Windows
Analysis Report
LwNdQo4zIk.exe
Overview
General Information
Detection
Score: | 84 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- LwNdQo4zIk.exe (PID: 6072 cmdline: C:\Users\user\Desktop\LwNdQo4zIk.exe MD5: 3CCD6B369EB1DDE57D181E7550BD7268)
  - rundll32.exe (PID: 1568 cmdline: "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp",Uprsprhaot MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    - WerFault.exe (PID: 5192 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 960 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
- cleanup
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | |
| Windows_Trojan_Smokeloader_3687686f | unknown | unknown | |
AV Detection |
---|
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Joe Sandbox ML: |
Source: | Avira: |
Source: | Code function: | 0_2_004A7759 | |
Source: | Code function: | 0_2_004AB9D1 | |
Source: | Code function: | 0_2_004B01AF | |
Source: | Code function: | 0_2_004B035E | |
Source: | Code function: | 0_2_004B056E | |
Source: | Code function: | 0_2_004BA67F | |
Source: | Code function: | 0_2_004AF6E3 | |
Source: | Code function: | 0_2_004BA75C | |
Source: | Code function: | 0_2_004BA7D8 | |
Source: | Code function: | 0_2_004BA80E | |
Source: | Code function: | 0_2_004BA9DE | |
Source: | Code function: | 0_2_004C2A13 | |
Source: | Code function: | 0_2_004AFA91 | |
Source: | Code function: | 0_2_004A5B70 | |
Source: | Code function: | 0_2_004AEB1B | |
Source: | Code function: | 0_2_004A8D87 | |
Source: | Code function: | 1_2_6D51140C | |
Source: | Code function: | 1_2_6D507CD1 | |
Source: | Code function: | 1_2_6D500CD9 | |
Source: | Code function: | 1_2_6D4F9484 | |
Source: | Code function: | 1_2_6D500486 | |
Source: | Code function: | 1_2_6D50AF62 | |
Source: | Code function: | 1_2_6D4F3F01 | |
Source: | Code function: | 1_2_6D4E8F2B | |
Source: | Code function: | 1_2_6D4F279D | |
Source: | Code function: | 1_2_6D4E46B5 | |
Source: | Code function: | 1_2_6D4FE812 | |
Source: | Code function: | 1_2_6D509035 | |
Source: | Code function: | 1_2_6D4EC080 | |
Source: | Code function: | 1_2_6D4F1A58 | |
Source: | Code function: | 1_2_6D536A70 | |
Source: | Code function: | 1_2_6D4ECA64 | |
Source: | Code function: | 1_2_6D507ADA | |
Source: | Code function: | 1_2_6D4EEAE5 | |
Source: | Code function: | 1_2_6D500283 |
Compliance |
---|
Source: | Unpacked PE file: |
Source: | Static PE information: |
Source: | File opened: | Jump to behavior |
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | 0_2_004B7085 |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Static PE information: |
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Process created: |
Source: | Code function: | 0_2_004FA0B0 | |
Source: | Code function: | 0_2_004B4115 | |
Source: | Code function: | 0_2_004AB2C2 | |
Source: | Code function: | 0_2_004C13A5 | |
Source: | Code function: | 0_2_004DE3A7 | |
Source: | Code function: | 0_2_004A067F | |
Source: | Code function: | 0_2_004DD9E8 | |
Source: | Code function: | 1_2_6D51213A | |
Source: | Code function: | 1_2_6D4ECA64 | |
Source: | Code function: | 1_2_6D52822C |
Source: | Dropped File: |
Source: | Static PE information: |
Source: | Virustotal: |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | Code function: | 0_2_004B1333 |
Source: | Process created: |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | Classification label: |
Source: | File read: | Jump to behavior | ||
Source: | File read: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: |
Data Obfuscation |
---|
Source: | Unpacked PE file: |
Source: | Unpacked PE file: |
Source: | Code function: | 0_2_004F71C1 | |
Source: | Code function: | 0_2_004F0472 | |
Source: | Code function: | 0_2_004D6561 | |
Source: | Code function: | 0_2_004D867A | |
Source: | Code function: | 0_2_004EB891 | |
Source: | Code function: | 0_2_004A7A9F | |
Source: | Code function: | 0_2_004EAA73 | |
Source: | Code function: | 0_2_004F5B00 | |
Source: | Code function: | 0_2_004ABA8F | |
Source: | Code function: | 0_2_0046FFC0 | |
Source: | Code function: | 0_2_004C907D | |
Source: | Code function: | 0_2_004C947A | |
Source: | Code function: | 0_2_00491087 | |
Source: | Code function: | 0_2_004F30B2 | |
Source: | Code function: | 0_2_0047E101 | |
Source: | Code function: | 0_2_004A5090 | |
Source: | Code function: | 0_2_004AC0BA | |
Source: | Code function: | 0_2_004941DE | |
Source: | Code function: | 0_2_0049B298 | |
Source: | Code function: | 0_2_0046D29E | |
Source: | Code function: | 0_2_00498104 | |
Source: | Code function: | 0_2_004C50AC | |
Source: | Code function: | 0_2_0046F14E | |
Source: | Code function: | 0_2_0047B1AC | |
Source: | Code function: | 0_2_004D3029 | |
Source: | Code function: | 0_2_00480022 | |
Source: | Code function: | 0_2_004CD295 | |
Source: | Code function: | 0_2_004B8038 | |
Source: | Code function: | 0_2_004740C1 | |
Source: | Code function: | 0_2_004B7084 | |
Source: | Code function: | 0_2_004D110A |
Source: | File created: | Jump to dropped file |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Source: | Last function: |
Source: | API coverage: | ||
Source: | API coverage: |
Source: | Thread delayed: | Jump to behavior |
Source: | Process queried: | Jump to behavior | ||
Source: | Process queried: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Key value queried: | Jump to behavior |
Source: | Code function: | 0_2_004ADA35 |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | Path Interception | 2 Process Injection | 11 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 2 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 2 Process Injection | LSASS Memory | 11 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Rundll32 | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 22 Software Packing | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | 3 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
49% | Virustotal | Browse | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Joe Sandbox ML | |||
50% | ReversingLabs | Win32.Trojan.Lazy | ||
64% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
100% | Avira | TR/Crypt.ZPACK.Gen2 | Download File | ||
100% | Avira | HEUR/AGEN.1215478 | Download File | ||
100% | Avira | HEUR/AGEN.1215478 | Download File |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|

IP |
---|
192.168.2.1 |
Joe Sandbox Version: | 36.0.0 Rainbow Opal |
Analysis ID: | 778226 |
Start date and time: | 2023-01-05 08:42:09 +01:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 8m 36s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | LwNdQo4zIk.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 18 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal84.evad.winEXE@4/5@0/1 |
EGA Information: | |
HDC Information: | Failed |
HCA Information: | Failed |
Cookbook Comments:
- Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WerFault.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.189.173.20
- Excluded domains from analysis (whitelisted): fs.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, watson.telemetry.microsoft.com
- Not all processes where analyzed, report is missing behavior information
Time | Type | Description |
---|---|---|
08:43:03 | API Interceptor | |
08:43:16 | API Interceptor |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_8e16aed3aa5676a94a41f4f83e9862e56aba6f4_82810a17_1425c040\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.9238031503162372 |
Encrypted: | false |
SSDEEP: | 96:LPFHcXy6iX0iLoy1j95ax7JRFpXIW/a/z+HbHg/BQAS/YyNl4ttPMLUE+im2kMnj:LNcHiX0oXO5jed+C8/u7sZS274ItWc |
MD5: | 1BFEB11058C8F0BB373CB6CF153A0778 |
SHA1: | 263132033BE2FBF13326D18014ED6CBA5679F552 |
SHA-256: | 694A8F25313033647A0C215339A032A3940384A34D0E7D447C59E36756EBEEEA |
SHA-512: | CDB59ECE2D4485EBD8222FE367BFDD6F1546421A09F44DA4F22E05512417ABF72660048006E577AF13B70A9AA18E176599FD0057E1C925E83B8D253A3441B0BB |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 99428 |
Entropy (8bit): | 1.6906140255429625 |
Encrypted: | false |
SSDEEP: | 384:aoicjB5LbBGIyA59HVt1L62vdK7NUar8N4T43BK2ui:aYVbBGTYtVfLRdK7No3BFu |
MD5: | 50780291C9621B13A4FF8623A2BBE2BB |
SHA1: | 5A73D82C6DBF3E863F6AC117D9DE94D8CAAC23A2 |
SHA-256: | 0C7A8AD55D77C57B7A192A76445261FFDDD8DD3896D429D08B878962E3246F2D |
SHA-512: | 2836EAA3E4558D345BAA04D466A04CA9CC6CEBF35DEA0A513DE9BDEA27ECCA0A346BAD5A0F310C8B67D40A74A11DEFC9D8DAFDBE85279C92E56BD539C228D9C6 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 5888 |
Entropy (8bit): | 3.7191879909123386 |
Encrypted: | false |
SSDEEP: | 96:RtIU6o7r3GLt3inf06gY8QuSfGEapBCaM4Ur89bcnsfUN0m:Rrl7r3GLNif06gYTuS6Cprr89bcnsfUb |
MD5: | 6ADF754C003723A03EE3A377256262C0 |
SHA1: | 10F5D103CACFDC38016B3A8D8CA16BEB0687476E |
SHA-256: | CAA6CF56E6C7847994B0CEB900043FEC303314BD9FAACEE1B16464656D5FD1C4 |
SHA-512: | E620B88362E1B03905FEDF5C8670901D1E3BF2FCF317043BDD7646E7D8DC4E1B368F0E00B058DC71F0F56A33B7184D78D75654BBAF76C1E41F24F75FCC36B283 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4616 |
Entropy (8bit): | 4.436378949362253 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zsYJgtWI98W4kWgc8sqYjw8fm8M4JCdsTFMFK+q8/4FfySy4SrS6d:uITfeHW49grsqYBJxFbhFryDW6d |
MD5: | BD57B1779CA954969A44C07B14C99F29 |
SHA1: | 5EFB3672ACAB54E84E6D9CBFF14EE6F534631DC6 |
SHA-256: | 122D9C4B8656D30AB71091F342FA7A541AFF9B1822D6306404344BCEEEBB4C66 |
SHA-512: | 3726035D23C0F86A97513B3875AEAF9001F85615C85F963EFB2802C6A543EED535BC64E96E1BC374B3FB1486AB71D3AC7CEA2DFCF0D70AC626B0424E1E72BC70 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\LwNdQo4zIk.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 803328 |
Entropy (8bit): | 6.89627808323015 |
Encrypted: | false |
SSDEEP: | 24576:l8Jr+SgWH5UB/VdYQ/N7WqpWaQxYZYBsFn:OJrSBYqLY |
MD5: | C50C2F17112B6C6B0892CB2C1F502108 |
SHA1: | 3DD1444384BF790F5AA90AE95EF7745FA4CFAF72 |
SHA-256: | 20DC61C5456EA5756F432AEBECF74660ACEBF5ACE0F7C8D1B360757ED79075D8 |
SHA-512: | BFBFC3A13816A12E25C373F6739215B9DFF559FECFDF26C3358A452BDC833B6EAA64BBAE316F4B29B9E9CE802E9F50C66B533C8C3C1B372025A7F0B7D8B452F1 |
Malicious: | true |
Antivirus: | |
Joe Sandbox View: | |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 7.853487844881012 |
TrID: | |
File name: | LwNdQo4zIk.exe |
File size: | 1034752 |
MD5: | 3ccd6b369eb1dde57d181e7550bd7268 |
SHA1: | aee399e263c838570c00133feab275b81009e12a |
SHA256: | f5717aef9a4323816387603920b652a94ac0d9cedef36391cedd9cdcbfef7f60 |
SHA512: | 00bd3bb981e2a5bd4c30241025f352e9e528d76300e67fcdbe89ee9e12ecbba73b291aebd9b73f73a8aaa32e2a8b2d1b4d49796cdc11a1b891a313cf0a9dcc03 |
SSDEEP: | 24576:RFOWvM7bZBFpXlDpRjJ5JAXVm359Ov9UIrczuX:RguWRNpRjJPgAp9ucz |
TLSH: | B7251201329194A7C1CA6A3C4930E7F02D7FBCF29D7CE187EB643A1E9E706B14A55687 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................;.Y.......Z.......L.......................K.......[.......^.....Rich............................PE..L....7.b... |
Icon Hash: | 9062e090c6e73144 |
Entrypoint: | 0x40600e |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | TERMINAL_SERVER_AWARE |
Time Stamp: | 0x620337B3 [Wed Feb 9 03:40:35 2022 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | 7bca87c7309353055aed194207c93e99 |
Instruction |
---|
call 00007FB8E8AE26A9h |
jmp 00007FB8E8ADCFCEh |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
mov edx, dword ptr [esp+0Ch] |
mov ecx, dword ptr [esp+04h] |
test edx, edx |
je 00007FB8E8ADD1BBh |
xor eax, eax |
mov al, byte ptr [esp+08h] |
test al, al |
jne 00007FB8E8ADD168h |
cmp edx, 00000100h |
jc 00007FB8E8ADD160h |
cmp dword ptr [0050CFACh], 00000000h |
je 00007FB8E8ADD157h |
jmp 00007FB8E8AE275Dh |
push edi |
mov edi, ecx |
cmp edx, 04h |
jc 00007FB8E8ADD183h |
neg ecx |
and ecx, 03h |
je 00007FB8E8ADD15Eh |
sub edx, ecx |
mov byte ptr [edi], al |
add edi, 01h |
sub ecx, 01h |
jne 00007FB8E8ADD148h |
mov ecx, eax |
shl eax, 08h |
add eax, ecx |
mov ecx, eax |
shl eax, 10h |
add eax, ecx |
mov ecx, edx |
and edx, 03h |
shr ecx, 02h |
je 00007FB8E8ADD158h |
rep stosd |
test edx, edx |
je 00007FB8E8ADD15Ch |
mov byte ptr [edi], al |
add edi, 01h |
sub edx, 01h |
jne 00007FB8E8ADD148h |
mov eax, dword ptr [esp+08h] |
pop edi |
ret |
mov eax, dword ptr [esp+04h] |
ret |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
push ebp |
mov ebp, esp |
push edi |
push esi |
mov esi, dword ptr [ebp+0Ch] |
mov ecx, dword ptr [ebp+10h] |
mov edi, dword ptr [ebp+08h] |
mov eax, ecx |
mov edx, ecx |
add eax, esi |
cmp edi, esi |
jbe 00007FB8E8ADD15Ah |
cmp edi, eax |
jc 00007FB8E8ADD2FAh |
cmp ecx, 00000100h |
jc 00007FB8E8ADD171h |
cmp dword ptr [0050CFACh], 00000000h |
je 00007FB8E8ADD168h |
push edi |
push esi |
and edi, 0Fh |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x16dec | 0x3c | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10d000 | 0xbcb0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1220 | 0x1c | .text |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x43a0 | 0x40 | .text |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1d4 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x16850 | 0x16a00 | False | 0.5431198204419889 | data | 6.3410785244090935 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.data | 0x18000 | 0xf4fb4 | 0xd9e00 | False | 0.9918356461560528 | data | 7.991407419226785 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x10d000 | 0xbcb0 | 0xbe00 | False | 0.38569078947368424 | data | 4.2370546659086274 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
AFX_DIALOG_LAYOUT | 0x1160a0 | 0x2 | data | ||
AFX_DIALOG_LAYOUT | 0x116098 | 0x2 | data | ||
AFX_DIALOG_LAYOUT | 0x1160a8 | 0x2 | data | ||
AFX_DIALOG_LAYOUT | 0x1160b0 | 0x2 | data | ||
AFX_DIALOG_LAYOUT | 0x1160b8 | 0x2 | data | ||
RT_CURSOR | 0x1160c0 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | ||
RT_CURSOR | 0x116208 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | ||
RT_CURSOR | 0x116338 | 0xf0 | Device independent bitmap graphic, 24 x 48 x 1, image size 0 | ||
RT_CURSOR | 0x116428 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | ||
RT_CURSOR | 0x117500 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | ||
RT_ICON | 0x10d6e0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Serbian | Italy |
RT_ICON | 0x10dda8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Serbian | Italy |
RT_ICON | 0x10e310 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Serbian | Italy |
RT_ICON | 0x10f3b8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Serbian | Italy |
RT_ICON | 0x10f860 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Serbian | Italy |
RT_ICON | 0x110708 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Serbian | Italy |
RT_ICON | 0x110fb0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Serbian | Italy |
RT_ICON | 0x111678 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Serbian | Italy |
RT_ICON | 0x111be0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Serbian | Italy |
RT_ICON | 0x114188 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Serbian | Italy |
RT_ICON | 0x115230 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Serbian | Italy |
RT_ICON | 0x115bb8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Serbian | Italy |
RT_STRING | 0x117f18 | 0xea | data | Serbian | Italy |
RT_STRING | 0x118008 | 0x348 | data | Serbian | Italy |
RT_STRING | 0x118350 | 0x682 | data | Serbian | Italy |
RT_STRING | 0x1189d8 | 0x2d8 | data | Serbian | Italy |
RT_GROUP_CURSOR | 0x1161f0 | 0x14 | data | ||
RT_GROUP_CURSOR | 0x117da8 | 0x14 | data | ||
RT_GROUP_CURSOR | 0x1174d0 | 0x30 | data | ||
RT_GROUP_ICON | 0x116020 | 0x76 | data | Serbian | Italy |
RT_GROUP_ICON | 0x10f820 | 0x3e | data | Serbian | Italy |
RT_VERSION | 0x117dc0 | 0x154 | Encore not stripped - version 79 |
DLL | Import |
---|---|
KERNEL32.dll | GetConsoleAliasW, GetModuleHandleW, CreateDirectoryExW, ReadConsoleInputW, GetTempPathW, GetSystemDirectoryW, RemoveDirectoryW, OutputDebugStringA, GetProcAddress, LocalAlloc, GetBinaryTypeA, SearchPathA, VerifyVersionInfoA, SetProcessPriorityBoost, EndUpdateResourceA, FindNextFileW, FindFirstVolumeA, LocalShrink, GlobalFlags, _llseek, UpdateResourceA, CreateActCtxW, CopyFileW, AddConsoleAliasW, CreateMutexA, GetCurrentActCtx, GetDiskFreeSpaceA, MoveFileW, GetLogicalDriveStringsA, SetEvent, MoveFileExA, CreateMailslotA, WriteConsoleInputA, TerminateThread, GetCurrentProcess, RtlCaptureContext, InterlockedCompareExchange, GetFileTime, lstrcatA, FindFirstFileW, FreeEnvironmentStringsA, SetErrorMode, InterlockedExchangeAdd, MoveFileWithProgressA, GetTickCount, SetLastError, GetPrivateProfileStructW, VerSetConditionMask, LoadLibraryA, GetLastError, DeleteFileA, GetStartupInfoW, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetModuleHandleA, HeapFree, HeapAlloc, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, Sleep, ExitProcess, WriteFile, GetModuleFileNameA, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, InterlockedDecrement, HeapCreate, VirtualFree, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, RaiseException, VirtualAlloc, HeapReAlloc, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, InitializeCriticalSectionAndSpinCount, RtlUnwind, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, FlushFileBuffers, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, ReadFile, HeapSize, CloseHandle, CreateFileA |
GDI32.dll | SetBrushOrgEx |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Serbian | Italy |
Target ID: | 0 |
Start time: | 08:42:57 |
Start date: | 05/01/2023 |
Path: | C:\Users\user\Desktop\LwNdQo4zIk.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 1034752 bytes |
MD5 hash: | 3CCD6B369EB1DDE57D181E7550BD7268 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Target ID: | 1 |
Start time: | 08:43:03 |
Start date: | 05/01/2023 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1020000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 3 |
Start time: | 08:43:07 |
Start date: | 05/01/2023 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xc90000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Execution Graph
Execution Coverage: | 1% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 21.7% |
Total number of Nodes: | 23 |
Total number of Limit Nodes: | 2 |
Graph
Function 004A7759 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 259, Tags: encryption, COMMON
Control-flow Graph
APIs
Strings
Memory Dump Source
Joe Sandbox IDA Plugin
Similarity
Uniqueness Score: -1.00%
Function 004AB9D1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 79, Tags: encryption, COMMON
Control-flow Graph
APIs
Strings
Memory Dump Source
Joe Sandbox IDA Plugin
Similarity
Uniqueness Score: -1.00%
Function 004EC46C Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 98, Tags: process, COMMON
Control-flow Graph
APIs
Strings
Memory Dump Source
Joe Sandbox IDA Plugin
Similarity
Uniqueness Score: -1.00%
Function 0046FE63 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 90, Tags: library, COMMON
Control-flow Graph
APIs
Strings
Memory Dump Source
Joe Sandbox IDA Plugin
Similarity
Uniqueness Score: -1.00%
Function 0046F519 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 81, Tags: library, COMMON
Control-flow Graph
APIs
Strings
Memory Dump Source
Joe Sandbox IDA Plugin
Similarity
Uniqueness Score: -1.00%
Function 004C978E Relevance: 1.5, APIs: 1, Instructions: 6, Tags: COMMON
APIs
Memory Dump Source
Joe Sandbox IDA Plugin
Similarity
Uniqueness Score: -1.00%
Function 004A6D6C Relevance: 1.3, APIs: 1, Instructions: 21, Tags: COMMON
APIs
Memory Dump Source
Joe Sandbox IDA Plugin
Similarity
Uniqueness Score: -1.00%
Function 004FA970 Relevance: 1.3, APIs: 1, Instructions: 8, Tags: COMMON
APIs
Memory Dump Source
Joe Sandbox IDA Plugin
Similarity
Uniqueness Score: -1.00%
Function 004A067F Relevance: 24.4, Strings: 19, Instructions: 654, Tags: COMMON
Strings
Memory Dump Source
Joe Sandbox IDA Plugin
Similarity
Uniqueness Score: -1.00%
Function 004DE3A7 Relevance: 23.1, Strings: 18, Instructions: 612, Tags: COMMON
Strings
Memory Dump Source
Joe Sandbox IDA Plugin
Similarity
Uniqueness Score: -1.00%
Function 004B4115 Relevance: 22.1, Strings: 17, Instructions: 851, Tags: COMMON
Strings
Memory Dump Source
Joe Sandbox IDA Plugin
Similarity
Uniqueness Score: -1.00%
Function 004AB2C2 Relevance: 12.8, Strings: 10, Instructions: 320, Tags: COMMON
Strings
Memory Dump Source
Joe Sandbox IDA Plugin
Similarity
Uniqueness Score: -1.00%
Function 004B035E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62, Tags: encryption, COMMON
APIs
Strings
Memory Dump Source
Joe Sandbox IDA Plugin
Similarity
Uniqueness Score: -1.00%
Function 004A5B70 Relevance: 5.1, Strings: 4, Instructions: 136, Tags: COMMON
Strings
Memory Dump Source
Joe Sandbox IDA Plugin
Similarity
Uniqueness Score: -1.00%
Function 004AFA91 Relevance: 3.9, Strings: 3, Instructions: 114, Tags: COMMON
Strings
Memory Dump Source
Joe Sandbox IDA Plugin
Similarity
Uniqueness Score: -1.00%
Function 004B7085 Relevance: 3.9, Strings: 3, Instructions: 111, Tags: COMMON
Strings
Memory Dump Source
Joe Sandbox IDA Plugin
Similarity
Uniqueness Score: -1.00%
Function 004AEB1B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 110, Tags: encryption, COMMON
APIs
Strings
Memory Dump Source
Joe Sandbox IDA Plugin
Similarity
Uniqueness Score: -1.00%
Function 004B01AF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50, Tags: encryption, COMMON
APIs
Strings
Memory Dump Source
Joe Sandbox IDA Plugin
Similarity
Uniqueness Score: -1.00%
Function 004B1333 Relevance: 2.5, Strings: 2, Instructions: 49, Tags: COMMON
Strings
Memory Dump Source
Joe Sandbox IDA Plugin
Similarity
Uniqueness Score: -1.00%
Function 004ADA35 Relevance: 1.5, APIs: 1, Instructions: 9, Tags: time, COMMON
APIs
Memory Dump Source
Joe Sandbox IDA Plugin
Similarity
Uniqueness Score: -1.00%
Function 004FA0B0 Relevance: 0.5, Instructions: 515, Tags: COMMON
Memory Dump Source
Joe Sandbox IDA Plugin
Similarity
Uniqueness Score: -1.00%
Function 004BA67F Relevance: 0.0, Instructions: 29, Tags: COMMON
Memory Dump Source
Joe Sandbox IDA Plugin
Similarity
Uniqueness Score: -1.00%
Function 004BA75C Relevance: 0.0, Instructions: 16, Tags: COMMON
Memory Dump Source
Joe Sandbox IDA Plugin
Similarity
Uniqueness Score: -1.00%
Function 004BA7D8 Relevance: 0.0, Instructions: 15, Tags: COMMON
Memory Dump Source
Joe Sandbox IDA Plugin
Similarity
Uniqueness Score: -1.00%
Function 004C2A13 Relevance: 0.0, Instructions: 10, Tags: COMMON
Memory Dump Source
Joe Sandbox IDA Plugin
Similarity
Uniqueness Score: -1.00%
Function 004BA80E Relevance: 0.0, Instructions: 6, Tags: COMMON
Memory Dump Source
Joe Sandbox IDA Plugin
Similarity
Uniqueness Score: -1.00%
Function 004EC93E Relevance: 24.8, APIs: 1, Strings: 13, Instructions: 265fileCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00492F36 Relevance: 23.1, APIs: 1, Strings: 12, Instructions: 354libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0049974A Relevance: 19.5, APIs: 1, Strings: 10, Instructions: 234libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00486F48 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 133libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00473115 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 200libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004903D6 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 197libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0049867D Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 151libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004CD000 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 202networkCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004B972C Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 200libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00496469 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 196libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00476352 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 165libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0046C96E Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 144libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0049CB8D Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 142libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00488A4B Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 133libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00475E7F Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 130libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00498E2D Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 170libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00482FD0 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 132libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0047BF59 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 96libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0047AD6D Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 125libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004950EA Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 108libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004C7683 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 93windowCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00485E5B Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 88libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0048A63F Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 165libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0047D746 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 135libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004C45D3 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 127registryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004B3F6D Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 109memoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00494069 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 105libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004BD943 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 90processCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0047A4F6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 78libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph
Execution Coverage: | 0.7% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 0% |
Total number of Nodes: | 17 |
Total number of Limit Nodes: | 0 |
Uniqueness Score: -1.00% is reported for every function listed below.

Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
6D4E89AE | 23.1 | 1 | 12 | 361 | library, COMMON |
6D4EA423 | 12.4 | 1 | 6 | 172 | library, COMMON |
6D52C036 | 1.3 | 1 | - | 21 | COMMON |
6D4E658E | 17.9 | 1 | 9 | 372 | library, COMMON |
6D4F0621 | 17.8 | 1 | 9 | 291 | library, loader, COMMON |
6D4F656E | 16.0 | 1 | 8 | 226 | library, loader, COMMON |
6D4FBD3A | 14.4 | 1 | 7 | 365 | library, loader, COMMON |
6D4F24D5 | 14.2 | 1 | 7 | 155 | library, loader, COMMON |
6D500E0F | 12.5 | 1 | 6 | 224 | library, loader, COMMON |
6D50928C | 12.3 | 1 | 6 | 79 | library, loader, COMMON |
6D4ED63A | 10.7 | 1 | 5 | 226 | library, loader, COMMON |
6D4FCABA | 10.7 | 1 | 5 | 201 | library, loader, COMMON |
6D4F7A96 | 10.7 | 1 | 5 | 183 | library, loader, COMMON |
6D5015DF | 10.7 | 1 | 5 | 174 | library, loader, COMMON |
6D4E83ED | 9.0 | 1 | 4 | 299 | library, COMMON |
6D4E437D | 9.0 | 1 | 4 | 232 | library, loader, COMMON |
6D4E94ED | 8.9 | 1 | 4 | 182 | library, loader, COMMON |
6D4F4563 | 7.1 | 1 | 3 | 74 | library, loader, COMMON |
6D4F9B93 | 5.4 | 1 | 2 | 144 | library, loader, COMMON |
6D4F2EF8 | 5.3 | 1 | 2 | 77 | library, loader, COMMON |
6D4F1889 | 5.3 | 1 | 2 | 69 | library, loader, COMMON |