Analysis Report
Overview
General Information |
---|
Joe Sandbox Version: | 20.0.0 |
Analysis ID: | 46216 |
Start time: | 21:37:49 |
Joe Sandbox Product: | CloudBasic |
Start date: | 12.02.2018 |
Overall analysis duration: | 0h 8m 27s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | winlogon.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1) |
Number of new started processes analysed: | 26 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies |
Detection: | MAL |
Classification: | mal100.evad.spre.rans.spyw.troj.winEXE@34/9@31/10 |
HCA Information: |
EGA Information: |
HDC Information: |
Cookbook Comments: |
Warnings: |
Detection |
---|
Strategy | Score | Range | Reporting | Detection |
---|---|---|---|---|
Threshold | 100 | 0 - 100 | Report FP / FN | |
Confidence |
---|
Strategy | Score | Range | Further Analysis Required? | Confidence |
---|---|---|---|---|
Threshold | 5 | 0 - 5 | false | |
Classification |
---|
Analysis Advice |
---|
None of the domains contacted by the sample resolve. The sample is likely an old dropper which no longer works |
Sample drops PE files which have not been started; submit the dropped PE samples to Joe Sandbox for a secondary analysis |
Sample may offer command line options; please run it with the 'Execute binary with arguments' cookbook (it is possible that the command line switches require additional characters such as "-", "/" or "--") |
Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior |
Signature Overview |
---|
AV Detection: |
---|
Antivirus detection for dropped file |
Source: C:\Users\HERBBL~1\AppData\Local\Temp\_usm.exe | virustotal: |
Antivirus detection for submitted file |
Source: winlogon.exe | virustotal: |
Cryptography: |
---|
Uses Microsoft's Enhanced Cryptographic Provider |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: | 1_2_00D64140 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_10001D60 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_100010C0 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_10001200 |
Spam, unwanted Advertisements and Ransom Demands: |
---|
Deletes shadow drive data (may be related to ransomware) |
Source: unknown | Process created: | ||
Source: winlogon.exe | Binary or memory string: | ||
Source: _usm.exe | Binary or memory string: | ||
Source: C:\Windows\System32\cmd.exe | Process created: | ||
Source: cmd.exe | Binary or memory string: | ||
Source: cmd.exe | Binary or memory string: | ||
Source: cmd.exe | Binary or memory string: | ||
Source: cmd.exe | Binary or memory string: | ||
Source: cmd.exe | Binary or memory string: | ||
Source: cmd.exe | Binary or memory string: | ||
Source: vssadmin.exe | Binary or memory string: | ||
Source: vssadmin.exe | Binary or memory string: | ||
Source: vssadmin.exe | Binary or memory string: | ||
Source: vssadmin.exe | Binary or memory string: | ||
Source: vssadmin.exe | Binary or memory string: | ||
Source: vssadmin.exe | Binary or memory string: | ||
Source: vssadmin.exe | Binary or memory string: | ||
Source: vssadmin.exe | Binary or memory string: | ||
Source: _usm.exe.1.dr | Binary or memory string: |
May disable shadow drive data (uses vssadmin) |
Source: unknown | Process created: | ||
Source: C:\Windows\System32\cmd.exe | Process created: |
Networking: |
---|
Performs DNS lookups |
Source: unknown | DNS traffic detected: |
URLs found in memory or binary data |
Source: yegus.exe | String found in binary or memory: | ||
Source: yegus.exe | String found in binary or memory: | ||
Source: yegus.exe | String found in binary or memory: | ||
Source: yegus.exe | String found in binary or memory: | ||
Source: yegus.exe | String found in binary or memory: | ||
Source: yegus.exe | String found in binary or memory: | ||
Source: yegus.exe | String found in binary or memory: | ||
Source: yegus.exe | String found in binary or memory: | ||
Source: yegus.exe | String found in binary or memory: | ||
Source: yegus.exe | String found in binary or memory: | ||
Source: yegus.exe | String found in binary or memory: | ||
Source: yegus.exe | String found in binary or memory: | ||
Source: yegus.exe | String found in binary or memory: | ||
Source: yegus.exe | String found in binary or memory: | ||
Source: yegus.exe | String found in binary or memory: | ||
Source: yegus.exe | String found in binary or memory: | ||
Source: yegus.exe | String found in binary or memory: | ||
Source: winlogon.exe, _wjg.exe.1.dr | String found in binary or memory: | ||
Source: yegus.exe | String found in binary or memory: | ||
Source: yegus.exe | String found in binary or memory: | ||
Source: yegus.exe | String found in binary or memory: | ||
Source: yegus.exe | String found in binary or memory: | ||
Source: yegus.exe | String found in binary or memory: |
Tries to resolve domain names, but no domain seems valid (expired dropper behavior) |
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: |
Tries to resolve many domain names, but no domain seems valid |
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: | ||
Source: unknown | DNS traffic detected: |
Stealing of Sensitive Information: |
---|
Contains functionality to dump credential hashes (LSA Dump) |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: | 3_2_100114D0 |
Contains functionality to steal Chrome passwords |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_10001FB0 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_10001FB0 |
Contains functionality to steal Internet Explorer form passwords |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_10082020 |
Tries to harvest and steal browser information (history, passwords, etc.) |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | File opened: | ||
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | File opened: | ||
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | File opened: | ||
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | File opened: | ||
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | File opened: | ||
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | File opened: |
Persistence and Installation Behavior: |
---|
Drops PE files |
Source: C:\Users\user\Desktop\winlogon.exe | File created: | ||
Source: C:\Users\user\Desktop\winlogon.exe | File created: | ||
Source: C:\Users\user\Desktop\winlogon.exe | File created: | ||
Source: C:\Users\user\Desktop\winlogon.exe | File created: | ||
Source: C:\Users\user\Desktop\winlogon.exe | File created: |
May use bcdedit to modify the Windows boot settings |
Source: winlogon.exe | Binary or memory string: | ||
Source: _usm.exe | Binary or memory string: | ||
Source: _usm.exe | Binary or memory string: | ||
Source: cmd.exe | Binary or memory string: | ||
Source: cmd.exe | Binary or memory string: | ||
Source: cmd.exe | Binary or memory string: | ||
Source: cmd.exe | Binary or memory string: | ||
Source: cmd.exe | Binary or memory string: | ||
Source: cmd.exe | Binary or memory string: | ||
Source: cmd.exe | Binary or memory string: | ||
Source: cmd.exe | Binary or memory string: | ||
Source: cmd.exe | Binary or memory string: | ||
Source: cmd.exe | Binary or memory string: | ||
Source: cmd.exe | Binary or memory string: | ||
Source: cmd.exe | Binary or memory string: | ||
Source: cmd.exe | Binary or memory string: | ||
Source: cmd.exe | Binary or memory string: | ||
Source: cmd.exe | Binary or memory string: | ||
Source: cmd.exe | Binary or memory string: | ||
Source: cmd.exe | Binary or memory string: | ||
Source: cmd.exe | Binary or memory string: | ||
Source: cmd.exe | Binary or memory string: | ||
Source: bcdedit.exe | Binary or memory string: | ||
Source: bcdedit.exe | Binary or memory string: | ||
Source: bcdedit.exe | Binary or memory string: | ||
Source: bcdedit.exe | Binary or memory string: | ||
Source: bcdedit.exe | Binary or memory string: | ||
Source: bcdedit.exe | Binary or memory string: | ||
Source: bcdedit.exe | Binary or memory string: | ||
Source: bcdedit.exe | Binary or memory string: | ||
Source: bcdedit.exe | Binary or memory string: | ||
Source: bcdedit.exe | Binary or memory string: | ||
Source: _usm.exe.1.dr | Binary or memory string: |
Uses bcdedit to modify the Windows boot settings |
Source: unknown | Process created: | ||
Source: unknown | Process created: | ||
Source: C:\Windows\System32\cmd.exe | Process created: | ||
Source: C:\Windows\System32\cmd.exe | Process created: |
Data Obfuscation: |
---|
Contains functionality to dynamically determine API calls |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: | 1_2_00D643A0 |
Uses code obfuscation techniques (call, push, ret) |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: | 1_2_00D6B6A9 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_01334909 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_10083449 | |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: | 3_2_00C51CF9 | |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: | 3_2_10001979 | |
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Code function: | 4_2_00142CD8 |
Spreading: |
---|
Contains functionality to enumerate / list files inside a directory |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: | 1_2_00D75F8F | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_01339A82 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_10088620 | |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: | 3_2_00C5850A | |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: | 3_2_10008EEC | |
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Code function: | 4_2_00141441 |
Creates COM task schedule object (often to register a task for autostart) |
Source: C:\Windows\System32\wbengine.exe | Key opened: | ||
Source: C:\Windows\System32\wbengine.exe | Key opened: | ||
Source: C:\Windows\System32\wbengine.exe | Key opened: | ||
Source: C:\Windows\System32\wbengine.exe | Key opened: | ||
Source: C:\Windows\System32\wbengine.exe | Key opened: | ||
Source: C:\Windows\System32\wbengine.exe | Key opened: | ||
Source: C:\Windows\System32\wbengine.exe | Key opened: | ||
Source: C:\Windows\System32\wbengine.exe | Key opened: | ||
Source: C:\Windows\System32\wbengine.exe | Key opened: |
Found PSEXEC tool (often used for remote process execution) |
Source: winlogon.exe | String found in binary or memory: | ||
Source: _wjg.exe.1.dr | String found in binary or memory: |
System Summary: |
---|
Submission file is bigger than most known malware samples |
Source: winlogon.exe | Static file information: |
PE file has a big raw section |
Source: winlogon.exe | Static PE information: |
PE file contains a mix of data directories often seen in goodware |
Source: winlogon.exe | Static PE information: | ||
Source: winlogon.exe | Static PE information: | ||
Source: winlogon.exe | Static PE information: | ||
Source: winlogon.exe | Static PE information: | ||
Source: winlogon.exe | Static PE information: | ||
Source: winlogon.exe | Static PE information: |
Contains modern PE file flags such as dynamic base (ASLR) or NX |
Source: winlogon.exe | Static PE information: |
PE file contains a debug data directory |
Source: winlogon.exe | Static PE information: |
Binary contains paths to debug symbols |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
PE file contains a valid data directory to section mapping |
Source: winlogon.exe | Static PE information: | ||
Source: winlogon.exe | Static PE information: | ||
Source: winlogon.exe | Static PE information: | ||
Source: winlogon.exe | Static PE information: | ||
Source: winlogon.exe | Static PE information: |
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication) |
Source: _wjg.exe.1.dr | Binary string: | ||
Source: _wjg.exe.1.dr | Binary string: |
Classification label |
Source: classification engine | Classification label: |
Contains functionality to adjust token privileges (e.g. debug / backup) |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: | 1_2_00D62B90 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_013335E0 | |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: | 3_2_00C61A30 | |
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Code function: | 4_2_001416E9 |
Contains functionality to instantiate COM classes |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: | 1_2_00D64C30 |
Contains functionality to load and extract PE file embedded resources |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: | 1_2_00D6AAD0 |
Contains functionality to modify services (start/stop/modify) |
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Code function: | 4_2_001412E8 |
Creates files inside the user directory |
Source: C:\Users\user\Desktop\winlogon.exe | File created: |
Creates temporary files |
Source: C:\Users\user\Desktop\winlogon.exe | File created: |
Might use command line arguments |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Command line argument: | 2_2_013338C0 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Command line argument: | 2_2_013338C0 | |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Command line argument: | 3_2_00C61EC0 | |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Command line argument: | 3_2_00C61EC0 | |
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Command line argument: | 4_2_001416E9 | |
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Command line argument: | 4_2_001416E9 | |
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Command line argument: | 4_2_001416E9 |
PE file has an executable .text section and no other executable section |
Source: winlogon.exe | Static PE information: |
Reads ini files |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | File read: |
Reads software policies |
Source: C:\Users\user\Desktop\winlogon.exe | Key opened: |
SQL strings found in memory and binary data |
Source: yegus.exe | Binary or memory string: | ||
Source: yegus.exe | Binary or memory string: | ||
Source: yegus.exe | Binary or memory string: | ||
Source: yegus.exe | Binary or memory string: | ||
Source: yegus.exe | Binary or memory string: | ||
Source: yegus.exe | Binary or memory string: | ||
Source: yegus.exe | Binary or memory string: |
Sample is known by Antivirus (Virustotal or Metascan) |
Source: winlogon.exe | Virustotal: |
Spawns processes |
Source: unknown | Process created: | ||
Source: unknown | Process created: | ||
Source: unknown | Process created: | ||
Source: unknown | Process created: | ||
Source: unknown | Process created: | ||
Source: unknown | Process created: | ||
Source: unknown | Process created: | ||
Source: unknown | Process created: | ||
Source: unknown | Process created: | ||
Source: unknown | Process created: | ||
Source: unknown | Process created: | ||
Source: unknown | Process created: | ||
Source: unknown | Process created: | ||
Source: unknown | Process created: | ||
Source: unknown | Process created: | ||
Source: unknown | Process created: | ||
Source: unknown | Process created: | ||
Source: unknown | Process created: | ||
Source: unknown | Process created: | ||
Source: unknown | Process created: | ||
Source: C:\Users\user\Desktop\winlogon.exe | Process created: | ||
Source: C:\Users\user\Desktop\winlogon.exe | Process created: | ||
Source: C:\Users\user\Desktop\winlogon.exe | Process created: | ||
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Process created: | ||
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Process created: | ||
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Process created: | ||
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Process created: | ||
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Process created: | ||
Source: C:\Windows\System32\cmd.exe | Process created: | ||
Source: C:\Windows\System32\cmd.exe | Process created: | ||
Source: C:\Windows\System32\cmd.exe | Process created: | ||
Source: C:\Windows\System32\cmd.exe | Process created: | ||
Source: C:\Windows\System32\cmd.exe | Process created: | ||
Source: C:\Windows\System32\cmd.exe | Process created: |
Uses an in-process (OLE) Automation server |
Source: C:\Users\user\Desktop\winlogon.exe | Key value queried: |
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011) |
Source: winlogon.exe | Static PE information: | ||
Source: yegus.exe.1.dr | Static PE information: | ||
Source: ucngw.exe.1.dr | Static PE information: | ||
Source: _yig.exe.1.dr | Static PE information: |
Contains functionality to call native functions |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: | 3_2_100147C0 | |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: | 3_2_10013CB0 | |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: | 3_2_100145E0 |
Creates files inside the system directory |
Source: C:\Windows\System32\wbadmin.exe | File created: |
Detected potential crypto function |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: | 1_2_00D7989E | |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: | 1_2_00D793F0 | |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: | 1_2_00D6F6CE | |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: | 1_2_00D7CF3F | |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: | 1_2_00D61110 | |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: | 1_2_00D69330 | |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: | 1_2_00D61870 | |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: | 1_2_00D68EE0 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_01331370 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_0133E8FF | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_013315E0 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_013310A0 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_01332B70 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_013332D0 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_10064140 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_100196A0 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_10029130 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_1003C880 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_10053C80 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_10065870 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_100804F0 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_10027050 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_10006022 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_10007870 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_10005C30 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_1006F810 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_10036CD0 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_1003B6A0 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_10008D50 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_10079459 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_10022AD0 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_10078060 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_10017050 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_10002200 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_1002DD28 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_10074780 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_10021F80 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_1001EBB0 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_1001CFF0 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_1008DE01 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_100722E0 | |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: | 3_2_00C5FC90 | |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: | 3_2_00C60F40 | |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: | 3_2_00C5D39F | |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: | 3_2_00C5FD20 | |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: | 3_2_00C61150 | |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: | 3_2_00C5F3F0 | |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: | 3_2_00C5F6A0 | |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: | 3_2_10004950 | |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: | 3_2_100039B3 | |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: | 3_2_1000F898 | |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: | 3_2_10003C10 | |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: | 3_2_1000B61E |
Enables security privileges |
Source: C:\Users\user\Desktop\winlogon.exe | Process token adjusted: |
Found potential string decryption / allocating functions |
PE file contains executable resources (Code or Archives) |
Source: _wjg.exe.1.dr | Static PE information: |
Reads the hosts file |
Source: C:\Users\user\Desktop\winlogon.exe | File read: | ||
Source: C:\Users\user\Desktop\winlogon.exe | File read: | ||
Source: C:\Users\user\Desktop\winlogon.exe | File read: | ||
Source: C:\Users\user\Desktop\winlogon.exe | File read: | ||
Source: C:\Users\user\Desktop\winlogon.exe | File read: | ||
Source: C:\Users\user\Desktop\winlogon.exe | File read: |
Sample file name is different from the original file name gathered from version info |
Source: winlogon.exe | Binary or memory string: | ||
Source: winlogon.exe | Binary or memory string: |
Sample reads its own file content |
Source: C:\Users\user\Desktop\winlogon.exe | File read: |
Tries to load missing DLLs |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Section loaded: | ||
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Section loaded: |
HIPS / PFW / Operating System Protection Evasion: |
---|
Contains functionality to execute programs as a different user |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: | 1_2_00D63920 |
Contains functionality to inject code into remote processes |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: | 1_2_00D65DD0 |
Contains functionality to inject threads in other processes |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: | 1_2_00D65DD0 |
Anti Debugging: |
---|
Contains functionality to register its own exception handler |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: | 1_2_00D6B598 | |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: | 1_2_00D6AE70 | |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: | 1_2_00D6B406 | |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: | 1_2_00D7009F | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_013347F1 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_013346A3 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_013340FB | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_013372DB | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_100827CB | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_1008657C | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_10083265 | |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: | 3_2_00C51BE9 | |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: | 3_2_00C54CBD | |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: | 3_2_00C514CB | |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: | 3_2_00C51A54 | |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: | 3_2_10001795 | |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: | 3_2_1000662D | |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: | 3_2_10001B37 | |
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Code function: | 4_2_001417EA | |
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Code function: | 4_2_0014333B |
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation)) |
Source: C:\Users\user\Desktop\winlogon.exe | System information queried: |
Contains functionality to check if a debugger is running (IsDebuggerPresent) |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: | 1_2_00D6B406 |
Contains functionality to dynamically determine API calls |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: | 1_2_00D643A0 |
Contains functionality to read the PEB |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: | 1_2_00D70D28 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_01337F59 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_10085756 | |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: | 3_2_00C558EB | |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: | 3_2_100051BB |
Contains functionality which may be used to detect a debugger (GetProcessHeap) |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: | 1_2_00D6A6F0 |
Enables debug privileges |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Process token adjusted: |
Malware Analysis System Evasion: |
---|
Contains functionality to enumerate / list files inside a directory |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: | 1_2_00D75F8F | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_01339A82 | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_10088620 | |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: | 3_2_00C5850A | |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: | 3_2_10008EEC | |
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Code function: | 4_2_00141441 |
Contains functionality to query system information |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_1000D3F0 |
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory) |
Source: wbadmin.exe | Binary or memory string: | ||
Source: wbadmin.exe | Binary or memory string: |
Program exit points |
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | API call chain: |
Queries a list of all running processes |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Process information queried: |
Contains functionality to enumerate running services |
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Code function: | 4_2_001412E8 |
Contains long sleeps (>= 3 min) |
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Thread delayed: |
Found dropped PE file which has not been started or loaded |
Source: C:\Users\user\Desktop\winlogon.exe | Dropped PE file which has not been started: | ||
Source: C:\Users\user\Desktop\winlogon.exe | Dropped PE file which has not been started: |
Found evasive API chain (may stop execution after checking a module file name) |
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Evasive API call chain: | ||
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Evasive API call chain: |
Found evasive API chain checking for process token information |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Check user administrative privileges: | |||
Source: C:\Users\user\Desktop\winlogon.exe | Check user administrative privileges: | graph_1-13588 | ||
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Check user administrative privileges: |
May sleep (evasive loops) to hinder dynamic analysis |
Source: C:\Users\user\Desktop\winlogon.exe TID: 3392 | Thread sleep time: | ||
Source: C:\Users\user\AppData\Local\Temp\yegus.exe TID: 3268 | Thread sleep time: | ||
Source: C:\Users\user\AppData\Local\Temp\_usm.exe TID: 3300 | Thread sleep time: | ||
Source: C:\Windows\System32\wbadmin.exe TID: 3460 | Thread sleep time: | ||
Source: C:\Windows\System32\wbadmin.exe TID: 3460 | Thread sleep time: | ||
Source: C:\Windows\System32\wbengine.exe TID: 3492 | Thread sleep count: | ||
Source: C:\Windows\System32\wbengine.exe TID: 3492 | Thread sleep time: | ||
Source: C:\Windows\System32\vdsldr.exe TID: 3520 | Thread sleep count: | ||
Source: C:\Windows\System32\vdsldr.exe TID: 3520 | Thread sleep time: | ||
Source: C:\Windows\System32\vdsldr.exe TID: 3520 | Thread sleep time: | ||
Source: C:\Windows\System32\vds.exe TID: 3548 | Thread sleep count: | ||
Source: C:\Windows\System32\vds.exe TID: 3548 | Thread sleep time: |
Sample execution stops while process was sleeping (likely an evasion) |
Source: C:\Windows\System32\vdsldr.exe | Last function: |
Hooking and other Techniques for Hiding and Protection: |
---|
Disables application error messages (SetErrorMode) |
Source: C:\Users\user\Desktop\winlogon.exe | Process information set: | ||
Source: C:\Users\user\Desktop\winlogon.exe | Process information set: | ||
Source: C:\Users\user\Desktop\winlogon.exe | Process information set: | ||
Source: C:\Users\user\Desktop\winlogon.exe | Process information set: | ||
Source: C:\Users\user\Desktop\winlogon.exe | Process information set: | ||
Source: C:\Users\user\Desktop\winlogon.exe | Process information set: | ||
Source: C:\Users\user\Desktop\winlogon.exe | Process information set: | ||
Source: C:\Users\user\Desktop\winlogon.exe | Process information set: | ||
Source: C:\Users\user\Desktop\winlogon.exe | Process information set: | ||
Source: C:\Windows\System32\cmd.exe | Process information set: | ||
Source: C:\Windows\System32\cmd.exe | Process information set: | ||
Source: C:\Windows\System32\cmd.exe | Process information set: | ||
Source: C:\Windows\System32\cmd.exe | Process information set: | ||
Source: C:\Windows\System32\cmd.exe | Process information set: | ||
Source: C:\Windows\System32\cmd.exe | Process information set: | ||
Source: C:\Windows\System32\cmd.exe | Process information set: | ||
Source: C:\Windows\System32\cmd.exe | Process information set: | ||
Source: C:\Windows\System32\cmd.exe | Process information set: |
Creates files inside the volume driver (system volume information) |
Source: C:\Windows\System32\wbengine.exe | File created: |
Language, Device and Operating System Detection: |
---|
Contains functionality to create pipes for IPC |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: | 1_2_00D634B0 |
Contains functionality to query local / system time |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: | 1_2_00D74EF7 |
Contains functionality to query time zone information |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: | 2_2_100879B6 |
Contains functionality to query windows version |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: | 1_2_00D65970 |
Queries the cryptographic machine GUID |
Source: C:\Users\user\Desktop\winlogon.exe | Key value queried: |
Contains functionality to query CPU information (cpuid) |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: | 1_2_00D6B6CE |
Queries the volume information (name, serial number etc) of a device |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Queries volume information: | ||
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Queries volume information: | ||
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Queries volume information: | ||
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Queries volume information: | ||
Source: C:\Windows\System32\cmd.exe | Queries volume information: |
Behavior Graph |
---|
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Antivirus Detection |
---|
Initial Sample |
---|
Source | Detection | Cloud |
---|---|---|
| 62% | virustotal |
Dropped Files |
---|
Source | Detection | Cloud |
---|---|---|
| 60% | virustotal |
| 0% | virustotal |
| 3% | metadefender |
Domains |
---|
Source | Detection | Cloud |
---|---|---|
| 0% | virustotal |
Yara Overview |
---|
Initial Sample |
---|
No yara matches |
---|
PCAP (Network Traffic) |
---|
No yara matches |
---|
Dropped Files |
---|
No yara matches |
---|
Memory Dumps |
---|
No yara matches |
---|
Unpacked PEs |
---|
No yara matches |
---|
Joe Sandbox View / Context |
---|
Screenshot |
---|
Startup |
---|
Created / dropped Files |
---|
File Type: | |
Size (bytes): | 36864 |
Entropy (8bit): | 5.891300526858096 |
Encrypted: | false |
MD5: | 3C0D740347B0362331C882C2DEE96DBF |
SHA1: | 8350E06F52E5C660BB416B03EDB6A5DDC50C3A59 |
SHA-256: | AE9A4E244A9B3C77D489DEE8AEAF35A7C3BA31B210E76D81EF2E91790F052C85 |
SHA-512: | A701F94B9CDEBCE6EFF2F82552EC7554BF10D99019F8BCD6871EBCA804D7519BDCFA3806AC7C7D8E604C3259C61C58B905293FA641C092A8FCA8245F91EB0F8F |
Malicious: | true |
Antivirus: |
Reputation: | low |
File Type: | |
Size (bytes): | 339096 |
Entropy (8bit): | 6.384232735880303 |
Encrypted: | false |
MD5: | 27304B246C7D5B4E149124D5F93C5B01 |
SHA1: | E50D9E3BD91908E13A26B3E23EDEAF577FB3A095 |
SHA-256: | 3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF |
SHA-512: | BEC172A2F92A95796199CFC83F544A78685B52A94061CE0FFB46B265070EE0BCC018C4F548F56018BF3FF1E74952811B2AFB6DF79AB8D09F1EC73C9477AF636B |
Malicious: | false |
Antivirus: | |
Reputation: | low |
File Type: | |
Size (bytes): | 3723264 |
Entropy (8bit): | 7.9213131085726545 |
Encrypted: | false |
MD5: | 56E50AD3D0746E4A4B1458506DACF2E7 |
SHA1: | 0B818B27FD4C1656F43B288C29C510F0BABF939A |
SHA-256: | 131BA113ED14E999275B0CC7C932277EF7CA944888F928EE8DB50333420CA3BC |
SHA-512: | 69FE8FC3039C5503D15C8AE77E9B4D4DFA457D2DBF52289B6A5FBB83278713EA3AF63246F64E74B021BE6A7C67E2089702FC97F3EFD4C349CFEB5C44CA57BC04 |
Malicious: | false |
Reputation: | low |
File Type: | |
Size (bytes): | 26 |
Entropy (8bit): | 3.9500637564362093 |
Encrypted: | false |
MD5: | 187F488E27DB4AF347237FE461A079AD |
SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
Malicious: | false |
Reputation: | high, very likely benign file |
File Type: | |
Size (bytes): | 18432 |
Entropy (8bit): | 0.8481809040173017 |
Encrypted: | false |
MD5: | 727EB3BA54F16CB4C7C19AB1101B8802 |
SHA1: | 8702933960447F3FB8423E9F9F8FEF2C23D6B7AB |
SHA-256: | 255F5314D835CBDC33B46216B083C3FA4DD7F61B27F48B539B41341EF0911423 |
SHA-512: | FB079623312587E70AE2263FFCC9C12C492332CE6D048A85DD1B32C15535A6CF8E9D67AE146D01862B1C50B297EED0A07042AC19A4FC8838E534BCFEBFC77BE2 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
File Type: | |
Size (bytes): | 231424 |
Entropy (8bit): | 7.52549984722154 |
Encrypted: | false |
MD5: | 6E0EBEEEA1CB00192B074B288A4F9CFE |
SHA1: | 21CA710ED3BC536BD5394F0BFF6D6140809156CF |
SHA-256: | A52AF66A4438C5517870C503AC1E0515AF44D3994AA62C7D818B6EEF46CFBB2D |
SHA-512: | BBB24AAC7EF5B5E8CF8934666D02C1E51980DB3C4703FEC1F240BAE35E1C8517E19736D8F2E27A9ED77D8A6881C2C3A5A3653E66425E7058B2985063FC38949C |
Malicious: | false |
Reputation: | low |
File Type: | |
Size (bytes): | 769536 |
Entropy (8bit): | 7.930796192224973 |
Encrypted: | false |
MD5: | 4F43F03783F9789F804DCF9B9474FA6D |
SHA1: | 492D4A4A74099074E26B5DFFD0D15434009CCFD9 |
SHA-256: | 19AB44A1343DB19741B0E0B06BACCE55990B6C8F789815DAAF3476E0CC30EBEA |
SHA-512: | 645C2F0A1342732B86A45403FB8B1343BCC18C015C9918D2EDF118BBB210FEAD98AA21F1B66AC5FAABD0542583D74E158FBAC6D5F0D49827F4EEB58C8EBAFD6D |
Malicious: | false |
Reputation: | low |
File Type: | |
Size (bytes): | 12 |
Entropy (8bit): | 2.125814583693911 |
Encrypted: | false |
MD5: | 177C7293D42D1C9C48678AB79D034F1E |
SHA1: | C828BAEF11CC61FC91D29D00AB980FBBA9A3BD42 |
SHA-256: | 7E1246792C8DFE9E1F254115344159F0A800EBD273F678E7036F10FCAC0CD377 |
SHA-512: | DF3A4FCBDB220FDD26301A5B4DF68A15CB6DE5D748C86E1E340268D3F7C0384323E7A792DFBE8BADB1523339994CFFFEE1E94D7C64557DD47546C466B559D557 |
Malicious: | false |
File Type: | |
Size (bytes): | 0 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
MD5: | D41D8CD98F00B204E9800998ECF8427E |
SHA1: | DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 |
SHA-256: | E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 |
SHA-512: | CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E |
Malicious: | false |
Contacted Domains/Contacted IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection |
---|---|---|---|---|
252.0.0.224.in-addr.arpa | unknown | unknown | true | 0%, virustotal |
252.0.0.224.in-addr.arpa is the reverse-lookup name of 224.0.0.252, the LLMNR multicast group. A PTR query for it is routine Windows name-resolution traffic, so the "Malicious: true" flag on this row should not be read as a command-and-control indicator; the network activity worth attention in this report is the series of connection attempts to TCP port 135 on the 192.168.2.0/24 neighbours listed under Contacted IPs.
Contacted IPs |
---|
IP | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
192.168.2.238 | unknown | unknown | unknown | false | |
192.168.2.240 | unknown | unknown | unknown | false | |
192.168.2.250 | unknown | unknown | unknown | false | |
192.168.2.252 | unknown | unknown | unknown | false | |
192.168.2.244 | unknown | unknown | unknown | false | |
8.8.8.8 | United States | 15169 | GOOGLE-GoogleIncUS | false | |
192.168.2.254 | unknown | unknown | unknown | false | |
192.168.2.242 | unknown | unknown | unknown | false | |
192.168.2.248 | unknown | unknown | unknown | false | |
192.168.2.246 | unknown | unknown | unknown | false |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.9213131085726545 |
TrID: |
File name: | winlogon.exe |
File size: | 1861632 |
MD5: | cfdd16225e67471f5ef54cab9b3a5558 |
SHA1: | 26de43cc558a4e0e60eddd4dc9321bcb5a0a181c |
SHA256: | edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9 |
SHA512: | e1855a872f4db7c17eb22130d9cb205eddde641f1b39ea5de97dfb762fc97dc2347bc6e6e88b9c5a303e1540b4b4bdb19c839c7d3e237348adbfa4b942f24adb |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;E..hE..hE..h.._hO..h..]h...h..\h]..h.6ihD..h~..iQ..h~..ii..h~..iV..hL.-hF..hL.=hP..hE..h...h...iV..h..QhD..hE.9hD..h...iD.. |
File Icon |
---|
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x40ae66 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE |
DLL Characteristics: | TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x5A4387AF [Wed Dec 27 11:44:47 2017 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | 975087e9286238a80895b195efb3968d |
Entrypoint Preview |
---|
The listing below is the standard MSVC CRT start-up stub rather than sample-specific logic: the entry point is a `call __security_init_cookie` followed by a `jmp` into the CRT's common main routine, and the code after it is `__raise_securityfailure` (SetUnhandledExceptionFilter(NULL), UnhandledExceptionFilter, then TerminateProcess with 0xC0000409 = STATUS_STACK_BUFFER_OVERRUN) and `__report_gsfailure` (IsProcessorFeaturePresent(0x17 = PF_FASTFAIL_AVAILABLE), then `int 29h` with ecx = 2, the FAST_FAIL_STACK_COOKIE_CHECK_FAILURE fast-fail, otherwise a register snapshot into the CRT's context record). All of the imports it relies on appear in the Imports table. The sample's own code lies further into .text; the 1.6 MB of incompressible BIN resources in .rsrc (see Sections and Resources) is the likely home of the payloads that the behaviour section reports as dropped PE files.
Instruction |
---|
call 00007FC5206B76CFh |
jmp 00007FC5206B70D3h |
push ebp |
mov ebp, esp |
push 00000000h |
call dword ptr [0041F188h] |
push dword ptr [ebp+08h] |
call dword ptr [0041F184h] |
push C0000409h |
call dword ptr [0041F124h] |
push eax |
call dword ptr [0041F114h] |
pop ebp |
ret |
push ebp |
mov ebp, esp |
sub esp, 00000324h |
push 00000017h |
call 00007FC5206C98A3h |
test eax, eax |
je 00007FC5206B7247h |
push 00000002h |
pop ecx |
int 29h |
mov dword ptr [00430CC8h], eax |
mov dword ptr [00430CC4h], ecx |
mov dword ptr [00430CC0h], edx |
mov dword ptr [00430CBCh], ebx |
mov dword ptr [00430CB8h], esi |
mov dword ptr [00430CB4h], edi |
mov word ptr [00430CE0h], ss |
mov word ptr [00430CD4h], cs |
mov word ptr [00430CB0h], ds |
mov word ptr [00430CACh], es |
mov word ptr [00430CA8h], fs |
mov word ptr [00430CA4h], gs |
pushfd |
pop dword ptr [00430CD8h] |
mov eax, dword ptr [ebp+00h] |
mov dword ptr [00430CCCh], eax |
mov eax, dword ptr [ebp+04h] |
mov dword ptr [00430CD0h], eax |
lea eax, dword ptr [ebp+08h] |
mov dword ptr [00430CDCh], eax |
mov eax, dword ptr [ebp-00000324h] |
mov dword ptr [00430C18h], 00010001h |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x26df4 | 0xdc | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x33000 | 0x195b88 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1c9000 | 0x1644 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x25df0 | 0x38 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x25e28 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1f000 | 0x278 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x1d4ac | 0x1d600 | False | 0.573720079787 | data | 6.65423641734 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x1f000 | 0x8bac | 0x8c00 | False | 0.497879464286 | data | 5.462837397 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x28000 | 0x96fc | 0x8c00 | False | 0.0412109375 | data | 0.885300140538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.gfids | 0x32000 | 0x134 | 0x200 | False | 0.3984375 | data | 2.38182890346 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x33000 | 0x195b88 | 0x195c00 | False | 1.00009145872 | data | 7.99984549743 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x1c9000 | 0x1644 | 0x1800 | False | 0.766927083333 | data | 6.4041746291 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
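The Entropy and ZLIB Complexity columns above are what tell you where the sample hides its contents: .rsrc is 0x195c00 bytes (about 90% of the file) at 7.9998 bits per byte and compresses to slightly more than its own size, which deflate only does on data that is already compressed or encrypted, and the Imports table shows FindResourceW / LoadResource / LockResource / SizeofResource to read it back. The script below is an added example, not part of the Joe Sandbox report; it reimplements both measurements on constructed blobs so the columns are reproducible, then applies the thresholds (the 7.2 / 0.95 cut-offs and the 4 KiB minimum are the editor's assumptions, not sandbox values) to the section rows copied from the table.

```python
import math
import os
import zlib
from typing import Dict, List, Tuple

# Rows copied from the report's Sections table: (name, raw size, entropy, ZLIB complexity).
REPORT_SECTIONS: List[Tuple[str, int, float, float]] = [
    (".text",  0x1d600,  6.65423641734,  0.573720079787),
    (".rdata", 0x8c00,   5.462837397,    0.497879464286),
    (".data",  0x8c00,   0.885300140538, 0.0412109375),
    (".gfids", 0x200,    2.38182890346,  0.3984375),
    (".rsrc",  0x195c00, 7.99984549743,  1.00009145872),
    (".reloc", 0x1800,   6.4041746291,   0.766927083333),
]

# Constructed sample blobs (not taken from the sample) showing what the two columns measure.
SAMPLE_BLOBS: Dict[str, bytes] = {
    "zeros": bytes(4096),
    "text": b"This program cannot be run in DOS mode.\r\n" * 100,
    "random": os.urandom(1 << 16),
}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Compressed size divided by raw size (the report's 'ZLIB Complexity'). A value at or
    above 1.0 means deflate found nothing to remove: the bytes are already compressed or encrypted."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def measure(blobs: Dict[str, bytes] = SAMPLE_BLOBS) -> Dict[str, Tuple[float, float]]:
    """(entropy, zlib complexity) per blob, rounded the way a report would print them."""
    return {name: (round(shannon_entropy(b), 3), round(zlib_complexity(b), 3))
            for name, b in blobs.items()}


def flag_packed_sections(rows=REPORT_SECTIONS, min_size: int = 0x1000,
                         entropy_thr: float = 7.2, complexity_thr: float = 0.95) -> List[str]:
    """Sections big enough to matter whose content is statistically opaque (assumed thresholds)."""
    return [name for name, raw, ent, cx in rows
            if raw >= min_size and ent >= entropy_thr and cx >= complexity_thr]


if __name__ == "__main__":
    for name, (ent, cx) in measure().items():
        print(f"{name:7s} entropy={ent:5.3f} zlib={cx:5.3f}")
    print("opaque sections:", flag_packed_sections())
```

A section that is both high-entropy and incompressible is the first place to carve when the dropped files need to be recovered statically; code sections such as .text sit around 6.5 bits per byte and still compress by roughly half, which is why they pass the filter untouched.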
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
BIN | 0x33170 | 0xbbe00 | data | English | United States |
BIN | 0xeef70 | 0x38800 | data | English | United States |
BIN | 0x127770 | 0x45600 | data | English | United States |
BIN | 0x16cd70 | 0x52c98 | data | English | United States |
BIN | 0x1bfa08 | 0x9000 | data | English | United States |
RT_MANIFEST | 0x1c8a08 | 0x17d | XML 1.0 document text | English | United States |
Imports |
---|
DLL | Import |
---|---|
KERNEL32.dll | GetVersionExW, GetModuleHandleA, CreateEventW, MultiByteToWideChar, Sleep, GetTempPathA, CopyFileA, GetLastError, GetFileAttributesA, CreateFileA, SetEvent, TerminateThread, DeleteFileW, CloseHandle, LoadLibraryW, CreateThread, GetOverlappedResult, VirtualProtectEx, GetWindowsDirectoryW, GetProcAddress, VirtualAllocEx, LocalFree, GetFileSize, DeleteCriticalSection, ExitProcess, GetCurrentProcessId, CreateProcessW, GetModuleHandleW, CreateRemoteThread, CreateProcessA, CreateEventA, ConnectNamedPipe, GetComputerNameA, GetFileAttributesW, HeapFree, HeapAlloc, GetProcessHeap, GetTempPathW, GetTickCount, SizeofResource, LockResource, LoadResource, FindResourceW, FindFirstFileExW, CreateFileW, LocalAlloc, WaitForSingleObject, InitializeCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, CreateNamedPipeW, GetModuleFileNameW, TerminateProcess, InterlockedDecrement, WriteFile, ReadFile, GetCurrentProcess, GetCommandLineW, EnterCriticalSection, WriteProcessMemory, CancelIo, FindClose, DecodePointer, SetEndOfFile, HeapSize, WriteConsoleW, FlushFileBuffers, GetStringTypeW, SetStdHandle, ReadConsoleW, SetFilePointerEx, GetModuleFileNameA, FreeLibrary, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetCPInfo, GetOEMCP, IsValidCodePage, LCMapStringW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, WideCharToMultiByte, EncodePointer, RaiseException, RtlUnwind, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, GetStdHandle, GetModuleHandleExW, GetACP, HeapReAlloc, GetConsoleCP, GetConsoleMode, GetFileType, FindNextFileW |
USER32.dll | wsprintfW |
ADVAPI32.dll | CryptAcquireContextW, CryptReleaseContext, LookupPrivilegeValueW, AdjustTokenPrivileges, CryptGenRandom, LookupPrivilegeNameW, CopySid, IsValidSid, LogonUserA, OpenProcessToken, ConvertSidToStringSidW, GetLengthSid, LookupAccountSidW, GetTokenInformation |
SHELL32.dll | SHGetSpecialFolderPathW, CommandLineToArgvW |
ole32.dll | CoCreateGuid, CoTaskMemFree, CoSetProxyBlanket, CoInitializeEx, CoInitializeSecurity, CoCreateInstance, CoUninitialize |
OLEAUT32.dll | SysFreeString, SysAllocString, SysStringLen, SafeArrayUnaccessData, SafeArrayAccessData, VariantClear, SafeArrayCreate |
IPHLPAPI.DLL | GetIpNetTable |
WS2_32.dll | FreeAddrInfoW, GetAddrInfoW, WSACleanup, WSAStartup, ntohl |
credui.dll | CredUIParseUserNameW |
NETAPI32.dll | NetApiBufferFree, NetGetDCName |
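Read as a whole, the import table above already maps to the behaviours the sandbox observed: VirtualAllocEx / WriteProcessMemory / CreateRemoteThread (injection into another process), OpenProcessToken / LookupPrivilegeValueW / AdjustTokenPrivileges (the "Enables debug privileges" signature), the FindResourceW family (payload extraction from .rsrc), GetIpNetTable plus NetGetDCName / LogonUserA / CredUIParseUserNameW (neighbour discovery and domain logon, matching the port 135 traffic under Network Behavior), and CryptAcquireContextW / CryptGenRandom (key material). The script below is an added example, not part of the report; the capability labels and the rule that every API in a rule must be present are the editor's choices, and the KERNEL32 list is shortened to the names the rules use (all of them appear in the table above).

```python
from typing import Dict, List, Set

# Import names copied from the report's Imports table. The KERNEL32 entry is shortened to the
# names the rules below need; every name listed here appears in the report.
REPORT_IMPORTS: Dict[str, Set[str]] = {
    "KERNEL32.dll": {
        "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "CreateProcessW",
        "FindResourceW", "LoadResource", "LockResource", "SizeofResource",
        "CreateNamedPipeW", "ConnectNamedPipe", "IsDebuggerPresent", "Sleep",
        "GetComputerNameA", "CopyFileA", "GetTempPathA", "CreateFileW",
    },
    "ADVAPI32.dll": {
        "CryptAcquireContextW", "CryptGenRandom", "LookupPrivilegeValueW",
        "AdjustTokenPrivileges", "OpenProcessToken", "GetTokenInformation", "LogonUserA",
    },
    "IPHLPAPI.DLL": {"GetIpNetTable"},
    "WS2_32.dll": {"GetAddrInfoW", "WSAStartup"},
    "credui.dll": {"CredUIParseUserNameW"},
    "NETAPI32.dll": {"NetGetDCName"},
}

# Capability rules (labels are the editor's, not the sandbox's). A rule fires only when every
# API in it is imported, so a lone Sleep or IsDebuggerPresent, both pulled in by the MSVC CRT,
# never produces a finding by itself.
CAPABILITIES: Dict[str, Set[str]] = {
    "remote process injection": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "token privilege adjustment": {"OpenProcessToken", "LookupPrivilegeValueW", "AdjustTokenPrivileges"},
    "payload carried in PE resources": {"FindResourceW", "LoadResource", "LockResource", "SizeofResource"},
    "neighbour discovery via ARP cache": {"GetIpNetTable"},
    "domain logon with supplied credentials": {"NetGetDCName", "LogonUserA", "CredUIParseUserNameW"},
    "named-pipe IPC": {"CreateNamedPipeW", "ConnectNamedPipe"},
    "CSPRNG key material": {"CryptAcquireContextW", "CryptGenRandom"},
}


def flatten(imports: Dict[str, Set[str]]) -> Set[str]:
    """All imported function names regardless of which DLL exports them."""
    return {name for names in imports.values() for name in names}


def triage_imports(imports: Dict[str, Set[str]], rules=CAPABILITIES) -> Dict[str, List[str]]:
    """Capabilities whose every API is imported, mapped to the sorted API names."""
    present = flatten(imports)
    return {cap: sorted(apis) for cap, apis in rules.items() if apis <= present}


def partial_matches(imports: Dict[str, Set[str]], rules=CAPABILITIES) -> Dict[str, List[str]]:
    """Rules with some but not all of their APIs present: worth a look, not a verdict."""
    present = flatten(imports)
    return {cap: sorted(apis & present) for cap, apis in rules.items()
            if apis & present and not apis <= present}


if __name__ == "__main__":
    for cap, apis in triage_imports(REPORT_IMPORTS).items():
        print(f"{cap:40s} {', '.join(apis)}")
    print("partial:", partial_matches(REPORT_IMPORTS))
```

Static import triage shows capability, not behaviour: an unpacked payload resolving APIs through GetProcAddress (also imported here) would not show up this way, which is why the dynamic signatures above remain the primary evidence and this table is the corroboration.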
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 12, 2018 21:38:30.860141993 CET | 56842 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:30.880199909 CET | 53440 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:30.880276918 CET | 53 | 53440 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:30.905082941 CET | 51075 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:30.905164003 CET | 53 | 51075 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:30.927845955 CET | 63053 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:30.927926064 CET | 53 | 63053 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:30.995573997 CET | 65490 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:30.995654106 CET | 53 | 65490 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:31.002337933 CET | 65311 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:31.002427101 CET | 53 | 65311 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:31.012367010 CET | 59195 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:31.012440920 CET | 53 | 59195 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:31.036601067 CET | 65034 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:31.036674976 CET | 53 | 65034 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:31.050959110 CET | 56352 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:31.051029921 CET | 53 | 56352 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:31.059361935 CET | 51492 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:31.059423923 CET | 53 | 51492 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:31.765642881 CET | 53 | 56842 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:32.179327011 CET | 65236 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:32.311522007 CET | 53 | 65236 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:32.616265059 CET | 57178 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:32.753743887 CET | 53 | 57178 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:33.061160088 CET | 49408 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:33.179438114 CET | 53 | 49408 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:33.513441086 CET | 57291 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:33.718898058 CET | 53 | 57291 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:34.032504082 CET | 64225 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:34.168128967 CET | 53 | 64225 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:34.497317076 CET | 64017 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:34.668488026 CET | 53 | 64017 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:34.980822086 CET | 61578 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:35.109461069 CET | 53 | 61578 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:35.419275999 CET | 64808 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:35.682538033 CET | 53 | 64808 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:35.696975946 CET | 49169 | 135 | 192.168.2.2 | 192.168.2.254 |
Feb 12, 2018 21:38:35.823093891 CET | 49170 | 135 | 192.168.2.2 | 192.168.2.246 |
Feb 12, 2018 21:38:35.824702978 CET | 49171 | 135 | 192.168.2.2 | 192.168.2.252 |
Feb 12, 2018 21:38:35.826517105 CET | 49172 | 135 | 192.168.2.2 | 192.168.2.248 |
Feb 12, 2018 21:38:35.827938080 CET | 49173 | 135 | 192.168.2.2 | 192.168.2.250 |
Feb 12, 2018 21:38:35.835345030 CET | 49174 | 135 | 192.168.2.2 | 192.168.2.244 |
Feb 12, 2018 21:38:35.895308971 CET | 49175 | 135 | 192.168.2.2 | 192.168.2.240 |
Feb 12, 2018 21:38:35.896699905 CET | 49176 | 135 | 192.168.2.2 | 192.168.2.238 |
Feb 12, 2018 21:38:35.903877974 CET | 49177 | 135 | 192.168.2.2 | 192.168.2.242 |
Feb 12, 2018 21:38:36.022747993 CET | 63535 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:36.172410011 CET | 53 | 63535 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:36.489626884 CET | 64117 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:36.696399927 CET | 53 | 64117 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:37.006269932 CET | 55120 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:37.137315989 CET | 53 | 55120 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:37.452662945 CET | 58962 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:37.739259005 CET | 53 | 58962 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:38.052788973 CET | 50225 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:38.164005041 CET | 53 | 50225 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:38.479089022 CET | 60278 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:38.696377039 CET | 49169 | 135 | 192.168.2.2 | 192.168.2.254 |
Feb 12, 2018 21:38:38.718569040 CET | 53 | 60278 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:38.880198002 CET | 49170 | 135 | 192.168.2.2 | 192.168.2.246 |
Feb 12, 2018 21:38:38.880208969 CET | 49171 | 135 | 192.168.2.2 | 192.168.2.252 |
Feb 12, 2018 21:38:38.880218029 CET | 49172 | 135 | 192.168.2.2 | 192.168.2.248 |
Feb 12, 2018 21:38:38.880224943 CET | 49173 | 135 | 192.168.2.2 | 192.168.2.250 |
Feb 12, 2018 21:38:38.880234003 CET | 49174 | 135 | 192.168.2.2 | 192.168.2.244 |
Feb 12, 2018 21:38:38.916991949 CET | 49175 | 135 | 192.168.2.2 | 192.168.2.240 |
Feb 12, 2018 21:38:38.917016983 CET | 49176 | 135 | 192.168.2.2 | 192.168.2.238 |
Feb 12, 2018 21:38:38.917036057 CET | 49177 | 135 | 192.168.2.2 | 192.168.2.242 |
Feb 12, 2018 21:38:39.026475906 CET | 55216 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:39.156883001 CET | 53 | 55216 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:39.511333942 CET | 56951 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:39.673909903 CET | 53 | 56951 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:39.979579926 CET | 62051 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:40.080379009 CET | 53 | 62051 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:40.392570972 CET | 61043 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:40.572628021 CET | 53 | 61043 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:40.883240938 CET | 64395 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:41.035156965 CET | 53 | 64395 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:41.355576038 CET | 57416 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:41.578322887 CET | 53 | 57416 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:41.888006926 CET | 55268 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:42.034862995 CET | 53 | 55268 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:42.338536024 CET | 65065 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:42.437918901 CET | 53 | 65065 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:42.756555080 CET | 53409 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:42.868976116 CET | 53 | 53409 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:43.488595009 CET | 61881 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:43.676775932 CET | 53 | 61881 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:44.000485897 CET | 53988 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:44.106827974 CET | 53 | 53988 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:44.427696943 CET | 55654 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:44.625426054 CET | 53 | 55654 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:44.714911938 CET | 49169 | 135 | 192.168.2.2 | 192.168.2.254 |
Feb 12, 2018 21:38:44.915150881 CET | 49170 | 135 | 192.168.2.2 | 192.168.2.246 |
Feb 12, 2018 21:38:44.915175915 CET | 49171 | 135 | 192.168.2.2 | 192.168.2.252 |
Feb 12, 2018 21:38:44.915184975 CET | 49172 | 135 | 192.168.2.2 | 192.168.2.248 |
Feb 12, 2018 21:38:44.915193081 CET | 49173 | 135 | 192.168.2.2 | 192.168.2.250 |
Feb 12, 2018 21:38:44.915199995 CET | 49174 | 135 | 192.168.2.2 | 192.168.2.244 |
Feb 12, 2018 21:38:44.915205956 CET | 49175 | 135 | 192.168.2.2 | 192.168.2.240 |
Feb 12, 2018 21:38:44.915213108 CET | 49176 | 135 | 192.168.2.2 | 192.168.2.238 |
Feb 12, 2018 21:38:44.915226936 CET | 49177 | 135 | 192.168.2.2 | 192.168.2.242 |
Feb 12, 2018 21:38:44.953222990 CET | 54534 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:45.142456055 CET | 53 | 54534 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:45.473556995 CET | 51206 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:45.779345989 CET | 53 | 51206 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:46.084404945 CET | 54894 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:46.238379002 CET | 53 | 54894 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:46.544713020 CET | 60111 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:46.779881954 CET | 53 | 60111 | 8.8.8.8 | 192.168.2.2 |
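Besides the DNS exchanges with 8.8.8.8, the packet list above shows three rounds of connection attempts from the analysis host 192.168.2.2 to TCP port 135 (the MS-RPC endpoint mapper) on nine neighbours, 192.168.2.238 through .254, each round reusing the same source ports 49169 to 49177 roughly 3 s and then 6 s after the first. Those intervals are Windows' retransmission back-off for an unanswered SYN: nothing was listening, so the spreading logic behind the "spre" classification (and the GetIpNetTable / NetGetDCName / LogonUserA imports) got no further in the sandbox. The script below is an added example, not part of the report; it parses a subset of the rows copied from the table and applies two checks, a port sweep (one source reaching five or more distinct hosts on one port within ten seconds) and per-flow retransmission gaps. Both thresholds are the editor's assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple


class Packet(NamedTuple):
    ts: datetime
    sport: int
    dport: int
    src: str
    dst: str


# Subset of rows copied from the report's TCP Packets table: the first attempt to each
# neighbour, the two repeats of the 49169 flow, and one DNS row as a non-matching control.
PACKET_LOG = """\
Feb 12, 2018 21:38:35.419275999 CET | 64808 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:35.696975946 CET | 49169 | 135 | 192.168.2.2 | 192.168.2.254 |
Feb 12, 2018 21:38:35.823093891 CET | 49170 | 135 | 192.168.2.2 | 192.168.2.246 |
Feb 12, 2018 21:38:35.824702978 CET | 49171 | 135 | 192.168.2.2 | 192.168.2.252 |
Feb 12, 2018 21:38:35.826517105 CET | 49172 | 135 | 192.168.2.2 | 192.168.2.248 |
Feb 12, 2018 21:38:35.827938080 CET | 49173 | 135 | 192.168.2.2 | 192.168.2.250 |
Feb 12, 2018 21:38:35.835345030 CET | 49174 | 135 | 192.168.2.2 | 192.168.2.244 |
Feb 12, 2018 21:38:35.895308971 CET | 49175 | 135 | 192.168.2.2 | 192.168.2.240 |
Feb 12, 2018 21:38:35.896699905 CET | 49176 | 135 | 192.168.2.2 | 192.168.2.238 |
Feb 12, 2018 21:38:35.903877974 CET | 49177 | 135 | 192.168.2.2 | 192.168.2.242 |
Feb 12, 2018 21:38:38.696377039 CET | 49169 | 135 | 192.168.2.2 | 192.168.2.254 |
Feb 12, 2018 21:38:44.714911938 CET | 49169 | 135 | 192.168.2.2 | 192.168.2.254 |
"""

Flow = Tuple[str, int, str, int]


def parse_line(line: str) -> Packet:
    """One 'timestamp | sport | dport | src | dst |' row from the report into a Packet."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    ts_text, sport, dport, src, dst = cells
    head, frac = ts_text.replace(" CET", "").rsplit(".", 1)
    # strptime's %f accepts at most six digits; the report prints nanoseconds.
    ts = datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")
    return Packet(ts, int(sport), int(dport), src, dst)


def parse_log(text: str) -> List[Packet]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_port_sweep(packets: List[Packet], port: int = 135, min_hosts: int = 5,
                      window: timedelta = timedelta(seconds=10)) -> Dict[str, List[str]]:
    """Sources that reach >= min_hosts distinct destinations on `port` inside one window."""
    by_src: Dict[str, List[Packet]] = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        if p.dport == port:
            by_src[p.src].append(p)
    hits: Dict[str, List[str]] = {}
    for src, pkts in by_src.items():
        for i, first in enumerate(pkts):
            targets = {q.dst for q in pkts[i:] if q.ts - first.ts <= window}
            if len(targets) >= min_hosts:
                hits[src] = sorted(targets, key=lambda ip: tuple(map(int, ip.split("."))))
                break
    return hits


def retransmit_gaps(packets: List[Packet]) -> Dict[Flow, List[float]]:
    """Seconds between repeated packets of one (src, sport, dst, dport) flow. Windows retries an
    unanswered SYN after about 3 s and again after about 6 s, so [3, 6] means nobody answered."""
    flows: Dict[Flow, List[datetime]] = defaultdict(list)
    for p in packets:
        flows[(p.src, p.sport, p.dst, p.dport)].append(p.ts)
    gaps: Dict[Flow, List[float]] = {}
    for flow, times in flows.items():
        times.sort()
        if len(times) > 1:
            gaps[flow] = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return gaps


PACKETS = parse_log(PACKET_LOG)

if __name__ == "__main__":
    for src, hosts in detect_port_sweep(PACKETS).items():
        print(f"{src} swept port 135 on {len(hosts)} hosts: {hosts}")
    for flow, g in retransmit_gaps(PACKETS).items():
        print(f"{flow}: retransmit gaps {g}")
```

On a real network the same two checks applied to flow logs separate a worm-style sweep (many hosts, same port, seconds apart, sequential ephemeral ports) from ordinary RPC traffic, and the retransmission pattern tells you which targets were down rather than reached.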
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 12, 2018 21:38:30.860141993 CET | 56842 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:30.880199909 CET | 53440 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:30.880276918 CET | 53 | 53440 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:30.905082941 CET | 51075 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:30.905164003 CET | 53 | 51075 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:30.927845955 CET | 63053 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:30.927926064 CET | 53 | 63053 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:30.995573997 CET | 65490 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:30.995654106 CET | 53 | 65490 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:31.002337933 CET | 65311 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:31.002427101 CET | 53 | 65311 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:31.012367010 CET | 59195 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:31.012440920 CET | 53 | 59195 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:31.036601067 CET | 65034 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:31.036674976 CET | 53 | 65034 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:31.050959110 CET | 56352 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:31.051029921 CET | 53 | 56352 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:31.059361935 CET | 51492 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:31.059423923 CET | 53 | 51492 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:31.765642881 CET | 53 | 56842 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:32.179327011 CET | 65236 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:32.311522007 CET | 53 | 65236 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:32.616265059 CET | 57178 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:32.753743887 CET | 53 | 57178 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:33.061160088 CET | 49408 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:33.179438114 CET | 53 | 49408 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:33.513441086 CET | 57291 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:33.718898058 CET | 53 | 57291 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:34.032504082 CET | 64225 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:34.168128967 CET | 53 | 64225 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:34.497317076 CET | 64017 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:34.668488026 CET | 53 | 64017 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:34.980822086 CET | 61578 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:35.109461069 CET | 53 | 61578 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:35.419275999 CET | 64808 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:35.682538033 CET | 53 | 64808 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:36.022747993 CET | 63535 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:36.172410011 CET | 53 | 63535 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:36.489626884 CET | 64117 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:36.696399927 CET | 53 | 64117 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:37.006269932 CET | 55120 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:37.137315989 CET | 53 | 55120 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:37.452662945 CET | 58962 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:37.739259005 CET | 53 | 58962 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:38.052788973 CET | 50225 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:38.164005041 CET | 53 | 50225 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:38.479089022 CET | 60278 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:38.718569040 CET | 53 | 60278 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:39.026475906 CET | 55216 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:39.156883001 CET | 53 | 55216 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:39.511333942 CET | 56951 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:39.673909903 CET | 53 | 56951 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:39.979579926 CET | 62051 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:40.080379009 CET | 53 | 62051 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:40.392570972 CET | 61043 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:40.572628021 CET | 53 | 61043 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:40.883240938 CET | 64395 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:41.035156965 CET | 53 | 64395 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:41.355576038 CET | 57416 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:41.578322887 CET | 53 | 57416 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:41.888006926 CET | 55268 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:42.034862995 CET | 53 | 55268 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:42.338536024 CET | 65065 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:42.437918901 CET | 53 | 65065 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:42.756555080 CET | 53409 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:42.868976116 CET | 53 | 53409 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:43.488595009 CET | 61881 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:43.676775932 CET | 53 | 61881 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:44.000485897 CET | 53988 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:44.106827974 CET | 53 | 53988 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:44.427696943 CET | 55654 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:44.625426054 CET | 53 | 55654 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:44.953222990 CET | 54534 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:45.142456055 CET | 53 | 54534 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:45.473556995 CET | 51206 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:45.779345989 CET | 53 | 51206 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:46.084404945 CET | 54894 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:46.238379002 CET | 53 | 54894 | 8.8.8.8 | 192.168.2.2 |
Feb 12, 2018 21:38:46.544713020 CET | 60111 | 53 | 192.168.2.2 | 8.8.8.8 |
Feb 12, 2018 21:38:46.779881954 CET | 53 | 60111 | 8.8.8.8 | 192.168.2.2 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Feb 12, 2018 21:38:30.860141993 CET | 192.168.2.2 | 8.8.8.8 | 0xb7a7 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:32.179327011 CET | 192.168.2.2 | 8.8.8.8 | 0xc3dd | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:32.616265059 CET | 192.168.2.2 | 8.8.8.8 | 0x152 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:33.061160088 CET | 192.168.2.2 | 8.8.8.8 | 0x26e4 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:33.513441086 CET | 192.168.2.2 | 8.8.8.8 | 0xcd43 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:34.032504082 CET | 192.168.2.2 | 8.8.8.8 | 0xc366 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:34.497317076 CET | 192.168.2.2 | 8.8.8.8 | 0xd809 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:34.980822086 CET | 192.168.2.2 | 8.8.8.8 | 0xfb5 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:35.419275999 CET | 192.168.2.2 | 8.8.8.8 | 0xcd9f | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:36.022747993 CET | 192.168.2.2 | 8.8.8.8 | 0x8b9d | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:36.489626884 CET | 192.168.2.2 | 8.8.8.8 | 0xaa99 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:37.006269932 CET | 192.168.2.2 | 8.8.8.8 | 0x2ad9 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:37.452662945 CET | 192.168.2.2 | 8.8.8.8 | 0x9754 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:38.052788973 CET | 192.168.2.2 | 8.8.8.8 | 0x9aa7 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:38.479089022 CET | 192.168.2.2 | 8.8.8.8 | 0x4024 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:39.026475906 CET | 192.168.2.2 | 8.8.8.8 | 0x7ff | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:39.511333942 CET | 192.168.2.2 | 8.8.8.8 | 0x3298 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:39.979579926 CET | 192.168.2.2 | 8.8.8.8 | 0x2c13 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:40.392570972 CET | 192.168.2.2 | 8.8.8.8 | 0xf3f5 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:40.883240938 CET | 192.168.2.2 | 8.8.8.8 | 0x1fa9 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:41.355576038 CET | 192.168.2.2 | 8.8.8.8 | 0x715f | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:41.888006926 CET | 192.168.2.2 | 8.8.8.8 | 0x948e | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:42.338536024 CET | 192.168.2.2 | 8.8.8.8 | 0x4034 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:42.756555080 CET | 192.168.2.2 | 8.8.8.8 | 0xde3e | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:43.488595009 CET | 192.168.2.2 | 8.8.8.8 | 0xc681 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:44.000485897 CET | 192.168.2.2 | 8.8.8.8 | 0xee4c | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:44.427696943 CET | 192.168.2.2 | 8.8.8.8 | 0xb3fa | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:44.953222990 CET | 192.168.2.2 | 8.8.8.8 | 0x10f7 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:45.473556995 CET | 192.168.2.2 | 8.8.8.8 | 0xfd81 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:46.084404945 CET | 192.168.2.2 | 8.8.8.8 | 0xc169 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:46.544713020 CET | 192.168.2.2 | 8.8.8.8 | 0xad00 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Feb 12, 2018 21:38:31.765642881 CET | 8.8.8.8 | 192.168.2.2 | 0xb7a7 | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:32.311522007 CET | 8.8.8.8 | 192.168.2.2 | 0xc3dd | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:32.753743887 CET | 8.8.8.8 | 192.168.2.2 | 0x152 | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:33.179438114 CET | 8.8.8.8 | 192.168.2.2 | 0x26e4 | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:33.718898058 CET | 8.8.8.8 | 192.168.2.2 | 0xcd43 | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:34.168128967 CET | 8.8.8.8 | 192.168.2.2 | 0xc366 | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:34.668488026 CET | 8.8.8.8 | 192.168.2.2 | 0xd809 | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:35.109461069 CET | 8.8.8.8 | 192.168.2.2 | 0xfb5 | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:35.682538033 CET | 8.8.8.8 | 192.168.2.2 | 0xcd9f | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:36.172410011 CET | 8.8.8.8 | 192.168.2.2 | 0x8b9d | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:36.696399927 CET | 8.8.8.8 | 192.168.2.2 | 0xaa99 | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:37.137315989 CET | 8.8.8.8 | 192.168.2.2 | 0x2ad9 | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:37.739259005 CET | 8.8.8.8 | 192.168.2.2 | 0x9754 | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:38.164005041 CET | 8.8.8.8 | 192.168.2.2 | 0x9aa7 | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:38.718569040 CET | 8.8.8.8 | 192.168.2.2 | 0x4024 | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:39.156883001 CET | 8.8.8.8 | 192.168.2.2 | 0x7ff | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:39.673909903 CET | 8.8.8.8 | 192.168.2.2 | 0x3298 | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:40.080379009 CET | 8.8.8.8 | 192.168.2.2 | 0x2c13 | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:40.572628021 CET | 8.8.8.8 | 192.168.2.2 | 0xf3f5 | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:41.035156965 CET | 8.8.8.8 | 192.168.2.2 | 0x1fa9 | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:41.578322887 CET | 8.8.8.8 | 192.168.2.2 | 0x715f | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:42.034862995 CET | 8.8.8.8 | 192.168.2.2 | 0x948e | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:42.437918901 CET | 8.8.8.8 | 192.168.2.2 | 0x4034 | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:42.868976116 CET | 8.8.8.8 | 192.168.2.2 | 0xde3e | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:43.676775932 CET | 8.8.8.8 | 192.168.2.2 | 0xc681 | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:44.106827974 CET | 8.8.8.8 | 192.168.2.2 | 0xee4c | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:44.625426054 CET | 8.8.8.8 | 192.168.2.2 | 0xb3fa | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:45.142456055 CET | 8.8.8.8 | 192.168.2.2 | 0x10f7 | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:45.779345989 CET | 8.8.8.8 | 192.168.2.2 | 0xfd81 | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:46.238379002 CET | 8.8.8.8 | 192.168.2.2 | 0xc169 | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:46.779881954 CET | 8.8.8.8 | 192.168.2.2 | 0xad00 | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
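Every query in the table above is a PTR lookup sent to 8.8.8.8, and every answer is NXDOMAIN (reply code 3), which is why the Analysis Advice at the top of the report notes that nothing the sample asks for resolves. The Python script below is an added worked example, not part of the Joe Sandbox report: it takes six query rows and their six answer rows from the two tables (columns in header order, Name left empty as in this extract), pairs them by transaction ID, checks that each answer came back from the resolver that was asked, and summarises round-trip time, inter-query cadence and NXDOMAIN ratio. The 90 % cut-off in verdict() is an assumed triage threshold, not a value from the report.

```python
"""Pair the DNS Queries and DNS Answers rows of a Joe Sandbox report by
transaction ID and summarise resolver behaviour (NXDOMAIN ratio, RTT, cadence)."""
import re
from datetime import datetime
from statistics import median

# Six query rows and the six matching answer rows, copied from the report tables.
# Cells follow the report headers; the Name cell is empty because the extract
# does not contain the queried names.
QUERY_ROWS = """\
Feb 12, 2018 21:38:30.860141993 CET | 192.168.2.2 | 8.8.8.8 | 0xb7a7 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:32.179327011 CET | 192.168.2.2 | 8.8.8.8 | 0xc3dd | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:32.616265059 CET | 192.168.2.2 | 8.8.8.8 | 0x152 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:33.061160088 CET | 192.168.2.2 | 8.8.8.8 | 0x26e4 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:33.513441086 CET | 192.168.2.2 | 8.8.8.8 | 0xcd43 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:34.032504082 CET | 192.168.2.2 | 8.8.8.8 | 0xc366 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) |
"""
ANSWER_ROWS = """\
Feb 12, 2018 21:38:31.765642881 CET | 8.8.8.8 | 192.168.2.2 | 0xb7a7 | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:32.311522007 CET | 8.8.8.8 | 192.168.2.2 | 0xc3dd | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:32.753743887 CET | 8.8.8.8 | 192.168.2.2 | 0x152 | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:33.179438114 CET | 8.8.8.8 | 192.168.2.2 | 0x26e4 | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:33.718898058 CET | 8.8.8.8 | 192.168.2.2 | 0xcd43 | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
Feb 12, 2018 21:38:34.168128967 CET | 8.8.8.8 | 192.168.2.2 | 0xc366 | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) |
"""

# Report timestamps carry nanoseconds; strptime's %f takes at most six digits.
TS_RE = re.compile(r"(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d{6})")


def parse_ts(cell):
    return datetime.strptime(TS_RE.match(cell).group(1), "%b %d, %Y %H:%M:%S.%f")


def parse_rows(text):
    """Split the report's pipe-separated rows into stripped cell lists."""
    return [[c.strip() for c in line.split("|")] for line in text.strip().splitlines()]


def analyse(query_text, answer_text):
    queries = {}
    for cells in parse_rows(query_text):
        # cells: ts, src, dst, txid, opcode, name, type, class
        queries[cells[3]] = {"ts": parse_ts(cells[0]), "src": cells[1],
                             "resolver": cells[2], "type": cells[6]}
    rtt_s, rcodes, unmatched = {}, {}, []
    for cells in parse_rows(answer_text):
        # cells: ts, src, dst, txid, rcode, name, cname, address, type, class
        txid, q = cells[3], queries.get(cells[3])
        # Accept an answer only if it carries a known txid, comes from the resolver
        # we asked and is addressed back to the querying host.
        if q is None or cells[1] != q["resolver"] or cells[2] != q["src"]:
            unmatched.append(txid)
            continue
        rtt_s[txid] = (parse_ts(cells[0]) - q["ts"]).total_seconds()
        rcodes[txid] = cells[4]
    # Cadence: gaps between consecutive queries, what a fixed timer leaves behind.
    times = sorted(q["ts"] for q in queries.values())
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    nx = sum(1 for r in rcodes.values() if r.startswith("Name error"))
    return {
        "queries": len(queries),
        "answered": len(rtt_s),
        "unanswered": len(queries) - len(rtt_s),
        "unmatched_answers": unmatched,
        "all_ptr": all(q["type"].startswith("PTR") for q in queries.values()),
        "nxdomain_ratio": nx / len(rcodes) if rcodes else 0.0,
        "rtt_s": rtt_s,
        "median_gap_s": median(gaps) if gaps else 0.0,
    }


def verdict(summary, nx_threshold=0.9):
    """One triage line; the 0.9 threshold is an assumed cut-off, not a report value."""
    if summary["nxdomain_ratio"] >= nx_threshold:
        return "suspicious: %.0f%% of %d answered %slookups were NXDOMAIN, median gap %.2fs" % (
            100 * summary["nxdomain_ratio"], summary["answered"],
            "PTR " if summary["all_ptr"] else "", summary["median_gap_s"])
    return "unremarkable resolver behaviour"


if __name__ == "__main__":
    s = analyse(QUERY_ROWS, ANSWER_ROWS)
    print(verdict(s))
    for txid, rtt in s["rtt_s"].items():
        print("  %-7s rtt %.1f ms" % (txid, rtt * 1000))
```

On the full 31-row table the same code gives a 100 % NXDOMAIN ratio with a cadence of roughly half a second; pairing on transaction ID plus source and destination addresses, rather than on order alone, is what keeps a spoofed or stray reply from being counted as the answer to a real query.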
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 21:38:46 |
Start date: | 12/02/2018 |
Path: | C:\Users\user\Desktop\winlogon.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xd60000 |
File size: | 1861632 bytes |
MD5 hash: | CFDD16225E67471F5EF54CAB9B3A5558 |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 21:38:46 |
Start date: | 12/02/2018 |
Path: | C:\Users\user\AppData\Local\Temp\yegus.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x1330000 |
File size: | 769536 bytes |
MD5 hash: | 4F43F03783F9789F804DCF9B9474FA6D |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 21:38:47 |
Start date: | 12/02/2018 |
Path: | C:\Users\user\AppData\Local\Temp\ucngw.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xc50000 |
File size: | 231424 bytes |
MD5 hash: | 6E0EBEEEA1CB00192B074B288A4F9CFE |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 21:38:49 |
Start date: | 12/02/2018 |
Path: | C:\Users\user\AppData\Local\Temp\_usm.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x140000 |
File size: | 36864 bytes |
MD5 hash: | 3C0D740347B0362331C882C2DEE96DBF |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 21:38:49 |
Start date: | 12/02/2018 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x4a9e0000 |
File size: | 302592 bytes |
MD5 hash: | AD7B9C14083B52BC532FBA5948342B98 |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 21:38:50 |
Start date: | 12/02/2018 |
Path: | C:\Windows\System32\vssadmin.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x6e0000 |
File size: | 115200 bytes |
MD5 hash: | 6E248A3D528EDE43994457CF417BD665 |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
General |
---|
Start time: | 21:38:51 |
Start date: | 12/02/2018 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x4a0d0000 |
File size: | 302592 bytes |
MD5 hash: | AD7B9C14083B52BC532FBA5948342B98 |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 21:38:52 |
Start date: | 12/02/2018 |
Path: | C:\Windows\System32\wbadmin.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x670000 |
File size: | 224768 bytes |
MD5 hash: | EAB630E7E6A7FC248870A2FCDC098B98 |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
General |
---|
Start time: | 21:38:52 |
Start date: | 12/02/2018 |
Path: | C:\Windows\System32\wbengine.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xbf0000 |
File size: | 1203200 bytes |
MD5 hash: | 691E3285E53DCA558E1A84667F13E15A |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 21:38:52 |
Start date: | 12/02/2018 |
Path: | C:\Windows\System32\vdsldr.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x3b0000 |
File size: | 19968 bytes |
MD5 hash: | A2551668C78CEA4089D71A0A3B36FC0C |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 21:38:53 |
Start date: | 12/02/2018 |
Path: | C:\Windows\System32\vds.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xac0000 |
File size: | 453632 bytes |
MD5 hash: | C3CD30495687C2A2F66A65CA6FD89BE9 |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
General |
---|
Start time: | 21:38:55 |
Start date: | 12/02/2018 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x4a460000 |
File size: | 302592 bytes |
MD5 hash: | AD7B9C14083B52BC532FBA5948342B98 |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 21:38:55 |
Start date: | 12/02/2018 |
Path: | C:\Windows\System32\bcdedit.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x5b0000 |
File size: | 295936 bytes |
MD5 hash: | ABD373E82F6240031C1E631AA20711C7 |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
General |
---|
Start time: | 21:38:56 |
Start date: | 12/02/2018 |
Path: | C:\Windows\System32\bcdedit.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xcf0000 |
File size: | 295936 bytes |
MD5 hash: | ABD373E82F6240031C1E631AA20711C7 |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
General |
---|
Start time: | 21:38:57 |
Start date: | 12/02/2018 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x4a640000 |
File size: | 302592 bytes |
MD5 hash: | AD7B9C14083B52BC532FBA5948342B98 |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 21:38:58 |
Start date: | 12/02/2018 |
Path: | C:\Windows\System32\wevtutil.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x100000 |
File size: | 175616 bytes |
MD5 hash: | 81538B795F922B8DA6FD897EFB04B5EE |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 21:38:59 |
Start date: | 12/02/2018 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x4a0d0000 |
File size: | 302592 bytes |
MD5 hash: | AD7B9C14083B52BC532FBA5948342B98 |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 21:39:00 |
Start date: | 12/02/2018 |
Path: | C:\Windows\System32\wevtutil.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x4a0000 |
File size: | 175616 bytes |
MD5 hash: | 81538B795F922B8DA6FD897EFB04B5EE |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 21:39:04 |
Start date: | 12/02/2018 |
Path: | C:\Windows\System32\LogonUI.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xcc0000 |
File size: | 10752 bytes |
MD5 hash: | 3EF0D8AB08385AAB5802E773511A2E6A |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
General |
---|
Start time: | 21:39:06 |
Start date: | 12/02/2018 |
Path: | C:\Windows\System32\LogonUI.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xcc0000 |
File size: | 10752 bytes |
MD5 hash: | 3EF0D8AB08385AAB5802E773511A2E6A |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
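Read in start order, the process list above is the usual ransomware pre-encryption sequence: three executables started from the user's Temp directory, then cmd.exe launching vssadmin.exe, wbadmin.exe (which pulls in wbengine.exe, vdsldr.exe and vds.exe), bcdedit.exe twice and wevtutil.exe twice, all within about ten seconds, followed by LogonUI.exe. This extract carries no command lines or parent PIDs, so it does not show which arguments were passed. The Python script below is an added worked example, not part of the Joe Sandbox report: it encodes the twenty start times, paths and reputation values from the section above and flags a burst in which at least three distinct recovery or logging utilities start within a configurable window. The MITRE ATT&CK labels (T1490, T1070.001) are added for tagging, the window and threshold are assumed values, and in a SIEM you would add the command line and parent image to the same rule.

```python
"""Flag a recovery-inhibition burst in a process start list: several distinct
Windows recovery/logging utilities launched within a short window, shortly after
unknown executables appear in the user's Temp directory."""
from datetime import datetime
import ntpath

# (start time, image path, Joe Sandbox reputation) for the 20 process entries in
# the System Behavior section. Command lines and parent PIDs are not in the
# extract, so the logic keys on image names and timing only.
START_DATE = "12/02/2018"
PROCESS_STARTS = [
    ("21:38:46", r"C:\Users\user\Desktop\winlogon.exe", "low"),
    ("21:38:46", r"C:\Users\user\AppData\Local\Temp\yegus.exe", "low"),
    ("21:38:47", r"C:\Users\user\AppData\Local\Temp\ucngw.exe", "low"),
    ("21:38:49", r"C:\Users\user\AppData\Local\Temp\_usm.exe", "low"),
    ("21:38:49", r"C:\Windows\System32\cmd.exe", "high"),
    ("21:38:50", r"C:\Windows\System32\vssadmin.exe", "moderate"),
    ("21:38:51", r"C:\Windows\System32\cmd.exe", "high"),
    ("21:38:52", r"C:\Windows\System32\wbadmin.exe", "moderate"),
    ("21:38:52", r"C:\Windows\System32\wbengine.exe", "low"),
    ("21:38:52", r"C:\Windows\System32\vdsldr.exe", "low"),
    ("21:38:53", r"C:\Windows\System32\vds.exe", "moderate"),
    ("21:38:55", r"C:\Windows\System32\cmd.exe", "high"),
    ("21:38:55", r"C:\Windows\System32\bcdedit.exe", "moderate"),
    ("21:38:56", r"C:\Windows\System32\bcdedit.exe", "moderate"),
    ("21:38:57", r"C:\Windows\System32\cmd.exe", "high"),
    ("21:38:58", r"C:\Windows\System32\wevtutil.exe", "low"),
    ("21:38:59", r"C:\Windows\System32\cmd.exe", "high"),
    ("21:39:00", r"C:\Windows\System32\wevtutil.exe", "low"),
    ("21:39:04", r"C:\Windows\System32\LogonUI.exe", "moderate"),
    ("21:39:06", r"C:\Windows\System32\LogonUI.exe", "moderate"),
]

# Utilities that, launched together in a tight burst, make up the classic
# pre-encryption sequence. ATT&CK technique IDs are attached for alert tagging.
RECOVERY_INHIBITORS = {
    "vssadmin.exe": "T1490 Inhibit System Recovery",
    "wbadmin.exe": "T1490 Inhibit System Recovery",
    "bcdedit.exe": "T1490 Inhibit System Recovery",
    "wevtutil.exe": "T1070.001 Clear Windows Event Logs",
}
TEMP_MARKER = "\\appdata\\local\\temp\\"


def _ts(clock):
    return datetime.strptime(START_DATE + " " + clock, "%d/%m/%Y %H:%M:%S")


def image_name(path):
    # ntpath handles backslash paths regardless of the host OS running this script
    return ntpath.basename(path).lower()


def dropped_executables(procs):
    """Images started from the user's Temp directory, in start order."""
    return [image_name(p) for _, p, _ in procs if TEMP_MARKER in p.lower()]


def find_burst(procs, window_s=60, min_distinct=3):
    """Return the window with the most distinct recovery inhibitors launched
    within window_s seconds, or None if no window reaches min_distinct."""
    launches = sorted(((_ts(t), image_name(p)) for t, p, _ in procs
                       if image_name(p) in RECOVERY_INHIBITORS), key=lambda x: x[0])
    best = None
    for i, (t0, _) in enumerate(launches):
        inside = [(t, n) for t, n in launches[i:] if (t - t0).total_seconds() <= window_s]
        distinct = {n for _, n in inside}
        if len(distinct) >= min_distinct and (best is None or len(distinct) > best["distinct"]):
            best = {
                "start": t0.strftime("%H:%M:%S"),
                "end": inside[-1][0].strftime("%H:%M:%S"),
                "span_s": int((inside[-1][0] - t0).total_seconds()),
                "launches": len(inside),
                "distinct": len(distinct),
                "techniques": sorted({RECOVERY_INHIBITORS[n] for n in distinct}),
            }
    return best


def report(procs):
    """Human-readable findings, one line each."""
    lines = []
    dropped = dropped_executables(procs)
    if dropped:
        lines.append("executables started from Temp: " + ", ".join(dropped))
    burst = find_burst(procs)
    if burst:
        lines.append("recovery-inhibition burst %s to %s (%ds): %d launches of %d tools; %s" % (
            burst["start"], burst["end"], burst["span_s"], burst["launches"],
            burst["distinct"], "; ".join(burst["techniques"])))
    return lines


if __name__ == "__main__":
    for line in report(PROCESS_STARTS):
        print(line)
```

With the defaults the burst is 21:38:50 to 21:39:00, six launches of four distinct tools; shrinking the window to three seconds yields no alert, which is the trade-off to keep in mind when tuning such a rule against an adversary that spaces the commands out.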
Disassembly |
---|
Code Analysis |
---|
Execution Graph |
---|
Execution Coverage: | 13.6% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 7.1% |
Total number of Nodes: | 2000 |
Total number of Limit Nodes: | 72 |
Graph
Executed Functions |
---|
Control-flow Graph |
---|
C-Code - Quality: 25% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Control-flow Graph |
---|
C-Code - Quality: 91% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Control-flow Graph |
---|
C-Code - Quality: 69% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Control-flow Graph |
---|
C-Code - Quality: 71% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 91% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 55% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Control-flow Graph |
---|
C-Code - Quality: 25% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Control-flow Graph |
---|
C-Code - Quality: 67% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Control-flow Graph |
---|
C-Code - Quality: 86% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Control-flow Graph |
---|
C-Code - Quality: 42% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Control-flow Graph |
---|
C-Code - Quality: 69% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Control-flow Graph |
---|
C-Code - Quality: 48% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Control-flow Graph |
---|
C-Code - Quality: 69% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Control-flow Graph |
---|
C-Code - Quality: 75% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Control-flow Graph |
---|
C-Code - Quality: 79% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Control-flow Graph |
---|
C-Code - Quality: 82% |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Control-flow Graph |
---|
C-Code - Quality: 87% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 93% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 51% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 76% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 47% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 86% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 85% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 92% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 65% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 95% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 47% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 87% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 61% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 88% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 96% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 86% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 30% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 16% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 68% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 93% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 86% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 92% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 53% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 56% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 81% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 76% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 72% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 88% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 80% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 90% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 72% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 74% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 95% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 68% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 94% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Non-executed Functions |
---|
C-Code - Quality: 89% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 95% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 83% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 77% |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 85% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 84% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 72% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 90% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 88% |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 34% |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 100% |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 97% |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 16% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 74% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 90% |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 73% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 64% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 77% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 96% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 81% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 61% |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 75% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 79% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 100% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 90% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Executed Functions |
---|
Control-flow Graph |
---|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Control-flow Graph |
---|
C-Code - Quality: 71% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Control-flow Graph |
---|
C-Code - Quality: 74% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Control-flow Graph |
---|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Control-flow Graph |
---|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Control-flow Graph |
---|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Control-flow Graph |
---|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Control-flow Graph |
---|
C-Code - Quality: 95% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Control-flow Graph |
---|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Control-flow Graph |
---|
C-Code - Quality: 69% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Control-flow Graph |
---|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 65% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 95% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 96% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 34% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 17% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 16% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 68% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 90% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 84% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 77% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 96% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 72% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 88% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 90% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 96% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 95% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
C-Code - Quality: 94% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Non-executed Functions |
---|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
Executed Functions |
---|
Control-flow Graph |
---|
C-Code - Quality: 71% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |