Windows
Analysis Report
01885599.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- 01885599.exe (PID: 6936 cmdline: C:\Users\user\Desktop\01885599.exe MD5: A29C587C678826F4A44CF6A2A78599F1)
- 01885599.exe (PID: 6956 cmdline: C:\Users\user\Desktop\01885599.exe MD5: A29C587C678826F4A44CF6A2A78599F1)
- explorer.exe (PID: 3528 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
- vbjjhwi (PID: 6476 cmdline: C:\Users\user\AppData\Roaming\vbjjhwi MD5: A29C587C678826F4A44CF6A2A78599F1)
- vbjjhwi (PID: 6468 cmdline: C:\Users\user\AppData\Roaming\vbjjhwi MD5: A29C587C678826F4A44CF6A2A78599F1)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
SmokeLoader | The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body. | | | |
{"Version": 2020, "C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | |
| JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
| Windows_Trojan_Smokeloader_4e31426e | unknown | unknown | |
| JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
| Windows_Trojan_Smokeloader_4e31426e | unknown | unknown | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
| JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
| JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
| JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | Virustotal: | Perma Link |
Source: | URL Reputation: |
Source: | Virustotal: | Perma Link |
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: |
Source: | Virustotal: | Perma Link |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Code function: | 0_2_00403870 |
Networking |
---|
Source: | Domain query: |
Source: | Domain query: |
Source: | Network Connect: |
Source: | URLs: |
Source: | URLs: |
Source: | ASN Name: |
Source: | IP Address: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Key, Mouse, Clipboard, Microphone and Screen Capturing |
---|
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | Binary or memory string: |
System Summary |
---|
Source: | Matched rule: |
Source: | Matched rule: |
Source: | Matched rule: |
Source: | Matched rule: |
Source: | Matched rule: |
Source: | Matched rule: |
Source: | Static PE information: |
Source: | Matched rule: |
Source: | Matched rule: |
Source: | Matched rule: |
Source: | Matched rule: |
Source: | Matched rule: |
Source: | Matched rule: |
Source: | Code function: | 0_2_004118DE |
Source: | Code function: | 0_2_0040A4AA |
Source: | Code function: | 0_2_0041251A |
Source: | Code function: | 0_2_004132E1 |
Source: | Code function: | 0_2_0041139A |
Source: | Code function: |
Source: | Code function: | 0_2_007F0110 |
Source: | Code function: | 1_2_0040180C |
Source: | Code function: | 1_2_00401818 |
Source: | Code function: | 1_2_00401822 |
Source: | Code function: | 1_2_00401826 |
Source: | Code function: | 1_2_00401834 |
Source: | Code function: | 5_2_00820110 |
Source: | Code function: | 6_2_0040180C |
Source: | Code function: | 6_2_00401818 |
Source: | Code function: | 6_2_00401822 |
Source: | Code function: | 6_2_00401826 |
Source: | Code function: | 6_2_00401834 |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Virustotal: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | Key value queried: |
Source: | File created: |
Source: | Classification label: |
Source: | Command line argument: | 0_2_00403FE0 |
Source: | Command line argument: | 0_2_00403FE0 |
Source: | Command line argument: | 0_2_00403FE0 |
Source: | Command line argument: | 0_2_00403FE0 |
Source: | Command line argument: | 0_2_00403FE0 |
Source: | Command line argument: | 0_2_00403FE0 |
Source: | File read: |
Source: | File read: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Binary string: |
Data Obfuscation |
---|
Source: | Unpacked PE file: |
Source: | Unpacked PE file: |
Source: | Code function: | 0_2_0040745C |
Source: | Code function: | 0_2_00403771 |
Source: | Code function: | 0_2_007F19B7 |
Source: | Code function: | 0_2_007F19B7 |
Source: | Code function: | 0_2_007F19B7 |
Source: | Code function: | 1_2_00401217 |
Source: | Code function: | 1_2_00401217 |
Source: | Code function: | 1_2_00401217 |
Source: | Code function: | 5_2_008219B7 |
Source: | Code function: | 5_2_008219B7 |
Source: | Code function: | 5_2_008219B7 |
Source: | Code function: | 6_2_00401217 |
Source: | Code function: | 6_2_00401217 |
Source: | Code function: | 6_2_00401217 |
Source: | Code function: | 0_2_0040D6B0 |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | File created: |
Source: | File created: |
Hooking and other Techniques for Hiding and Protection |
---|
Source: | File deleted: |
Source: | File opened: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Malware Analysis System Evasion |
---|
Source: | Binary or memory string: |
Source: | Key enumerated: |
Source: | Key enumerated: |
Source: | Key enumerated: |
Source: | Key enumerated: |
Source: | Key enumerated: |
Source: | Key enumerated: |
Source: | Key enumerated: |
Source: | Key enumerated: |
Source: | Key enumerated: |
Source: | Key enumerated: |
Source: | Key enumerated: |
Source: | Key enumerated: |
Source: | Thread sleep count: |
Source: | Thread sleep count: |
Source: | Thread sleep time: |
Source: | Thread sleep count: |
Source: | Thread sleep time: |
Source: | Thread sleep count: |
Source: | Thread sleep count: |
Source: | Thread sleep count: |
Source: | Last function: |
Source: | Last function: |
Source: | Window / User API: |
Source: | Window / User API: |
Source: | Window / User API: |
Source: | Window / User API: |
Source: | Process information queried: |
Source: | Code function: | 0_2_00403870 |
Source: | System information queried: |
Source: | Binary or memory string: |
Source: | Binary or memory string: |
Source: | Binary or memory string: |
Source: | Binary or memory string: |
Source: | Binary or memory string: |
Source: | Binary or memory string: |
Source: | Binary or memory string: |
Anti Debugging |
---|
Source: | System information queried: |
Source: | System information queried: |
Source: | Code function: | 0_2_0040533B |
Source: | Code function: | 0_2_0040D6B0 |
Source: | Code function: | 0_2_007F0042 |
Source: | Code function: | 5_2_00820042 |
Source: | Process queried: |
Source: | Process queried: |
Source: | Code function: | 0_2_004084CF |
Source: | Code function: | 0_2_0040D9F8 |
Source: | Code function: | 0_2_0040533B |
Source: | Code function: | 0_2_004063C4 |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | File created: |
Source: | Domain query: |
Source: | Domain query: |
Source: | Network Connect: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Memory written: |
Source: | Memory written: |
Source: | Code function: | 0_2_007F0110 |
Source: | Thread created: |
Source: | Thread created: |
Source: | Process created: |
Source: | Process created: |
Source: | Binary or memory string: |
Source: | Binary or memory string: |
Source: | Binary or memory string: |
Source: | Binary or memory string: |
Source: | Binary or memory string: |
Source: | Code function: | 0_2_00410F37 |
Source: | Code function: | 0_2_0040963C |
Source: | Code function: | 0_2_00403870 |
Stealing of Sensitive Information |
---|
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 512 Process Injection | 11 Masquerading | 1 Input Capture | 1 System Time Discovery | Remote Services | 1 Input Capture | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 12 Virtualization/Sandbox Evasion | LSASS Memory | 421 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 2 Non-Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | 1 Exploitation for Client Execution | Logon Script (Windows) | Logon Script (Windows) | 512 Process Injection | Security Account Manager | 12 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 112 Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Deobfuscate/Decode Files or Information | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Hidden Files and Directories | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 Remote System Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 14 System Information Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 1 File Deletion | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 37% | Virustotal | | Browse |
| 100% | Joe Sandbox ML | | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 100% | Joe Sandbox ML | | |
| 41% | ReversingLabs | | |
| 37% | Virustotal | | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 22% | Virustotal | | Browse |
| 19% | Virustotal | | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 100% | URL Reputation | malware | |
| 0% | URL Reputation | safe | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
host-file-host6.com | 194.50.153.68 | true | true | | unknown |
host-host-file8.com | unknown | unknown | true | | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
| true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
194.50.153.68 | host-file-host6.com | United Kingdom | | 198526 | GAZ-IS-ASRU | true |
Joe Sandbox Version: | 37.1.0 Beryl |
Analysis ID: | 876999 |
Start date and time: | 2023-05-28 10:42:06 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 7m 33s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 6 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 1 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample file name: | 01885599.exe |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@6/3@4/1 |
EGA Information: | Failed |
HDC Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): audiodg.exe, WMIADAP.exe
- Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
- Report size getting too big, too many NtEnumerateKey calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
10:43:38 | API Interceptor | |
10:43:39 | Task Scheduler | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
194.50.153.68 | | Get hash | malicious | SmokeLoader | Browse | |
| | | Get hash | malicious | SmokeLoader | Browse | |
| | | Get hash | malicious | SmokeLoader | Browse | |
| | | Get hash | malicious | SmokeLoader | Browse | |
| | | Get hash | malicious | SmokeLoader | Browse | |
| | | Get hash | malicious | SmokeLoader | Browse | |
| | | Get hash | malicious | SmokeLoader | Browse | |
| | | Get hash | malicious | SmokeLoader | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
host-file-host6.com | | Get hash | malicious | SmokeLoader | Browse | |
| | | Get hash | malicious | SmokeLoader | Browse | |
| | | Get hash | malicious | SmokeLoader | Browse | |
| | | Get hash | malicious | SmokeLoader | Browse | |
| | | Get hash | malicious | SmokeLoader | Browse | |
| | | Get hash | malicious | SmokeLoader | Browse | |
| | | Get hash | malicious | SmokeLoader | Browse | |
| | | Get hash | malicious | SmokeLoader | Browse | |
| | | Get hash | malicious | SmokeLoader | Browse | |
| | | Get hash | malicious | SmokeLoader | Browse | |
| | | Get hash | malicious | SmokeLoader | Browse | |
| | | Get hash | malicious | SmokeLoader | Browse | |
| | | Get hash | malicious | SmokeLoader | Browse | |
| | | Get hash | malicious | SmokeLoader | Browse | |
| | | Get hash | malicious | SmokeLoader | Browse | |
| | | Get hash | malicious | SmokeLoader | Browse | |
| | | Get hash | malicious | SmokeLoader | Browse | |
| | | Get hash | malicious | Unknown | Browse | |
| | | Get hash | malicious | SmokeLoader | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
GAZ-IS-ASRU | | Get hash | malicious | SmokeLoader | Browse | |
| | | Get hash | malicious | SmokeLoader | Browse | |
| | | Get hash | malicious | SmokeLoader | Browse | |
| | | Get hash | malicious | SmokeLoader | Browse | |
| | | Get hash | malicious | SmokeLoader | Browse | |
| | | Get hash | malicious | SmokeLoader | Browse | |
| | | Get hash | malicious | SmokeLoader | Browse | |
| | | Get hash | malicious | SmokeLoader | Browse | |
| | | Get hash | malicious | Unknown | Browse | |
| | | Get hash | malicious | Unknown | Browse | |
| | | Get hash | malicious | LummaC Stealer, SmokeLoader | Browse | |
| | | Get hash | malicious | Amadey, Djvu, Fabookie, SmokeLoader | Browse | |
| | | Get hash | malicious | Amadey, Babuk, Djvu, Fabookie, SmokeLoader | Browse | |
| | | Get hash | malicious | Amadey, Babuk, Djvu, Fabookie, SmokeLoader | Browse | |
| | | Get hash | malicious | Unknown | Browse | |
| | | Get hash | malicious | Unknown | Browse | |
| | | Get hash | malicious | SmokeLoader | Browse | |
| | | Get hash | malicious | Amadey, Babuk, Clipboard Hijacker, Djvu, Fabookie, SmokeLoader, Vidar | Browse | |
| | | Get hash | malicious | Amadey, Djvu, Fabookie, SmokeLoader | Browse | |
| | | Get hash | malicious | Unknown | Browse | |
Process: | C:\Windows\explorer.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 985 |
Entropy (8bit): | 5.225141189452099 |
Encrypted: | false |
SSDEEP: | 24:YqHZ6T06MhmimH6CUXyhm/mYbNdB6hmUmYz0JahmDmYbxdB6hm1mY7KTdB6hmuXA:YqHZ6T06McLHDUXyceYbNdUcZYz0Jack |
MD5: | 094FB5672ED4D4990DF33BE15CE2CB40 |
SHA1: | 2BF77D89C6637F478893D63DFC809808C835A839 |
SHA-256: | 19FEE75854625F0D51FE350049FE33EB16CB40E728C9BAADB232CA3E449DECA3 |
SHA-512: | A542CF7E0BE301B8BB2E369B0750D0C93941E02D044BFA840A28FBBEDD3F3EAF2D4E0F01ED0B3F836C916D0F0B79EEDD084DBE941A6424947C4EFE87AF38B304 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Windows\explorer.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 290304 |
Entropy (8bit): | 6.587235509794249 |
Encrypted: | false |
SSDEEP: | 3072:X6JOiohJ19MbvuzdRE45nLtn5gFTti91:yOiY9T10FTti |
MD5: | A29C587C678826F4A44CF6A2A78599F1 |
SHA1: | 92EA36730FA1F19300A27EBBB4D1359E7B8A16DE |
SHA-256: | B3FBCFD775B7C9BFC5B58F5DF13EB8FBEB4844D98756F8FCA41B63F060AE5132 |
SHA-512: | 72CB4A67885C7E2167F98365F209FB0F757FB978ACBB55099D5A8B768DDE4158071DF3BD6D6CD808255A45FFE24040D86715A673EAEB386B1412918B2C65DDED |
Malicious: | true |
Antivirus: | |
Reputation: | low |
Preview: |
Process: | C:\Windows\explorer.exe |
File Type: | |
Category: | modified |
Size (bytes): | 26 |
Entropy (8bit): | 3.95006375643621 |
Encrypted: | false |
SSDEEP: | 3:ggPYV:rPYV |
MD5: | 187F488E27DB4AF347237FE461A079AD |
SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
Malicious: | true |
Reputation: | high, very likely benign file |
Preview: |
File type: | |
Entropy (8bit): | 6.587235509794249 |
TrID: | |
File name: | 01885599.exe |
File size: | 290304 |
MD5: | a29c587c678826f4a44cf6a2a78599f1 |
SHA1: | 92ea36730fa1f19300a27ebbb4d1359e7b8a16de |
SHA256: | b3fbcfd775b7c9bfc5b58f5df13eb8fbeb4844d98756f8fca41b63f060ae5132 |
SHA512: | 72cb4a67885c7e2167f98365f209fb0f757fb978acbb55099d5a8b768dde4158071df3bd6d6cd808255a45ffe24040d86715a673eaeb386b1412918b2c65dded |
SSDEEP: | 3072:X6JOiohJ19MbvuzdRE45nLtn5gFTti91:yOiY9T10FTti |
TLSH: | F154185382A13C55EA668B768E1FC6F8761EB6718F5D3769321CBA1F08B00B2D173B11 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&...b...b...b...|.......|.......|...H...EX..k...b.......|...c...|...c...|...c...Richb...................PE..L.... Ib........... |
Icon Hash: | 554541494945691d |
Entrypoint: | 0x404e59 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x62492001 [Sun Apr 3 04:18:09 2022 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | 2d9ed3462f8a74bfd1231e2e9de56b43 |
Instruction |
---|
call 00007F66CCCE3613h |
jmp 00007F66CCCDECADh |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
mov ecx, dword ptr [esp+04h] |
test ecx, 00000003h |
je 00007F66CCCDEE56h |
mov al, byte ptr [ecx] |
add ecx, 01h |
test al, al |
je 00007F66CCCDEE80h |
test ecx, 00000003h |
jne 00007F66CCCDEE21h |
add eax, 00000000h |
lea esp, dword ptr [esp+00000000h] |
lea esp, dword ptr [esp+00000000h] |
mov eax, dword ptr [ecx] |
mov edx, 7EFEFEFFh |
add edx, eax |
xor eax, FFFFFFFFh |
xor eax, edx |
add ecx, 04h |
test eax, 81010100h |
je 00007F66CCCDEE1Ah |
mov eax, dword ptr [ecx-04h] |
test al, al |
je 00007F66CCCDEE64h |
test ah, ah |
je 00007F66CCCDEE56h |
test eax, 00FF0000h |
je 00007F66CCCDEE45h |
test eax, FF000000h |
je 00007F66CCCDEE34h |
jmp 00007F66CCCDEDFFh |
lea eax, dword ptr [ecx-01h] |
mov ecx, dword ptr [esp+04h] |
sub eax, ecx |
ret |
lea eax, dword ptr [ecx-02h] |
mov ecx, dword ptr [esp+04h] |
sub eax, ecx |
ret |
lea eax, dword ptr [ecx-03h] |
mov ecx, dword ptr [esp+04h] |
sub eax, ecx |
ret |
lea eax, dword ptr [ecx-04h] |
mov ecx, dword ptr [esp+04h] |
sub eax, ecx |
ret |
mov edi, edi |
push ebp |
mov ebp, esp |
sub esp, 20h |
mov eax, dword ptr [ebp+08h] |
push esi |
push edi |
push 00000008h |
pop ecx |
mov esi, 004012D8h |
lea edi, dword ptr [ebp-20h] |
rep movsd |
mov dword ptr [ebp-08h], eax |
mov eax, dword ptr [ebp+0Ch] |
pop edi |
mov dword ptr [ebp-04h], eax |
pop esi |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x287f8 | 0x64 | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x270000 | 0x19398 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x28a000 | 0xddc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1220 | 0x1c | .text |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3150 | 0x40 | .text |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1d4 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x282ba | 0x28400 | False | 0.7868788819875776 | data | 7.581715328183715 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.data | 0x2a000 | 0x245844 | 0x1e00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x270000 | 0x19398 | 0x19400 | False | 0.37933168316831684 | data | 4.266178948669026 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x28a000 | 0x3338 | 0x3400 | False | 0.22581129807692307 | data | 2.522522475741166 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x270730 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | ||
RT_ICON | 0x2715d8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | ||
RT_ICON | 0x271e80 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | ||
RT_ICON | 0x274428 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | ||
RT_ICON | 0x2754d0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | ||
RT_ICON | 0x275988 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | ||
RT_ICON | 0x276830 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | ||
RT_ICON | 0x2770d8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | ||
RT_ICON | 0x277640 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | ||
RT_ICON | 0x279be8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | ||
RT_ICON | 0x27ac90 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | ||
RT_ICON | 0x27b618 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | ||
RT_ICON | 0x27bae8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | ||
RT_ICON | 0x27c990 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | ||
RT_ICON | 0x27d238 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | ||
RT_ICON | 0x27d900 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | ||
RT_ICON | 0x27de68 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | ||
RT_ICON | 0x280410 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | ||
RT_ICON | 0x2814b8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | ||
RT_ICON | 0x281988 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | ||
RT_ICON | 0x282830 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | ||
RT_ICON | 0x2830d8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | ||
RT_ICON | 0x283640 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | ||
RT_ICON | 0x285be8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | ||
RT_ICON | 0x286c90 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | ||
RT_ICON | 0x287618 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | ||
RT_STRING | 0x287d20 | 0x664 | data | ||
RT_STRING | 0x288388 | 0x59e | data | ||
RT_STRING | 0x288928 | 0x29a | data | ||
RT_STRING | 0x288bc8 | 0x248 | data | ||
RT_STRING | 0x288e10 | 0x582 | data | ||
RT_GROUP_ICON | 0x287a80 | 0x68 | data | ||
RT_GROUP_ICON | 0x275938 | 0x4c | data | ||
RT_GROUP_ICON | 0x281920 | 0x68 | data | ||
RT_GROUP_ICON | 0x27ba80 | 0x68 | data | ||
RT_VERSION | 0x287ae8 | 0x238 | data |
DLL | Import |
---|---|
KERNEL32.dll | GetModuleHandleW, IsBadReadPtr, GetConsoleAliasesLengthA, WaitForMultipleObjectsEx, GetPrivateProfileIntA, FreeConsole, GetVersionExW, WritePrivateProfileStructW, MulDiv, GetModuleFileNameW, CreateActCtxA, WritePrivateProfileStringW, ReplaceFileA, GetStringTypeExA, GetStdHandle, GetLogicalDriveStringsA, OpenMutexW, GetLastError, ReadConsoleOutputCharacterA, GetProcAddress, AttachConsole, SleepEx, VirtualAlloc, _hwrite, LoadLibraryA, InterlockedExchangeAdd, LocalAlloc, GetFileType, CreateFileMappingW, FindFirstVolumeMountPointW, GetNumberFormatW, CreateEventW, GetModuleFileNameA, lstrcmpiW, GetModuleHandleA, CreateMutexA, GetFileAttributesExW, GetConsoleCursorInfo, ScrollConsoleScreenBufferA, GetCurrentThreadId, FindAtomW, EnumResourceLanguagesW, DebugBreak, FindNextVolumeA, AddConsoleAliasW, CancelWaitableTimer, GetCommState, WaitForSingleObject, GetLongPathNameA, GetCommandLineA, GetStartupInfoA, RaiseException, RtlUnwind, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, HeapFree, WideCharToMultiByte, SetHandleCount, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, Sleep, ExitProcess, WriteFile, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, InterlockedDecrement, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapReAlloc, SetFilePointer, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, InitializeCriticalSectionAndSpinCount, HeapSize, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, FlushFileBuffers, CreateFileA, CloseHandle |
USER32.dll | CharLowerBuffA |
GDI32.dll | GetCharWidthW, EnumFontsW, GetCharABCWidthsFloatW |
ADVAPI32.dll | MapGenericMask |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
May 28, 2023 10:43:38.398670912 CEST | 49684 | 80 | 192.168.2.4 | 194.50.153.68 |
May 28, 2023 10:43:38.423293114 CEST | 80 | 49684 | 194.50.153.68 | 192.168.2.4 |
May 28, 2023 10:43:38.423527002 CEST | 49684 | 80 | 192.168.2.4 | 194.50.153.68 |
May 28, 2023 10:43:38.424354076 CEST | 49684 | 80 | 192.168.2.4 | 194.50.153.68 |
May 28, 2023 10:43:38.424403906 CEST | 49684 | 80 | 192.168.2.4 | 194.50.153.68 |
May 28, 2023 10:43:38.448726892 CEST | 80 | 49684 | 194.50.153.68 | 192.168.2.4 |
May 28, 2023 10:43:38.449038982 CEST | 80 | 49684 | 194.50.153.68 | 192.168.2.4 |
May 28, 2023 10:43:38.546303988 CEST | 80 | 49684 | 194.50.153.68 | 192.168.2.4 |
May 28, 2023 10:43:38.546607018 CEST | 49684 | 80 | 192.168.2.4 | 194.50.153.68 |
May 28, 2023 10:43:38.547754049 CEST | 49684 | 80 | 192.168.2.4 | 194.50.153.68 |
May 28, 2023 10:43:38.572189093 CEST | 80 | 49684 | 194.50.153.68 | 192.168.2.4 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
May 28, 2023 10:43:38.250626087 CEST | 57417 | 53 | 192.168.2.4 | 8.8.8.8 |
May 28, 2023 10:43:38.373370886 CEST | 53 | 57417 | 8.8.8.8 | 192.168.2.4 |
May 28, 2023 10:43:38.559854984 CEST | 50982 | 53 | 192.168.2.4 | 8.8.8.8 |
May 28, 2023 10:43:39.579572916 CEST | 50982 | 53 | 192.168.2.4 | 8.8.8.8 |
May 28, 2023 10:43:40.626518011 CEST | 50982 | 53 | 192.168.2.4 | 8.8.8.8 |
May 28, 2023 10:43:42.625973940 CEST | 53 | 50982 | 8.8.8.8 | 192.168.2.4 |
May 28, 2023 10:43:43.618988991 CEST | 53 | 50982 | 8.8.8.8 | 192.168.2.4 |
May 28, 2023 10:43:44.670767069 CEST | 53 | 50982 | 8.8.8.8 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Checksum | Code | Type |
---|---|---|---|---|---|
May 28, 2023 10:43:43.619714975 CEST | 192.168.2.4 | 8.8.8.8 | cff7 | (Port unreachable) | Destination Unreachable |
May 28, 2023 10:43:44.673737049 CEST | 192.168.2.4 | 8.8.8.8 | cff7 | (Port unreachable) | Destination Unreachable |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
May 28, 2023 10:43:38.250626087 CEST | 192.168.2.4 | 8.8.8.8 | 0x1116 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
May 28, 2023 10:43:38.559854984 CEST | 192.168.2.4 | 8.8.8.8 | 0x1637 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
May 28, 2023 10:43:39.579572916 CEST | 192.168.2.4 | 8.8.8.8 | 0x1637 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
May 28, 2023 10:43:40.626518011 CEST | 192.168.2.4 | 8.8.8.8 | 0x1637 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
May 28, 2023 10:43:38.373370886 CEST | 8.8.8.8 | 192.168.2.4 | 0x1116 | No error (0) | | | 194.50.153.68 | A (IP address) | IN (0x0001) | false |
May 28, 2023 10:43:42.625973940 CEST | 8.8.8.8 | 192.168.2.4 | 0x1637 | Server failure (2) | | none | none | A (IP address) | IN (0x0001) | false |
May 28, 2023 10:43:43.618988991 CEST | 8.8.8.8 | 192.168.2.4 | 0x1637 | Server failure (2) | | none | none | A (IP address) | IN (0x0001) | false |
May 28, 2023 10:43:44.670767069 CEST | 8.8.8.8 | 192.168.2.4 | 0x1637 | Server failure (2) | | none | none | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.4 | 49684 | 194.50.153.68 | 80 | C:\Windows\explorer.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
May 28, 2023 10:43:38.424354076 CEST | 0 | OUT | |
May 28, 2023 10:43:38.424403906 CEST | 0 | OUT | |
May 28, 2023 10:43:38.546303988 CEST | 1 | IN | |
Target ID: | 0 |
Start time: | 10:42:57 |
Start date: | 28/05/2023 |
Path: | C:\Users\user\Desktop\01885599.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 290304 bytes |
MD5 hash: | A29C587C678826F4A44CF6A2A78599F1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
Reputation: | low |
Target ID: | 1 |
Start time: | 10:42:57 |
Start date: | 28/05/2023 |
Path: | C:\Users\user\Desktop\01885599.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 290304 bytes |
MD5 hash: | A29C587C678826F4A44CF6A2A78599F1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
Reputation: | low |
Target ID: | 3 |
Start time: | 10:43:02 |
Start date: | 28/05/2023 |
Path: | C:\Windows\explorer.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff618f60000 |
File size: | 3933184 bytes |
MD5 hash: | AD5296B280E8F522A8A897C96BAB0E1D |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 5 |
Start time: | 10:43:39 |
Start date: | 28/05/2023 |
Path: | C:\Users\user\AppData\Roaming\vbjjhwi |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 290304 bytes |
MD5 hash: | A29C587C678826F4A44CF6A2A78599F1 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Yara matches: |
Antivirus matches: |
Reputation: | low |
Target ID: | 6 |
Start time: | 10:43:40 |
Start date: | 28/05/2023 |
Path: | C:\Users\user\AppData\Roaming\vbjjhwi |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 290304 bytes |
MD5 hash: | A29C587C678826F4A44CF6A2A78599F1 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Yara matches: |
Reputation: | low |
Function 007F0110 | Relevance: 22.7 | APIs: 15 | Instructions: 248 | Tags: memory, native, thread, COMMON
Memory Dump Source | Uniqueness Score: -1.00%
Memory Dump Source | Uniqueness Score: -1.00%
Function 004037B0 | Relevance: 8.8 | APIs: 3 | Strings: 2 | Instructions: 38 | Tags: library, memory, loader, COMMON
C-Code - Quality: 100%
Memory Dump Source | Uniqueness Score: -1.00%
Memory Dump Source | Uniqueness Score: -1.00%
Function 004033B0 | Relevance: 3.5 | APIs: 1 | Strings: 1 | Instructions: 17 | Tags: library, COMMON
C-Code - Quality: 100%
Memory Dump Source | Uniqueness Score: -1.00%
Function 0040960C | Relevance: 1.5 | APIs: 1 | Instructions: 20 | Tags: memory, COMMON
C-Code - Quality: 100%
Memory Dump Source | Uniqueness Score: -1.00%
Function 004090E1 | Relevance: 1.5 | APIs: 1 | Instructions: 4 | Tags: COMMON
C-Code - Quality: 100%
Memory Dump Source | Uniqueness Score: -1.00%
Function 00403790 | Relevance: 1.3 | APIs: 1 | Instructions: 6 | Tags: memory, COMMON
C-Code - Quality: 100%
Memory Dump Source | Uniqueness Score: -1.00%
Function 00403870 | Relevance: 96.6 | APIs: 38 | Strings: 17 | Instructions: 392 | Tags: synchronization, COMMON
C-Code - Quality: 74%
Memory Dump Source | Uniqueness Score: -1.00%
Memory Dump Source | Uniqueness Score: -1.00%
Function 0041251A | Relevance: 20.0 | APIs: 4 | Strings: 7 | Instructions: 793 | Tags: COMMON, Crypto
C-Code - Quality: 57%
Memory Dump Source | Uniqueness Score: -1.00%
Function 0040533B | Relevance: 7.6 | APIs: 5 | Instructions: 58 | Tags: COMMON
C-Code - Quality: 85%
Memory Dump Source | Uniqueness Score: -1.00%
Function 004084CF | Relevance: 1.5 | APIs: 1 | Instructions: 4 | Tags: COMMON
C-Code - Quality: 100%
Memory Dump Source | Uniqueness Score: -1.00%
Function 007F0042 | Relevance: 0.1 | Instructions: 61 | Tags: COMMON
Memory Dump Source | Uniqueness Score: -1.00%
Function 00403957 | Relevance: 80.8 | APIs: 34 | Strings: 12 | Instructions: 339 | Tags: file, string, synchronization, COMMON
C-Code - Quality: 72%
Memory Dump Source | Uniqueness Score: -1.00%
Function 00403660 | Relevance: 22.8 | APIs: 9 | Strings: 4 | Instructions: 76 | Tags: thread, COMMON
C-Code - Quality: 77%
Memory Dump Source | Uniqueness Score: -1.00%
C-Code - Quality: 75%
Memory Dump Source | Uniqueness Score: -1.00%
Function 004091D6 | Relevance: 19.3 | APIs: 8 | Strings: 3 | Instructions: 57 | Tags: library, loader, COMMON
C-Code - Quality: 92%
Memory Dump Source | Uniqueness Score: -1.00%
C-Code - Quality: 84%
Memory Dump Source | Uniqueness Score: -1.00%
Function 004056F3 | Relevance: 9.0 | APIs: 6 | Instructions: 49 | Tags: COMMON
C-Code - Quality: 89%
Memory Dump Source | Uniqueness Score: -1.00%
Function 0040B6F0 | Relevance: 7.5 | APIs: 5 | Instructions: 47 | Tags: COMMON
C-Code - Quality: 89%
Memory Dump Source | Uniqueness Score: -1.00%
Function 00406A51 | Relevance: 7.5 | APIs: 5 | Instructions: 44 | Tags: memory, COMMON
C-Code - Quality: 39%
Memory Dump Source | Uniqueness Score: -1.00%
C-Code - Quality: 19%
Memory Dump Source | Uniqueness Score: -1.00%
Function 0040E78B | Relevance: 7.0 | APIs: 2 | Strings: 2 | Instructions: 38 | Tags: library, loader, COMMON
C-Code - Quality: 65%
Memory Dump Source | Uniqueness Score: -1.00%
C-Code - Quality: 73%
Memory Dump Source | Uniqueness Score: -1.00%
Function 0040E677 | Relevance: 6.0 | APIs: 4 | Instructions: 49 | Tags: COMMON
C-Code - Quality: 100%
Memory Dump Source | Uniqueness Score: -1.00%
Function 0040BE5C | Relevance: 6.0 | APIs: 4 | Instructions: 31 | Tags: COMMON
C-Code - Quality: 90%
Memory Dump Source | Uniqueness Score: -1.00%
C-Code - Quality: 100%
Memory Dump Source | Uniqueness Score: -1.00%
C-Code - Quality: 86%
Memory Dump Source | Uniqueness Score: -1.00%
C-Code - Quality: 23%
Memory Dump Source | Uniqueness Score: -1.00%
Memory Dump Source | Uniqueness Score: -1.00%
C-Code - Quality: 17%
Memory Dump Source | Uniqueness Score: -1.00%
C-Code - Quality: 17%
Memory Dump Source | Uniqueness Score: -1.00%
C-Code - Quality: 20%
Memory Dump Source | Uniqueness Score: -1.00%
Function 00820110 | Relevance: 22.7 | APIs: 15 | Instructions: 248 | Tags: memory, native, thread, COMMON
Memory Dump Source | Uniqueness Score: -1.00%
Memory Dump Source | Uniqueness Score: -1.00%
Memory Dump Source | Uniqueness Score: -1.00%
C-Code - Quality: 23%
Memory Dump Source | Uniqueness Score: -1.00%
Memory Dump Source | Uniqueness Score: -1.00%
C-Code - Quality: 17%
Memory Dump Source | Uniqueness Score: -1.00%
C-Code - Quality: 17%
Memory Dump Source | Uniqueness Score: -1.00%
C-Code - Quality: 20%
Memory Dump Source | Uniqueness Score: -1.00%