Analysis Report zbetcheckin_tracker_propan.exe
Overview
General Information
Field | Value |
---|---|
Joe Sandbox Version: | 23.0.0 |
Analysis ID: | 48850 |
Start date: | 03.10.2018 |
Start time: | 11:14:04 |
Joe Sandbox Product: | Cloud |
Overall analysis duration: | 0h 3m 39s |
Hypervisor based Inspection enabled: | true |
Report type: | full |
Sample file name: | zbetcheckin_tracker_propan.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 7 x64 HVM (Office 2010, IE11, FF 50.1, Chrome 54.0, Java 1.8.0_111, Adobe Reader DC 2015.02) |
Number of new started processes analysed: | 6 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal80.bank.evad.winEXE@4/6@1/2 |
EGA Information: | |
HDC Information: | |
HCA Information: | |
Cookbook Comments: | |
Warnings: | |

Detection
Strategy | Score | Range | Detection |
---|---|---|---|
Threshold | 80 | 0 - 100 | |

Confidence
Strategy | Score | Range | Further Analysis Required? | Confidence |
---|---|---|---|---|
Threshold | 5 | 0 - 5 | false | |

Classification
Signature Overview
AV Detection
Signature | Evidence |
---|---|
Multi AV Scanner detection for submitted file | virustotal |
Antivirus detection for unpacked file | Avira (2×) |

Networking
Signature | Evidence |
---|---|
Creates a COM Internet Explorer object | Key opened (18×); COM instance created (1×) |
Downloads files | File created |
Downloads files from webservers via HTTP | HTTP traffic detected |
Performs DNS lookups | DNS traffic detected |

E-Banking Fraud
Signature | Evidence |
---|---|
Detected Ursnif banking trojan | Code function 1_2_00401C7A |

System Summary
Signature | Evidence |
---|---|
Contains functionality to create processes via WMI | Code function 1_2_002D42BD (3×); binary or memory string |
Starts Internet Explorer in hidden mode | Window hidden |
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc) | Memory allocated (2×) |
Contains functionality to call native functions | Code functions 1_2_004022EC, 1_2_004018F0, 1_2_004012F6, 1_2_004027FD, 1_2_0040192F, 1_2_0040143E, 1_2_00402749, 1_2_0040276A, 1_2_0040318D, 1_2_00402F20, 1_2_004027AD, 1_2_002D4615, 1_2_002DE040, 1_2_002DE297, 1_2_002DE2D6, 1_1_00401800 |
Detected potential crypto function | Code functions 1_2_00402F6C, 1_2_002D92AC, 1_2_002D2BC6, 1_2_00414449, 1_2_004160BE, 1_2_00413F07, 1_2_0040E71E, 1_2_0041498B, 1_1_00414449, 1_1_00404A60, 1_1_0040D4F0, 1_1_004160BE, 1_1_00413F07, 1_1_0040E71E, 1_1_0041498B, 1_1_004151B9 |
Found potential URLs in runtime VBA strings | VBA memory string (6×) |
PE file contains strange resources | Static PE information (2×) |
Classification label | Classification label |
Contains functionality to instantiate COM classes | Code function 1_2_002D5457 |
Creates files inside the user directory | File created |
Creates temporary files | File created |
PE file has an executable .text section and no other executable section | Static PE information |
Reads ini files | File read |
Reads software policies | Key opened |
Sample is known by Antivirus | virustotal |
Spawns processes | Process created (4×) |
Uses an in-process (OLE) Automation server | Key value queried |

Data Obfuscation
Signature | Evidence |
---|---|
Contains functionality to dynamically determine API calls | Code function 1_1_00412282 |
Uses code obfuscation techniques (call, push, ret) | Code functions 1_2_00402F6B, 1_2_00407222, 1_2_002D92AB, 1_1_0040D4E4 |

Hooking and other Techniques for Hiding and Protection
Signature | Evidence |
---|---|
Writes registry values via WMI | WMI registry write (5×) |
Disables application error messages (SetErrorMode) | Process information set (2×) |

Malware Analysis System Evasion
Signature | Evidence |
---|---|
Found evasive API chain (may stop execution after checking locale) | Evasive API call chain graph_1-7457 |
Tries to detect sandboxes / dynamic malware analysis system (cursor check) | Code function 1_2_004010ED |
May sleep (evasive loops) to hinder dynamic analysis | Thread sleep count; thread sleep time (2×) |
Sample execution stops while process was sleeping (likely an evasion) | Last function |
Program exit points | API call chain graph_1-7347 |

Anti Debugging
Signature | Evidence |
---|---|
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation)) | System information queried |
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress) | Code function 1_2_004012F6 |
Contains functionality to check if a debugger is running (IsDebuggerPresent) | Code function 1_2_0040FE9A |
Contains functionality to dynamically determine API calls | Code function 1_1_00412282 |
Contains functionality to read the PEB | Code functions 1_2_0025052B, 1_2_00250000 (2×), 1_2_002506F5 (2×), 1_2_00250AFD, 1_2_00290000 (2×), 1_2_00290408 |
Contains functionality which may be used to detect a debugger (GetProcessHeap) | Code function 1_1_0040C832 |
Contains functionality to register its own exception handler | Code functions 1_2_0040FE9A, 1_2_00413BEE, 1_1_0040CA26, 1_1_0040FE9A, 1_1_00413BEE |

HIPS / PFW / Operating System Protection Evasion
Signature | Evidence |
---|---|
May try to detect the Windows Explorer process (often used for injection) | Binary or memory string (3×) |

Language, Device and Operating System Detection
Signature | Evidence |
---|---|
Contains functionality to query locale information (e.g. system language) | Code functions 1_2_0040270C, 1_2_004134B0, 1_1_004026F0, 1_1_004134B0 |
Contains functionality to query CPU information (cpuid) | Code function 1_2_002D46DF |
Contains functionality to query local / system time | Code function 1_2_002D1C3C |
Contains functionality to query the account / user name | Code function 1_2_002D46DF |
Contains functionality to query windows version | Code function 1_2_00401B9B |
Queries the cryptographic machine GUID | Key value queried |

Behavior Graph
Simulations
Behavior and APIs
Time | Type | Description |
---|---|---|
11:16:06 | API Interceptor | 149x Sleep call for process: zbetcheckin_tracker_propan.exe modified |

Antivirus Detection
Initial Sample
Detection | Scanner | Label |
---|---|---|
44% | virustotal | |
11% | metadefender | |

Dropped Files: No Antivirus matches
Unpacked PE Files
Detection | Scanner | Label |
---|---|---|
100% | Avira | TR/Patched.Ren.Gen |
100% | Avira | TR/Patched.Ren.Gen |

Domains: No Antivirus matches
URLs: No Antivirus matches
Yara Overview
Target | Result |
---|---|
Initial Sample | No yara matches |
PCAP (Network Traffic) | No yara matches |
Dropped Files | No yara matches |
Memory Dumps | No yara matches |
Unpacked PEs | No yara matches |

Screenshots
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Startup
Created / dropped Files
Field | Value |
---|---|
Process: | C:\Program Files\Internet Explorer\iexplore.exe |
File Type: | |
Size (bytes): | 25657 |
Entropy (8bit): | 2.176978949251122 |
Encrypted: | false |
MD5: | 55485BE3EF18BA5AD6355F9FBE25F3CC |
SHA1: | ABFF4536A8CA1C8C3066997982F831EF6C581715 |
SHA-256: | 983908AB258F0BA6C99BAF97CF34434D7704BB32E8824690C998A681E9EB2D78 |
SHA-512: | 9A9DBE0C22478908E5A6E1D230BF577625A6CC99D0F3CDC6135488D5CD8287C0910331BAC430AA30A1C2A62BE47D7B28396EE3F137AC0CC46214826342927BDC |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Internet Explorer\iexplore.exe |
File Type: | |
Size (bytes): | 12917 |
Entropy (8bit): | 1.26396999706028 |
Encrypted: | false |
MD5: | 8A18599411937FBE9F25B7F5365779FE |
SHA1: | 4356788CAEB2FCB84DE904A7B168D7F696E45E17 |
SHA-256: | 1F5940FFAD29BFDBFDD1726D070CAE1F6D8A5678EA0265E793DD5106B80F9F99 |
SHA-512: | 268C6AD044318D14509FF2C6BD015A9A4F8ACA9946EDBB8F2323599A9CF0F253477D054838167AF8C6DA393339581B7ED53B32964C413953DF4F7581A489C066 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Internet Explorer\iexplore.exe |
File Type: | |
Size (bytes): | 237 |
Entropy (8bit): | 6.1480026084285395 |
Encrypted: | false |
MD5: | 9FB559A691078558E77D6848202F6541 |
SHA1: | EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31 |
SHA-256: | 6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914 |
SHA-512: | 0E08938568CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCFB74437DE520395234D0009D452FB96A8ECE236B |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Internet Explorer\iexplore.exe |
File Type: | |
Size (bytes): | 21592 |
Entropy (8bit): | 1.7627604255262714 |
Encrypted: | false |
MD5: | A06D7B4CA86645FD6907B1248E3B4775 |
SHA1: | 6CD6CC371A1B08EE05C14EE8513496A353569982 |
SHA-256: | 037DC37D0382D95D73B98219FEEBF099F1FDC96F8A51B71A13BAE885B9B05D50 |
SHA-512: | 7616DA33EB92F11B6270C1BF746C7E339CB67693A321176DD53E7E98E2E3D7186AC638FB3810B70891F29B775D878B9E1D845411A5220840D0815724D35AABFD |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Internet Explorer\iexplore.exe |
File Type: | |
Size (bytes): | 16984 |
Entropy (8bit): | 1.5772396259895078 |
Encrypted: | false |
MD5: | 4AA3ABB003514E1CEFC4BD0847C6CBD6 |
SHA1: | 9677A883402ABFFB3D1226223956FB2302D2884D |
SHA-256: | 2226D184979E293213BED7F088811E4E8E789E3D28211568A6122DF0E50B3C71 |
SHA-512: | 14DDE72B90922243F49AC5E8BE62F4B42C91EFF2A1794D97CE169FA7D0231C1FD57F52E0A173BE3094DD94958A49E4581FE069B9E1FFB40FCFC388BDE9BDF0CC |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Internet Explorer\iexplore.exe |
File Type: | |
Size (bytes): | 237 |
Entropy (8bit): | 6.1480026084285395 |
Encrypted: | false |
MD5: | 9FB559A691078558E77D6848202F6541 |
SHA1: | EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31 |
SHA-256: | 6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914 |
SHA-512: | 0E08938568CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCFB74437DE520395234D0009D452FB96A8ECE236B |
Malicious: | false |
Reputation: | low |
Domains and IPs
Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
doc.rendes.at | 47.254.153.156 | true | false | | high |

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| | false | | unknown |

Contacted IPs
Static File Info
General
Field | Value |
---|---|
File type: | |
Entropy (8bit): | 6.528337649042211 |
TrID: | |
File name: | zbetcheckin_tracker_propan.exe |
File size: | 183296 |
MD5: | 7e17f0f35d50f49407841372f24fbd38 |
SHA1: | 921ad55a3f593239b906163cf1bb8001194822f3 |
SHA256: | 934c3445fe9d1a3d4cca4d3ec09c9191d8f9067e13e58fa0b288cb520cd40785 |
SHA512: | 8200be71fc9015e9160ce7a3f665a917e058c8ee8753c178f43cf62a519154cafd83125787b565748c9061d9fcbe3c96f65edfa2dbc01c17f0e20f540386a1d1 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......(.."l..ql..ql..qK0.q...qK0.q:..q...qe..ql..q...qK0.qp..qK0.qm..qr..qm..qRichl..q........................PE..L....v.[........... |

File Icon
Static PE Info
General
Field | Value |
---|---|
Entrypoint: | 0x40ca12 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED |
DLL Characteristics: | TERMINAL_SERVER_AWARE |
Time Stamp: | 0x5BB076BF [Sun Sep 30 07:09:51 2018 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | 65787a6837f68f71463896efdbebc84c |

Entrypoint Preview
Instruction |
---|
call 00007FBDAD823FE1h |
jmp 00007FBDAD820A8Bh |
mov eax, dword ptr [esp+04h] |
mov dword ptr [00436074h], eax |
ret |
push ebp |
lea ebp, dword ptr [esp-000002A8h] |
sub esp, 00000328h |
mov eax, dword ptr [0042C4A0h] |
xor eax, ebp |
mov dword ptr [ebp+000002A4h], eax |
push esi |
mov dword ptr [ebp+00000088h], eax |
mov dword ptr [ebp+00000084h], ecx |
mov dword ptr [ebp+00000080h], edx |
mov dword ptr [ebp+7Ch], ebx |
mov dword ptr [ebp+78h], esi |
mov dword ptr [ebp+74h], edi |
mov word ptr [ebp+000000A0h], ss |
mov word ptr [ebp+00000094h], cs |
mov word ptr [ebp+70h], ds |
mov word ptr [ebp+6Ch], es |
mov word ptr [ebp+68h], fs |
mov word ptr [ebp+64h], gs |
pushfd |
pop dword ptr [ebp+00000098h] |
mov esi, dword ptr [ebp+000002ACh] |
lea eax, dword ptr [ebp+000002ACh] |
mov dword ptr [ebp+0000009Ch], eax |
mov dword ptr [ebp-28h], 00010001h |
mov dword ptr [ebp+00000090h], esi |
mov eax, dword ptr [eax-04h] |
push 00000050h |
mov dword ptr [ebp+0000008Ch], eax |
lea eax, dword ptr [ebp-80h] |
push 00000000h |
push eax |
call 00007FBDAD823FDEh |
lea eax, dword ptr [ebp-80h] |
mov dword ptr [ebp-30h], eax |
lea eax, dword ptr [ebp-28h] |
add esp, 0Ch |
mov dword ptr [ebp-80h], C000000Dh |
mov dword ptr [ebp-74h], esi |
mov dword ptr [ebp-2Ch], eax |

Data Directories
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2ab50 | 0x64 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x37000 | 0x1458 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x18b68 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x17000 | 0x218 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x1562a | 0x15800 | False | 0.545387445494 | data | 6.51475744719 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x17000 | 0x146f6 | 0x14800 | False | 0.76806640625 | data | 6.25790724155 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x2c000 | 0xac18 | 0x1200 | False | 0.344835069444 | data | 3.39487152334 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x37000 | 0x1458 | 0x1600 | False | 0.437144886364 | data | 4.50632518873 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |

Resources
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_CURSOR | 0x374d8 | 0x134 | data | ||
RT_CURSOR | 0x37628 | 0x134 | data | ||
RT_ICON | 0x37788 | 0x568 | GLS_BINARY_LSB_FIRST | ||
RT_ICON | 0x37cf0 | 0x468 | GLS_BINARY_LSB_FIRST | ||
RT_DIALOG | 0x372f0 | 0xe2 | data | ||
RT_DIALOG | 0x373d8 | 0xe2 | data | ||
RT_GROUP_CURSOR | 0x374c0 | 0x14 | Lotus 1-2-3 | ||
RT_GROUP_CURSOR | 0x37610 | 0x14 | Lotus 1-2-3 | ||
RT_GROUP_ICON | 0x37760 | 0x22 | MS Windows icon resource - 2 icons, 16x16, 256-colors | ||
RT_VERSION | 0x38158 | 0x19c | data | ||
RT_MANIFEST | 0x382f8 | 0x15a | ASCII text, with CRLF line terminators |

Imports
DLL | Import |
---|---|
USER32.dll | DefWindowProcA, MessageBoxA, DestroyWindow, UpdateWindow, ShowWindow, GetMenu, AdjustWindowRect, EndDialog, InvalidateRect, wsprintfA, SetWindowTextA, DrawMenuBar, BeginPaint, EndPaint, IsIconic, MoveWindow, PostQuitMessage, GetWindowLongA, DialogBoxParamA, LoadStringA, EnableMenuItem, GetWindowRect, SendMessageA, SetWindowPos, PostMessageA, GetMessageA, TranslateMessage, DispatchMessageA, MessageBeep, LoadIconA, LoadCursorA, RegisterClassA, GetSystemMetrics, CreateWindowExA |
comdlg32.dll | GetOpenFileNameA |
VERSION.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW |
KERNEL32.dll | GetDateFormatA, RtlUnwind, InitializeCriticalSection, Sleep, CompareStringA, GetCurrentProcessId, InterlockedDecrement, GetCurrentThreadId, SetLastError, InterlockedIncrement, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, GetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, IsDebuggerPresent, GetVersionExA, CompareStringW, GlobalFindAtomW, GlobalAddAtomW, GlobalFlags, GetTickCount, GetACP, GetLocaleInfoA, RaiseException, HeapFree, HeapAlloc, GetProcessHeap, GetStartupInfoW, GetSystemTimeAsFileTime, ExitProcess, VirtualAlloc, GetProcAddress, GetModuleHandleA, GetVersion, GetCurrentProcess, WideCharToMultiByte, WriteFile, LoadLibraryA, lstrcpyA, LCMapStringW, MultiByteToWideChar, CreatePipe, GetExitCodeProcess, SetFilePointer, GetDriveTypeA, GetCurrentDirectoryA, CreateFileA, SetEnvironmentVariableW, SetEnvironmentVariableA, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, IsValidLocale, EnumSystemLocalesA, GetStringTypeW, GetStringTypeA, GetConsoleMode, GetConsoleCP, GetTimeZoneInformation, GetTimeFormatA, QueryPerformanceCounter, VirtualFree, HeapCreate, HeapDestroy, GetStartupInfoA, SetHandleCount, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, GetModuleFileNameA, GetStdHandle, FlushFileBuffers, LCMapStringA, IsValidCodePage, GetOEMCP, GetCPInfo, VirtualQuery, GetSystemInfo, VirtualProtect, HeapSize, GetFileType, SetStdHandle, HeapReAlloc, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess |

Version Infos
Description | Data |
---|---|
InternalName | IMSG |
FileDescription | Parser |
FileVersion | 1748 |
CompanyName | loxlox |
Translation | 0x0409 0x04b0 |

Network Behavior
Network Port Distribution
TCP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 3, 2018 11:16:29.028738976 CEST | 55984 | 53 | 192.168.2.2 | 8.8.8.8 |
Oct 3, 2018 11:16:29.415028095 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.2 |
Oct 3, 2018 11:16:29.426309109 CEST | 49233 | 80 | 192.168.2.2 | 47.254.153.156 |
Oct 3, 2018 11:16:29.427006006 CEST | 49234 | 80 | 192.168.2.2 | 47.254.153.156 |
Oct 3, 2018 11:16:29.450634956 CEST | 80 | 49233 | 47.254.153.156 | 192.168.2.2 |
Oct 3, 2018 11:16:29.450643063 CEST | 80 | 49234 | 47.254.153.156 | 192.168.2.2 |
Oct 3, 2018 11:16:29.450722933 CEST | 49233 | 80 | 192.168.2.2 | 47.254.153.156 |
Oct 3, 2018 11:16:29.450733900 CEST | 49234 | 80 | 192.168.2.2 | 47.254.153.156 |
Oct 3, 2018 11:16:29.452330112 CEST | 49233 | 80 | 192.168.2.2 | 47.254.153.156 |
Oct 3, 2018 11:16:29.476313114 CEST | 80 | 49233 | 47.254.153.156 | 192.168.2.2 |
Oct 3, 2018 11:16:32.098453045 CEST | 50783 | 53 | 192.168.2.2 | 8.8.8.8 |
Oct 3, 2018 11:16:32.103457928 CEST | 51303 | 53 | 192.168.2.2 | 8.8.8.8 |
Oct 3, 2018 11:16:32.113343000 CEST | 53 | 50783 | 8.8.8.8 | 192.168.2.2 |
Oct 3, 2018 11:16:32.118056059 CEST | 53 | 51303 | 8.8.8.8 | 192.168.2.2 |
Oct 3, 2018 11:16:32.121105909 CEST | 55522 | 53 | 192.168.2.2 | 8.8.8.8 |
Oct 3, 2018 11:16:32.135778904 CEST | 53 | 55522 | 8.8.8.8 | 192.168.2.2 |
Oct 3, 2018 11:16:33.461882114 CEST | 59398 | 53 | 192.168.2.2 | 8.8.8.8 |
Oct 3, 2018 11:16:33.471844912 CEST | 55803 | 53 | 192.168.2.2 | 8.8.8.8 |
Oct 3, 2018 11:16:33.476080894 CEST | 53 | 59398 | 8.8.8.8 | 192.168.2.2 |
Oct 3, 2018 11:16:33.486018896 CEST | 53 | 55803 | 8.8.8.8 | 192.168.2.2 |

UDP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 3, 2018 11:16:29.028738976 CEST | 55984 | 53 | 192.168.2.2 | 8.8.8.8 |
Oct 3, 2018 11:16:29.415028095 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.2 |
Oct 3, 2018 11:16:32.098453045 CEST | 50783 | 53 | 192.168.2.2 | 8.8.8.8 |
Oct 3, 2018 11:16:32.103457928 CEST | 51303 | 53 | 192.168.2.2 | 8.8.8.8 |
Oct 3, 2018 11:16:32.113343000 CEST | 53 | 50783 | 8.8.8.8 | 192.168.2.2 |
Oct 3, 2018 11:16:32.118056059 CEST | 53 | 51303 | 8.8.8.8 | 192.168.2.2 |
Oct 3, 2018 11:16:32.121105909 CEST | 55522 | 53 | 192.168.2.2 | 8.8.8.8 |
Oct 3, 2018 11:16:32.135778904 CEST | 53 | 55522 | 8.8.8.8 | 192.168.2.2 |
Oct 3, 2018 11:16:33.461882114 CEST | 59398 | 53 | 192.168.2.2 | 8.8.8.8 |
Oct 3, 2018 11:16:33.471844912 CEST | 55803 | 53 | 192.168.2.2 | 8.8.8.8 |
Oct 3, 2018 11:16:33.476080894 CEST | 53 | 59398 | 8.8.8.8 | 192.168.2.2 |
Oct 3, 2018 11:16:33.486018896 CEST | 53 | 55803 | 8.8.8.8 | 192.168.2.2 |

DNS Queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Oct 3, 2018 11:16:29.028738976 CEST | 192.168.2.2 | 8.8.8.8 | 0xd536 | Standard query (0) | | A (IP address) | IN (0x0001) |

DNS Answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Oct 3, 2018 11:16:29.415028095 CEST | 8.8.8.8 | 192.168.2.2 | 0xd536 | No error (0) | | | 47.254.153.156 | A (IP address) | IN (0x0001) |

HTTP Request Dependency Graph
HTTP Packets
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.2 | 49233 | 47.254.153.156 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe |

Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Oct 3, 2018 11:16:29.452330112 CEST | 1 | OUT | |

Code Manipulations
Statistics
CPU Usage
Memory Usage
High Level Behavior Distribution
Behavior
System Behavior
General
Field | Value |
---|---|
Start time: | 11:14:17 |
Start date: | 03/10/2018 |
Path: | C:\Users\user\Desktop\zbetcheckin_tracker_propan.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 183296 bytes |
MD5 hash: | 7E17F0F35D50F49407841372F24FBD38 |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |

General
Field | Value |
---|---|
Start time: | 11:16:07 |
Start date: | 03/10/2018 |
Path: | C:\Program Files\Internet Explorer\iexplore.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13ff20000 |
File size: | 814288 bytes |
MD5 hash: | 446332D1A5576870E436B13AEB27CA8E |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |

General
Field | Value |
---|---|
Start time: | 11:16:08 |
Start date: | 03/10/2018 |
Path: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 815304 bytes |
MD5 hash: | F2831268EC600225F611DC02166EACF0 |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |

Disassembly
Code Analysis
Execution Graph
Field | Value |
---|---|
Execution Coverage: | 12.4% |
Dynamic/Decrypted Code Coverage: | 3.1% |
Signature Coverage: | 15.6% |
Total number of Nodes: | 1406 |
Total number of Limit Nodes: | 87 |

Graph
Executed Functions |
---|
Control-flow Graph |
---|
C-Code - Quality: 98% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
C-Code - Quality: 75% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph |
---|
C-Code - Quality: 95% |
|
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph |
---|
C-Code - Quality: 82% |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph |
---|
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph |
---|
C-Code - Quality: 86% |
|
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph |
---|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph |
---|
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
C-Code - Quality: 75% |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
C-Code - Quality: 77% |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
C-Code - Quality: 50% |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
C-Code - Quality: 58% |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
C-Code - Quality: 75% |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
C-Code - Quality: 100% |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph |
---|
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
C-Code - Quality: 91% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
C-Code - Quality: 87% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Non-executed Functions |
---|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|