Analysis Report
Overview
General Information |
---|
Joe Sandbox Version: | 15.0.0 |
Analysis ID: | 19962 |
Start time: | 22:40:10 |
Joe Sandbox Product: | Cloud |
Start date: | 13.07.2016 |
Overall analysis duration: | 0h 3m 49s |
Report type: | full |
Sample file name: | blakaka (renamed file extension from none to exe) |
Cookbook file name: | default.jbs |
Analysis system description: | XP SP3 Native, physical Machine for testing VM-aware malware (Office 2003 SP3, Acrobat Reader 9.4.0, Flash 11.2, Internet Explorer 8) |
Number of new started processes analysed: | 21 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Detection: | MAL |
Classification: | mal84.evad.rans.troj.winEXE@40/7@0/0 |
HCA Information: |
EGA Information: |
Warnings: |
Detection |
---|
Strategy | Score | Range | Reporting | Detection |
---|---|---|---|---|
Threshold | 84 | 0 - 100 | Report FP / FN | |
Classification |
---|
Analysis Advice |
---|
Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox |
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--") |
Sample sleeps for a long time, analyze it with the 'Bypass long sleeps' cookbook |
Signature Overview |
---|
Cryptography: |
---|
Uses Microsoft's Enhanced Cryptographic Provider |
Source: C:\blakaka.exe | Code function: | 0_2_00401DAF |
Source: C:\blakaka.exe | Code function: | 0_1_00401DAF |
Source: C:\blakaka.exe | Code function: | 4_2_00401DAF |
Source: C:\blakaka.exe | Code function: | 4_1_00401DAF |
Source: C:\blakaka.exe | Code function: | 12_2_00401DAF |
Source: C:\blakaka.exe | Code function: | 12_1_00401DAF |
Networking: |
---|
Urls found in memory or binary data |
Source: netsh.exe | String found in binary or memory: |
Source: blakaka.exe | String found in binary or memory: |
Found strings which match to known social media urls |
Source: netsh.exe | String found in binary or memory: |
Uses ping.exe to check the status of other devices and networks |
Source: unknown | Process created: |
Boot Survival: |
---|
Creates or modifies windows services |
Source: C:\WINDOWS\system32\netsh.exe | Registry key created: |
Modifies existing windows services |
Source: C:\WINDOWS\system32\netsh.exe | Registry key value modified: |
Persistence and Installation Behavior: |
---|
Drops PE files |
Source: C:\blakaka.exe | File created: |
Source: C:\WINDOWS\system32\cmd.exe | File created: |
Drops PE files to the windows directory (C:\Windows) |
Source: C:\blakaka.exe | File created: |
Drops files with a non-matching file extension (content does not match file extension) |
Source: C:\blakaka.exe | File created: |
Uses cmd line tools excessively to alter registry or file data |
Source: C:\WINDOWS\system32\cmd.exe | Process created: |
Data Obfuscation: |
---|
Binary may include packed or encrypted code |
Source: initial sample | Static PE information: |
Contains functionality to dynamically determine API calls |
Source: C:\blakaka.exe | Code function: | 0_2_0040F961 |
PE file contains an invalid checksum |
Source: puntosw.exe.1760.dr | Static PE information: |
Source: blakaka.exe | Static PE information: |
Spreading: |
---|
Contains functionality to enumerate network shares |
Source: C:\blakaka.exe | Code function: | 4_2_0040BCE6 |
Source: C:\blakaka.exe | Code function: | 4_1_0040BCE6 |
System Summary: |
---|
Contains modern PE file flags such as dynamic base (ASLR) or NX |
Source: blakaka.exe | Static PE information: |
PE file contains a valid data directory to section mapping |
Source: blakaka.exe | Static PE information: |
Classification label |
Source: classification engine | Classification label: |
Found command line output |
Source: C:\WINDOWS\system32\cmd.exe | Console Write: |
Source: C:\WINDOWS\system32\reg.exe | Console Write: |
Source: C:\WINDOWS\system32\netsh.exe | Console Write: |
Might use command line arguments |
Source: C:\blakaka.exe | Command line argument: | 0_1_00406008 |
Source: C:\blakaka.exe | Command line argument: | 12_2_00406008 |
Source: C:\blakaka.exe | Command line argument: | 12_1_00406008 |
PE file has an executable .text section and no other executable section |
Source: blakaka.exe | Static PE information: |
Reads software policies |
Source: C:\blakaka.exe | Key opened: |
Spawns processes |
Source: unknown | Process created: |
Source: C:\blakaka.exe | Process created: |
Source: C:\WINDOWS\system32\cmd.exe | Process created: |
Uses an in-process (OLE) Automation server |
Source: C:\WINDOWS\system32\netsh.exe | Key value queried: |
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011) |
Source: blakaka.exe | Static PE information: |
Source: puntosw.exe.1760.dr | Static PE information: |
Creates files inside the system directory |
Source: C:\blakaka.exe | File created: |
Creates mutexes |
Source: C:\blakaka.exe | Mutant created: |
Found potential string decryption / allocating functions |
Source: C:\blakaka.exe | Code function: |
Sample file is different than original file name gathered from version info |
Source: blakaka.exe | Binary or memory string: |
Uses reg.exe to modify the Windows registry |
Source: unknown | Process created: |
Contains functionality to create processes via WMI |
Source: C:\blakaka.exe | Code function: | 0_1_00404EA3 |
Source: blakaka.exe | Binary or memory string: |
Uses shutdown.exe to shutdown or reboot the system |
Source: unknown | Process created: |
Anti Debugging: |
---|
Contains functionality to register its own exception handler |
Source: C:\blakaka.exe | Code function: | 0_2_0040F51C |
Source: C:\blakaka.exe | Code function: | 0_2_00407B90 |
Source: C:\blakaka.exe | Code function: | 0_2_00401210 |
Source: C:\blakaka.exe | Code function: | 0_2_0040CA8F |
Source: C:\blakaka.exe | Code function: | 0_1_0040F51C |
Source: C:\blakaka.exe | Code function: | 0_1_00407B90 |
Source: C:\blakaka.exe | Code function: | 0_1_00401210 |
Source: C:\blakaka.exe | Code function: | 0_1_0040CA8F |
Source: C:\blakaka.exe | Code function: | 4_2_0040F51C |
Source: C:\blakaka.exe | Code function: | 4_2_00407B90 |
Source: C:\blakaka.exe | Code function: | 4_2_00401210 |
Source: C:\blakaka.exe | Code function: | 4_2_0040CA8F |
Source: C:\blakaka.exe | Code function: | 4_1_0040F51C |
Source: C:\blakaka.exe | Code function: | 4_1_00407B90 |
Source: C:\blakaka.exe | Code function: | 4_1_00401210 |
Source: C:\blakaka.exe | Code function: | 4_1_0040CA8F |
Source: C:\blakaka.exe | Code function: | 12_2_0040F51C |
Source: C:\blakaka.exe | Code function: | 12_2_00407B90 |
Source: C:\blakaka.exe | Code function: | 12_2_00401210 |
Source: C:\blakaka.exe | Code function: | 12_2_0040CA8F |
Source: C:\blakaka.exe | Code function: | 12_1_0040F51C |
Source: C:\blakaka.exe | Code function: | 12_1_00407B90 |
Source: C:\blakaka.exe | Code function: | 12_1_00401210 |
Source: C:\blakaka.exe | Code function: | 12_1_0040CA8F |
Creates guard pages, often used to prevent reverse engineering and debugging |
Source: C:\WINDOWS\system32\cmd.exe | Memory protected: |
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation)) |
Source: C:\blakaka.exe | System information queried: |
Checks if the current process is being debugged |
Source: C:\blakaka.exe | Process queried: |
Contains functionality to check if a debugger is running (IsDebuggerPresent) |
Source: C:\blakaka.exe | Code function: | 0_2_00407B90 |
Contains functionality to dynamically determine API calls |
Source: C:\blakaka.exe | Code function: | 0_2_0040F961 |
Contains functionality which may be used to detect a debugger (GetProcessHeap) |
Source: C:\blakaka.exe | Code function: | 0_2_00406008 |
Enables debug privileges |
Source: C:\blakaka.exe | Process token adjusted: |
Checks for debuggers (window names) |
Source: C:\blakaka.exe | Open window title or class name: |
Malware Analysis System Evasion: |
---|
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory) |
Source: blakaka.exe | Binary or memory string: |
Queries a list of all running drivers |
Source: C:\blakaka.exe | System information queried: |
Queries a list of all running processes |
Source: C:\blakaka.exe | Process information queried: |
Contains capabilities to detect virtual machines |
Source: C:\blakaka.exe | Registry key queried: |
Found dropped PE file which has not been started or loaded |
Source: C:\blakaka.exe | Dropped PE file which has not been started: |
Source: C:\WINDOWS\system32\cmd.exe | Dropped PE file which has not been started: |
Found evasive API chain (may stop execution after checking a module file name) |
Source: C:\blakaka.exe | Evasive API call chain: | graph_0-6274 |
May sleep (evasive loops) to hinder dynamic analysis |
Source: C:\WINDOWS\system32\netsh.exe TID: 168 | Thread sleep time: |
Source: C:\WINDOWS\system32\netsh.exe TID: 2964 | Thread sleep time: |
Source: C:\WINDOWS\system32\netsh.exe TID: 820 | Thread sleep time: |
Contains functionality to detect virtual machines (IN, VMware) |
Source: C:\blakaka.exe | Code function: | 0_2_0040E8E3 |
Tries to detect sandboxes and other dynamic analysis tools (process name) |
Source: blakaka.exe | Binary or memory string: |
Tries to detect virtual machines |
Source: C:\blakaka.exe | Code function: | 0_1_004016E5 |
Source: C:\blakaka.exe | Code function: | 0_1_00402B18 |
Source: C:\blakaka.exe | Code function: | 0_1_004086DA |
Source: C:\blakaka.exe | Code function: | 0_1_0040295A |
Source: C:\blakaka.exe | Code function: | 0_1_00404368 |
Source: C:\blakaka.exe | Code function: | 4_1_004016E5 |
Source: C:\blakaka.exe | Code function: | 4_1_00402B18 |
Source: C:\blakaka.exe | Code function: | 4_1_004086DA |
Source: C:\blakaka.exe | Code function: | 4_1_0040295A |
Source: C:\blakaka.exe | Code function: | 4_1_00404368 |
Hooking and other Techniques for Hiding and Protection: |
---|
Disables application error messages (SetErrorMode) |
Source: C:\blakaka.exe | Process information set: |
Source: C:\WINDOWS\system32\cmd.exe | Process information set: |
Creates files in alternative data streams (ADS) |
Source: C:\blakaka.exe | File created: |
Lowering of HIPS / PFW / Operating System Security Settings: |
---|
AV process strings found (often used to terminate AV products) |
Source: blakaka.exe | Binary or memory string: |
Source: cmd.exe | Binary or memory string: |
Uses netsh to modify the Windows network and firewall settings |
Source: unknown | Process created: |
Language, Device and Operating System Detection: |
---|
Contains functionality to query local / system time |
Source: C:\blakaka.exe | Code function: | 0_2_00407143 |
Contains functionality to query the account / user name |
Source: C:\blakaka.exe | Code function: | 0_2_0040EAC6 |
Contains functionality to query locale information (e.g. system language) |
Source: C:\blakaka.exe | Code function: | 0_2_0040B715 |
Source: C:\blakaka.exe | Code function: | 0_1_0040B715 |
Source: C:\blakaka.exe | Code function: | 4_2_0040B715 |
Source: C:\blakaka.exe | Code function: | 4_1_0040B715 |
Source: C:\blakaka.exe | Code function: | 12_2_0040B715 |
Source: C:\blakaka.exe | Code function: | 12_1_0040B715 |
Contains functionality to query CPU information (cpuid) |
Source: C:\blakaka.exe | Code function: | 0_2_00409E85 |
Queries the volume information (name, serial number etc) of a device |
Source: C:\WINDOWS\system32\cmd.exe | Queries volume information: |
Behavior Graph |
---|
Yara Overview |
---|
No Yara matches |
---|
Startup |
---|
Created / dropped Files |
---|
File Path | Type and Hashes |
---|---|
Contacted Domains/Contacted IPs |
---|
Static File Info |
---|
General | |
---|---|
File type: | PE32 executable (GUI) Intel 80386, for MS Windows |
TrID: |
File name: | blakaka.exe |
File size: | 294400 |
MD5: | 564ac87ca4114edd6a84a005092f1285 |
SHA1: | 638d549a24bb0a28e462c70880bf3f979f137cc6 |
SHA256: | 766e49811c0bb7cce217e72e73a6aa866c15de0ba11d7dda3bd7e9ec33ed6963 |
SHA512: | 81ca552dbcbc4fc16d95afb1cc945e77db0143830829decb1d489e458ef7ce2ba887f5410f965c01c3b9bdb0a4b5b76117a44224846c9a5167fed5317f7c62e1 |
File Icon |
---|
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x40f11e |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE |
DLL Characteristics: | TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x5718C6AF [Thu Apr 21 12:25:19 2016 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | 8369a46ca398dad62c690e1e866873d9 |
Entrypoint Preview |
---|
Instruction |
---|
call 00007F2BECA66565h |
jmp 00007F2BECA6E3BEh |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
push ebx |
push esi |
mov eax, dword ptr [esp+18h] |
or eax, eax |
jne 00007F2BECA6E55Ah |
mov ecx, dword ptr [esp+14h] |
mov eax, dword ptr [esp+10h] |
xor edx, edx |
div ecx |
mov ebx, eax |
mov eax, dword ptr [esp+0Ch] |
div ecx |
mov edx, ebx |
jmp 00007F2BECA6E583h |
mov ecx, eax |
mov ebx, dword ptr [esp+14h] |
mov edx, dword ptr [esp+10h] |
mov eax, dword ptr [esp+0Ch] |
shr ecx, 1 |
rcr ebx, 1 |
shr edx, 1 |
rcr eax, 1 |
or ecx, ecx |
jne 00007F2BECA6E536h |
div ebx |
mov esi, eax |
mul dword ptr [esp+18h] |
mov ecx, eax |
mov eax, dword ptr [esp+14h] |
mul esi |
add edx, ecx |
jc 00007F2BECA6E550h |
cmp edx, dword ptr [esp+10h] |
jnbe 00007F2BECA6E54Ah |
jc 00007F2BECA6E549h |
cmp eax, dword ptr [esp+0Ch] |
jbe 00007F2BECA6E543h |
dec esi |
xor edx, edx |
mov eax, esi |
pop esi |
pop ebx |
retn 0010h |
mov edi, edi |
push ebx |
mov ebx, dword ptr [004120C4h] |
push esi |
mov esi, 004140D0h |
push edi |
mov edi, dword ptr [esi] |
test edi, edi |
je 00007F2BECA6E555h |
cmp dword ptr [esi+04h], 01h |
je 00007F2BECA6E54Fh |
push edi |
call ebx |
push edi |
call 00007F2BECA61AAEh |
and dword ptr [esi], 00000000h |
pop ecx |
add esi, 08h |
cmp esi, 004141F0h |
jl 00007F2BECA6E51Eh |
mov esi, 004140D0h |
pop edi |
mov eax, dword ptr [esi] |
test eax, eax |
je 00007F2BECA6E54Bh |
cmp dword ptr [esi+04h], 01h |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x135f4 | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x49000 | 0x4b8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4a000 | 0xf78 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x132f8 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x12000 | 0x144 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Xored PE | ZLIB Complexity | File Type | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x101d4 | 0x10200 | 6.47330559227 | False | 0.57644440407 | data | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x12000 | 0x1d24 | 0x1e00 | 5.52923342533 | False | 0.351822916667 | data | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x14000 | 0x34840 | 0x33c00 | 7.98492600644 | False | 0.989059669384 | data | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x49000 | 0x4b8 | 0x600 | 3.58458284029 | False | 0.380208333333 | data | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x4a000 | 0x174c | 0x1800 | 5.18021474413 | False | 0.550944010417 | data | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country | Nbr Of Functions | Xored PE |
---|---|---|---|---|---|---|---|
RT_VERSION | 0x490a0 | 0x280 | 8086 relocatable (Microsoft) | Russian | Russia | 0 | False |
RT_MANIFEST | 0x49320 | 0x196 | XML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | English | United States | 0 | False |
Imports |
---|
DLL | Import |
---|---|
KERNEL32.dll | HeapAlloc, GetProcessHeap, HeapFree, InterlockedExchange, GetProcAddress, GetModuleHandleA, MoveFileExW, ReleaseMutex, OpenMutexW, WaitForSingleObject, CreateMutexW, CreateThread, CreateFileMappingW, TerminateThread, CloseHandle, SetErrorMode, GetCurrentThread, FreeLibrary, GetLastError, GetDriveTypeW, GetCurrentProcessId, LocalFree, TerminateProcess, ExpandEnvironmentStringsA, ExpandEnvironmentStringsW, GetCurrentProcess, GetCommandLineW, GetExitCodeProcess, SetLastError, GetModuleFileNameW, GetComputerNameW, GetCurrentThreadId, GetModuleHandleW, DeleteFileW, OpenMutexA, HeapReAlloc, GetSystemTimeAsFileTime, Sleep, ExitProcess, GetStartupInfoW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, InterlockedDecrement, WriteFile, GetStdHandle, GetModuleFileNameA, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, LoadLibraryA, InitializeCriticalSectionAndSpinCount, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, GetStartupInfoA, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, RtlUnwind, GetLocaleInfoA, WideCharToMultiByte, VirtualAlloc, GetStringTypeA, MultiByteToWideChar, GetStringTypeW, LCMapStringA, LCMapStringW |
Version Infos |
---|
Description | Data |
---|---|
LegalCopyright | Copyright (C) 2016 |
InternalName | d |
FileVersion | 1, 0, 0, 6 |
ProductName | Egistec Application |
ProductVersion | 1, 0, 0, 6 |
FileDescription | Egistec |
OriginalFilename | Egistec.exe |
Translation | 0x0000 0x04b0 |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Russian | Russia | |
English | United States |
Network Behavior |
---|
No network behavior found |
---|
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 22:40:33 |
Start date: | 13/07/2016 |
Path: | C:\blakaka.exe |
Wow64 process (32bit): | false |
Commandline: | unknown |
Imagebase: | 0x400000 |
File size: | 294400 bytes |
MD5 hash: | 564AC87CA4114EDD6A84A005092F1285 |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 22:40:33 |
Start date: | 13/07/2016 |
Path: | C:\WINDOWS\system32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | /C C:\WINDOWS\system32\ping.exe 0.0.0.0 & copy /B /Y C:\blakaka.exe C:\Dokumente und Einstellungen\Administrator\Startmenü\Programme\Autostart\puntosw.exe |
Imagebase: | 0x4ad00000 |
File size: | 401920 bytes |
MD5 hash: | 9B890F756D087991322464912FE68E75 |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 22:40:33 |
Start date: | 13/07/2016 |
Path: | C:\WINDOWS\system32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | /C C:\blakaka.exe 1 2 3 |
Imagebase: | 0x4ad00000 |
File size: | 401920 bytes |
MD5 hash: | 9B890F756D087991322464912FE68E75 |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 22:40:33 |
Start date: | 13/07/2016 |
Path: | C:\WINDOWS\system32\ping.exe |
Wow64 process (32bit): | false |
Commandline: | C:\WINDOWS\system32\ping.exe 0.0.0.0 |
Imagebase: | 0x1000000 |
File size: | 18944 bytes |
MD5 hash: | 820DB7D330EC730440B09419F3E6B67B |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 22:40:33 |
Start date: | 13/07/2016 |
Path: | C:\blakaka.exe |
Wow64 process (32bit): | false |
Commandline: | C:\blakaka.exe 1 2 3 |
Imagebase: | 0x7e360000 |
File size: | 294400 bytes |
MD5 hash: | 564AC87CA4114EDD6A84A005092F1285 |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 22:40:34 |
Start date: | 13/07/2016 |
Path: | C:\WINDOWS\system32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | /C C:\WINDOWS\system32\reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Control\Session Manager /f /v BootExecute /t REG_MULTI_SZ /d autocheck autochk *\0C:\WINDOWS\Temp:1\0 |
Imagebase: | 0x4ad00000 |
File size: | 401920 bytes |
MD5 hash: | 9B890F756D087991322464912FE68E75 |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 22:40:34 |
Start date: | 13/07/2016 |
Path: | C:\WINDOWS\system32\reg.exe |
Wow64 process (32bit): | false |
Commandline: | C:\WINDOWS\system32\reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Control\Session Manager /f /v BootExecute /t REG_MULTI_SZ /d autocheck autochk *\0C:\WINDOWS\Temp:1\0 |
Imagebase: | 0x1000000 |
File size: | 53248 bytes |
MD5 hash: | 3DF60FE856C8221891817037D603D9A0 |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 22:40:34 |
Start date: | 13/07/2016 |
Path: | C:\WINDOWS\system32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | /C C:\WINDOWS\system32\reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Control\Session Manager /f /v SetupExecute /t REG_MULTI_SZ /d C:\WINDOWS\Temp:1\0 |
Imagebase: | 0x4ad00000 |
File size: | 401920 bytes |
MD5 hash: | 9B890F756D087991322464912FE68E75 |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 22:40:34 |
Start date: | 13/07/2016 |
Path: | C:\WINDOWS\system32\reg.exe |
Wow64 process (32bit): | false |
Commandline: | C:\WINDOWS\system32\reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Control\Session Manager /f /v SetupExecute /t REG_MULTI_SZ /d C:\WINDOWS\Temp:1\0 |
Imagebase: | 0x1000000 |
File size: | 53248 bytes |
MD5 hash: | 3DF60FE856C8221891817037D603D9A0 |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 22:40:35 |
Start date: | 13/07/2016 |
Path: | C:\WINDOWS\system32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | /C C:\WINDOWS\System32\attrib.exe -H -S C:\WINDOWS\bootstat.dat |
Imagebase: | 0x4ad00000 |
File size: | 401920 bytes |
MD5 hash: | 9B890F756D087991322464912FE68E75 |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 22:40:35 |
Start date: | 13/07/2016 |
Path: | C:\WINDOWS\system32\attrib.exe |
Wow64 process (32bit): | false |
Commandline: | C:\WINDOWS\System32\attrib.exe -H -S C:\WINDOWS\bootstat.dat |
Imagebase: | 0x1000000 |
File size: | 12288 bytes |
MD5 hash: | 423D8261BDDC5C639EA12FFAFA70B626 |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 22:40:35 |
Start date: | 13/07/2016 |
Path: | C:\WINDOWS\system32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | /C copy /B /Y C:\WINDOWS\bootstat.dat C:\WINDOWS\bootstat2.dat |
Imagebase: | 0x4ad00000 |
File size: | 401920 bytes |
MD5 hash: | 9B890F756D087991322464912FE68E75 |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 22:40:36 |
Start date: | 13/07/2016 |
Path: | C:\blakaka.exe |
Wow64 process (32bit): | false |
Commandline: | health |
Imagebase: | 0x400000 |
File size: | 294400 bytes |
MD5 hash: | 564AC87CA4114EDD6A84A005092F1285 |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 22:40:36 |
Start date: | 13/07/2016 |
Path: | C:\WINDOWS\system32\netsh.exe |
Wow64 process (32bit): | false |
Commandline: | winsock reset |
Imagebase: | 0x7c800000 |
File size: | 88064 bytes |
MD5 hash: | 5D3B646CA77DCFA25020C041D9C7F7BE |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 22:40:36 |
Start date: | 13/07/2016 |
Path: | C:\WINDOWS\system32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | /C C:\WINDOWS\system32\ping.exe 0.0.0.0 & C:\WINDOWS\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /f /v HideSCAHealth /t REG_DWORD /d 0x1 |
Imagebase: | 0x4ad00000 |
File size: | 401920 bytes |
MD5 hash: | 9B890F756D087991322464912FE68E75 |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 22:40:36 |
Start date: | 13/07/2016 |
Path: | C:\WINDOWS\system32\ping.exe |
Wow64 process (32bit): | false |
Commandline: | C:\WINDOWS\system32\ping.exe 0.0.0.0 |
Imagebase: | 0x7c910000 |
File size: | 18944 bytes |
MD5 hash: | 820DB7D330EC730440B09419F3E6B67B |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 22:40:38 |
Start date: | 13/07/2016 |
Path: | C:\WINDOWS\system32\netsh.exe |
Wow64 process (32bit): | false |
Commandline: | firewall set opmode mode = DISABLE profile = ALL |
Imagebase: | 0x1800000 |
File size: | 88064 bytes |
MD5 hash: | 5D3B646CA77DCFA25020C041D9C7F7BE |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 22:40:40 |
Start date: | 13/07/2016 |
Path: | C:\WINDOWS\system32\reg.exe |
Wow64 process (32bit): | false |
Commandline: | C:\WINDOWS\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /f /v HideSCAHealth /t REG_DWORD /d 0x1 |
Imagebase: | 0x1000000 |
File size: | 53248 bytes |
MD5 hash: | 3DF60FE856C8221891817037D603D9A0 |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 22:40:40 |
Start date: | 13/07/2016 |
Path: | C:\WINDOWS\system32\netsh.exe |
Wow64 process (32bit): | false |
Commandline: | advfirewall set allprofiles state off |
Imagebase: | 0x1800000 |
File size: | 88064 bytes |
MD5 hash: | 5D3B646CA77DCFA25020C041D9C7F7BE |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 22:40:52 |
Start date: | 13/07/2016 |
Path: | C:\WINDOWS\system32\shutdown.exe |
Wow64 process (32bit): | false |
Commandline: | -r -t 1 -f |
Imagebase: | 0x1000000 |
File size: | 20480 bytes |
MD5 hash: | 3BF481992A701173252D88DBD00BDEE6 |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 22:40:53 |
Start date: | 13/07/2016 |
Path: | C:\WINDOWS\system32\logonui.exe |
Wow64 process (32bit): | |
Commandline: | unknown |
Imagebase: | |
File size: | 515072 bytes |
MD5 hash: | F2FBB810CEE3E25F8F923959C400E457 |
Programmed in: | C, C++ or other language |
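The process list above records the sample's persistence and defence-evasion chain: a copy into the user's Autostart folder, reg.exe rewriting the Session Manager BootExecute and SetupExecute values so that an NTFS alternate data stream (C:\WINDOWS\Temp:1) runs at boot, the firewall switched off through both netsh syntaxes, Security Center alerts hidden, and a forced reboot. The triage below is an added example, not code from Joe Sandbox or from the sample. Its record list is constructed from the command lines in this report; the rule names, severities and the clean-system BootExecute baseline are assumptions of this example and should be checked against a known-good host before reuse.

```python
"""Triage of sandbox process records for boot-time persistence and
defence-evasion indicators (added example; not part of the report)."""
import re
from dataclasses import dataclass

# Assumed baseline for the Session Manager BootExecute value on a clean host.
DEFAULT_BOOT_EXECUTE = {"autocheck autochk *"}

# Constructed sample input: (image path, command line) pairs as reported above.
SAMPLE_RECORDS = [
    (r"C:\WINDOWS\system32\cmd.exe",
     r"/C C:\WINDOWS\system32\ping.exe 0.0.0.0 & copy /B /Y C:\blakaka.exe "
     r"C:\Dokumente und Einstellungen\Administrator\Startmenü\Programme\Autostart\puntosw.exe"),
    (r"C:\WINDOWS\system32\reg.exe",
     r"C:\WINDOWS\system32\reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Control\Session Manager "
     r"/f /v BootExecute /t REG_MULTI_SZ /d autocheck autochk *\0C:\WINDOWS\Temp:1\0"),
    (r"C:\WINDOWS\system32\reg.exe",
     r"C:\WINDOWS\system32\reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Control\Session Manager "
     r"/f /v SetupExecute /t REG_MULTI_SZ /d C:\WINDOWS\Temp:1\0"),
    (r"C:\WINDOWS\system32\attrib.exe", r"C:\WINDOWS\System32\attrib.exe -H -S C:\WINDOWS\bootstat.dat"),
    (r"C:\WINDOWS\system32\netsh.exe", "firewall set opmode mode = DISABLE profile = ALL"),
    (r"C:\WINDOWS\system32\netsh.exe", "advfirewall set allprofiles state off"),
    (r"C:\WINDOWS\system32\reg.exe",
     r"C:\WINDOWS\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "
     r"/f /v HideSCAHealth /t REG_DWORD /d 0x1"),
    (r"C:\WINDOWS\system32\shutdown.exe", "-r -t 1 -f"),
    (r"C:\WINDOWS\system32\ping.exe", r"C:\WINDOWS\system32\ping.exe 0.0.0.0"),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str  # low / medium / high
    evidence: str


def parse_reg_add(cmdline):
    """Extract key, /v, /t and /d from an unquoted 'reg.exe ADD ...' line. The key
    may contain spaces (Session Manager), so it is read up to the first switch."""
    m = re.search(r"\bADD\s+(?P<key>.+?)\s+(?=/)", cmdline, re.IGNORECASE)
    if not m:
        return None
    switches = cmdline[m.end():]

    def switch(name, rest_of_line=False):
        pat = rf"/{name}\s+(.*)$" if rest_of_line else rf"/{name}\s+(\S+)"
        hit = re.search(pat, switches, re.IGNORECASE)
        return hit.group(1).strip() if hit else None

    return {"key": m.group("key"), "value": switch("v"),
            "type": switch("t"), "data": switch("d", rest_of_line=True)}


def split_multi_sz(data):
    """reg.exe separates REG_MULTI_SZ entries with the literal two characters
    backslash-zero; a trailing separator yields an empty entry that is dropped."""
    return [entry for entry in data.split("\\0") if entry]


# Drive-rooted path whose final component carries an NTFS stream suffix (Temp:1).
ADS_PATH_RE = re.compile(r"^[A-Za-z]:\\[^:]*:[^\\:]+$")


def has_alternate_data_stream(path):
    return bool(ADS_PATH_RE.match(path))


def triage(records):
    """Apply the rules to (image, command line) records; findings keep record order."""
    findings = []
    for image, cmd in records:
        exe = image.rsplit("\\", 1)[-1].lower()
        low, args = cmd.lower(), cmd.lower().split()
        if exe == "reg.exe":
            add = parse_reg_add(cmd)
            if add is None:
                continue
            key, value = add["key"].lower(), (add["value"] or "").lower()
            data = add["data"] or ""
            if key.endswith("\\session manager") and value in ("bootexecute", "setupexecute"):
                # Entries beyond the baseline are run by smss.exe as native images
                # before the Win32 subsystem (and any user-mode AV) is up.
                extra = [e for e in split_multi_sz(data) if e not in DEFAULT_BOOT_EXECUTE]
                if extra:
                    findings.append(Finding("session_manager_boot_persistence", "high",
                                            f"{add['value']} += {extra}"))
                findings.extend(Finding("payload_in_alternate_data_stream", "high", e)
                                for e in extra if has_alternate_data_stream(e))
            elif value == "hidescahealth" and data.lower() in ("1", "0x1"):
                findings.append(Finding("security_center_alerts_hidden", "medium", add["key"]))
        elif exe == "netsh.exe" and ("firewall set opmode mode = disable" in low
                                     or "advfirewall set allprofiles state off" in low):
            findings.append(Finding("host_firewall_disabled", "high", cmd))
        elif exe == "attrib.exe" and "-h" in args and "-s" in args:
            findings.append(Finding("system_file_attributes_cleared", "low", cmd))
        elif exe == "shutdown.exe" and "-r" in args and "-f" in args:
            findings.append(Finding("forced_reboot", "medium", cmd))
        elif exe == "cmd.exe" and "copy " in low and re.search(r"\\(autostart|startup)\\", low):
            findings.append(Finding("startup_folder_copy", "high", cmd))
        elif exe == "ping.exe" and re.search(r"\b(0\.0\.0\.0|127\.0\.0\.1)\b", cmd):
            findings.append(Finding("ping_used_as_delay", "low", cmd))
    return findings
```

Run on the constructed records this yields eleven findings, two of them for the BootExecute and SetupExecute rewrites and two more for the stream path they point at. The startup-folder rule matches both the German Autostart and the English Startup folder name, since the report's analysis system is a German XP installation; the ping rule is low severity on its own because `ping 0.0.0.0` is only a crude delay, but it is a useful correlation key for the chained cmd.exe lines above.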
Disassembly |
---|
Code Analysis |
---|
Execution Graph |
---|
Execution Coverage: | 13.7% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 7.4% |
Total number of Nodes: | 1144 |
Total number of Limit Nodes: | 13 |
Executed Functions |
---|
Non-executed Functions |
---|
Execution Graph |
---|
Execution Coverage: | 17.5% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 2.9% |
Total number of Nodes: | 1193 |
Total number of Limit Nodes: | 12 |
Executed Functions |
---|
Non-executed Functions |
---|
Execution Graph |
---|
Execution Coverage: | 12.7% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 3.7% |
Total number of Nodes: | 1141 |
Total number of Limit Nodes: | 13 |
Executed Functions |
---|
Non-executed Functions |
---|