIs: 1, Instructions: 12networkCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312F71F Relevance: 1.5, APIs: 1, Instructions: 8COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03130969 Relevance: 1.3, APIs: 1, Instructions: 49stringCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03132C91 Relevance: 1.3, APIs: 1, Instructions: 46COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03125E22 Relevance: 1.3, APIs: 1, Instructions: 17memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03129FCE Relevance: 1.3, APIs: 1, Instructions: 9COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03125EB4 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03125EA5 Relevance: 1.3, APIs: 1, Instructions: 5COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 031289D5 Relevance: 45.8, APIs: 17, Strings: 9, Instructions: 286keyboardCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312902E Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 277registrystringwindowCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312C1B2 Relevance: 35.2, Strings: 28, Instructions: 218COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312A29A Relevance: 31.8, APIs: 9, Strings: 9, Instructions: 296registryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312AC0A Relevance: 30.2, APIs: 5, Strings: 12, Instructions: 406filestringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312D508 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 55servicesleepCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312DA5B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167servicestringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 031279E8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 97injectionmemorythreadCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03129DF6 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 61fileCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03131FD8 Relevance: 13.6, APIs: 9, Instructions: 81injectionmemorythreadCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 031318BA Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48registryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312CF58 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127memoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 031320B8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45processCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312A632 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62memoryencryptionstringCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312F51D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0077F730 Relevance: 6.3, Strings: 4, Instructions: 1315COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 007D520F Relevance: 6.1, APIs: 4, Instructions: 86memoryCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00784490 Relevance: 6.1, APIs: 4, Instructions: 79COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312F56D Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00782EB0 Relevance: 6.0, APIs: 4, Instructions: 13COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0077EE20 Relevance: 5.6, Strings: 4, Instructions: 573COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 031227D3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82filenetworkCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0313002B Relevance: 4.6, APIs: 3, Instructions: 90COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0079B370 Relevance: 4.6, APIs: 3, Instructions: 81COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0077EBA0 Relevance: 4.6, APIs: 3, Instructions: 62COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312F619 Relevance: 4.6, APIs: 3, Instructions: 60COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 007D0E50 Relevance: 4.4, Strings: 3, Instructions: 602COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312FF27 Relevance: 3.1, APIs: 2, Instructions: 82fileCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312D418 Relevance: 3.1, APIs: 2, Instructions: 57COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0077C250 Relevance: 1.6, APIs: 1, Instructions: 79comCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00784740 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00776870 Relevance: 1.3, APIs: 1, Instructions: 46memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 027384B1 Relevance: .1, Instructions: 93COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312F93F Relevance: .1, Instructions: 89COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02720467 Relevance: .1, Instructions: 80COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02731537 Relevance: .1, Instructions: 63COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03131BF8 Relevance: .1, Instructions: 63COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 007DA290 Relevance: .0, Instructions: 27COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0272FF5F Relevance: .0, Instructions: 20COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03130620 Relevance: .0, Instructions: 20COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0273028D Relevance: .0, Instructions: 11COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0313094E Relevance: .0, Instructions: 11COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0272FF58 Relevance: .0, Instructions: 2COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03130619 Relevance: .0, Instructions: 2COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312B67E Relevance: 47.5, APIs: 10, Strings: 17, Instructions: 219libraryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 031295AA Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 214windowstringregistryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312A0D8 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 160registrystringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03131AB9 Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 90sleepregistrystringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 031330C9 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 122filestringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 031330D5 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 119filestringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312882F Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 135windowstringfileCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03128E66 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 147filestringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312E3FA Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 237registryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03131136 Relevance: 19.5, APIs: 4, Strings: 7, Instructions: 278fileCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312D58D Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 71serviceCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312DCB2 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 111registryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00783310 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 50libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312C4A8 Relevance: 14.4, APIs: 4, Strings: 4, Instructions: 371fileCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03129ADF Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 229fileCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312F80E Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 130comCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03131F13 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 75sleepprocessmemoryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312C118 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 56registrystringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0313273A Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 175comCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03122961 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 108processthreadCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0076BA30 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 88memoryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312B559 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 54libraryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312D49C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 52serviceCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 031319C9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 49registrystringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03125CA3 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 20libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03125F6A Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 14libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03132D0A Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 168comCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03127948 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64sleepprocessmemoryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03131855 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38registrystringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03127CB7 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 031257FB Relevance: 9.1, APIs: 6, Instructions: 75networksynchronizationCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312562F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 151networkCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03122CEC Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 107stringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03130B2A Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 61windowCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03131936 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55memorystringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312CE83 Relevance: 8.8, APIs: 7, Instructions: 35COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03129D9A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34registryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312EF4F Relevance: 7.7, APIs: 5, Instructions: 192COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312EE9A Relevance: 7.6, APIs: 5, Instructions: 70networkCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312990A Relevance: 7.5, APIs: 5, Instructions: 45COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03130C79 Relevance: 7.5, APIs: 5, Instructions: 44processCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312B627 Relevance: 7.5, APIs: 5, Instructions: 25COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312B9A9 Relevance: 7.5, APIs: 5, Instructions: 25COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312FA42 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03133273 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48stringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03133702 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46stringCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00769B70 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34memoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0079AC30 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34libraryCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312F4CE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03130C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312D17D Relevance: 6.3, APIs: 5, Instructions: 92COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00774CA0 Relevance: 6.1, APIs: 4, Instructions: 97COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312F69F Relevance: 6.1, APIs: 4, Instructions: 54libraryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 031247EA Relevance: 6.0, APIs: 4, Instructions: 46COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312FBFC Relevance: 6.0, APIs: 4, Instructions: 37COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312EA89 Relevance: 6.0, APIs: 4, Instructions: 35threadsynchronizationCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 007747A0 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 30memoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312FCB8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65registryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312DE1F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60registryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0312D9B6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56registryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03132FD7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53processCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |