Windows
Analysis Report
Benefits-Signature-RequestsPlan#241205.com.exe
Overview
General Information
Detection
Score: | 72 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
Benefits-Signature-RequestsPlan#241205.com.exe (PID: 6292 cmdline: "C:\Users\user\Desktop\Benefits-Signature-RequestsPlan#241205.com.exe" MD5: 46E978F5DEE2D39687269D77E44DF3CF)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | |
AV Detection |
---|
Source: | Avira: |
Source: | ReversingLabs: |
Source: | Static PE information: | (2 entries) |
Source: | Code function: | 0_2_0040646B |
Source: | Code function: | 0_2_004027A1 |
Source: | Code function: | 0_2_004058BF |
Source: | String found in binary or memory: | (2 entries) |
Source: | Code function: | 0_2_0040535C |
Source: | Process Stats: |
Source: | Code function: | 0_2_00403348 |
Source: | File created: | (3 entries) |
Source: | Code function: | 0_2_00406945 |
Source: | Code function: | 0_2_0040711C |
Source: | Code function: | 0_2_6E7C1A98 |
Source: | Binary or memory string: | (2 entries) |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Code function: | 0_2_00403348 |
Source: | Code function: | 0_2_0040460D |
Source: | Code function: | 0_2_0040216B |
Source: | File created: | (2 entries) |
Source: | Static PE information: |
Source: | File read: |
Source: | Key opened: |
Source: | ReversingLabs: |
Source: | File read: |
Source: | Section loaded: | (25 entries) |
Source: | Key value queried: |
Source: | LNK file: |
Source: | Static PE information: |
Data Obfuscation |
---|
Source: | File source: |
Source: | Code function: | 0_2_6E7C1A98 |
Source: | Code function: | 0_2_6E7C2F8E |
Source: | File created: | (3 entries) |
Source: | Process information set: | (3 entries) |
Malware Analysis System Evasion |
---|
Source: | File opened: |
Source: | RDTSC instruction interceptor: |
Source: | Dropped PE file which has not been started: | (3 entries) |
Source: | Code function: | 0_2_0040646B |
Source: | Code function: | 0_2_004027A1 |
Source: | Code function: | 0_2_004058BF |
Source: | API call chain: | graph_0-4193 |
Source: | API call chain: | graph_0-4188 |
Source: | Code function: | 0_2_6E7C1A98 |
Source: | Code function: | 0_2_00403348 |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Access Token Manipulation | 11 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Clipboard Data | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Access Token Manipulation | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 13 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| | 39% | ReversingLabs | Win32.Trojan.Sonbokli | |
| | 100% | Avira | TR/Injector.ooawv | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| | 0% | ReversingLabs | | |
| | 0% | ReversingLabs | | |
| | 0% | ReversingLabs | | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | | false | | unknown |
| | | false | | unknown |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1445946 |
Start date and time: | 2024-05-22 20:11:08 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 7m 54s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 7 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | Benefits-Signature-RequestsPlan#241205.com.exe |
Detection: | MAL |
Classification: | mal72.troj.evad.winEXE@1/20@0/0 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: Benefits-Signature-RequestsPlan#241205.com.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
C:\Users\user\AppData\Local\Temp\nsz8290.tmp\UserInfo.dll | | | malicious | Remcos, GuLoader | | |
| | | | malicious | GuLoader | | |
C:\Users\user\AppData\Local\Temp\nsz8290.tmp\System.dll | | | malicious | Remcos, GuLoader | | |
| | | | malicious | GuLoader | | |
| | | | malicious | FormBook, GuLoader | | |
| | | | malicious | GuLoader | | |
| | | | malicious | FormBook, GuLoader | | |
| | | | malicious | Unknown | | |
| | | | malicious | Unknown | | |
| | | | malicious | FormBook, GuLoader | | |
| | | | malicious | GuLoader | | |
| | | | malicious | FormBook, GuLoader | | |
Process: | C:\Users\user\Desktop\Benefits-Signature-RequestsPlan#241205.com.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1316 |
Entropy (8bit): | 3.1424847856108173 |
Encrypted: | false |
SSDEEP: | 24:8wTaRMgKcHbfYoVN6Aafk6Wo6HPHAJqy:8rRFfYyYAafLWo6fAgy |
MD5: | 0EA7EB893BCC385CF6C825B3E2E857D2 |
SHA1: | D52580CF5E3E02737D5875FC6080D1985A8BF99F |
SHA-256: | 5AD34957D3F1CCDBB126EB600C7F6A8FDE0AA8DF6D7D812037D53E8CB24393A0 |
SHA-512: | 726E824756FFB4B6DD142FFC79399FF4210B3D11D8CDBF2C68C6365E0197A8512764DA244AE55D7DFE3C0B687B3DF9F7FB496527C320C4D88092413882A36370 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\Benefits-Signature-RequestsPlan#241205.com.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 11776 |
Entropy (8bit): | 5.8545531334577525 |
Encrypted: | false |
SSDEEP: | 192:EPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4W:j7VpNo8gmOyRsVc4 |
MD5: | 4CA4FD3FBEFA2F6E87E6E9EE87D1C0B3 |
SHA1: | 7CDBEB5FF2B14B86AF04E075D0CA651183EA5DF4 |
SHA-256: | D09A8B3ADE4BA4B7292C0B3DA1BCB4B6C6E2012E0CCFD5E029A54AF73A9E1B57 |
SHA-512: | CF0F415A97FDC74568297FED4F1295D0D2AEF487A308141144EF8D5F04C669EF4795C273E745B81065429ADDE113FCDEDF4C22717A7AEEF60FDCD8D4D46F97F8 |
Malicious: | false |
Antivirus: | |
Joe Sandbox View: | |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\Benefits-Signature-RequestsPlan#241205.com.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4096 |
Entropy (8bit): | 3.3282212929259076 |
Encrypted: | false |
SSDEEP: | 48:qKOpbhg7V46Br1wHsl9rECxZShMmj3hTPRYBA:5OZOVZruHs1xH6hT+i |
MD5: | 035BDB470A6807313BD005BD98341FFC |
SHA1: | 5017D1E5A23F1C64594F737E6FCCD519729C3B3E |
SHA-256: | 26FA900E3426B4DD272707E1AAF428B5EE06BDC2CC2BBAECDAB6B54F11F38F27 |
SHA-512: | F888BAED5267B05B13722E839634254393AA99B2ADF1A2AE6E799D3A901665E7EBDA0FA1202DB20A6765A8AFF58E2ED6F4E822028BE426DB732EB10EC783AA05 |
Malicious: | false |
Antivirus: | |
Joe Sandbox View: | |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\Benefits-Signature-RequestsPlan#241205.com.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 9728 |
Entropy (8bit): | 5.127127260486972 |
Encrypted: | false |
SSDEEP: | 96:oVDlD3cd51V1zL7xqEscxM2DjDf3GEst+Nt+jvcx488qndYv0PLE:oVp34z/x3sREskpxjdO0PLE |
MD5: | EB2C74E05B30B29887B3219F4EA3FDAB |
SHA1: | 91173D46B34E7BAE57ACABDBD239111B5BCC4D9E |
SHA-256: | D253CA5ABA34B925796777893F114CC741B015AF7868022AB1DB2341288C55ED |
SHA-512: | 1BB035260223EC585170F891C2624B9AE98671F225E74B913B40BB77B66E3B9C2016037BC8E4B0AE16367D82590A60A0A3BD95D05139EA2454F02020D1B54DAE |
Malicious: | false |
Antivirus: | |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\Benefits-Signature-RequestsPlan#241205.com.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1298 |
Entropy (8bit): | 4.819168094685199 |
Encrypted: | false |
SSDEEP: | 24:foIwTQX+y1uklbJlltkrwWGbvz/Nv/sQ4JUJibXC/V0TlnNqbcgX/vIO:fo1QMklbJllSMWGnB/kJUJIJNqH |
MD5: | 623272435DE8395E801ABF39701074A3 |
SHA1: | 5E234E9270EFAB606464277FABE18436FD92E6BD |
SHA-256: | FE85D7B25A41EE93F1A172F4F8F0489A83C24D03A0AC59066E79A1F58F9C5382 |
SHA-512: | C80FD2086FCA97387C41AE647801F4F0A991A2FC38E05A6488D069A3D222927B658038E76E05E71183A47372EE38180D9C0A43CCE63149955F1578869CF33A71 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\Benefits-Signature-RequestsPlan#241205.com.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 174515 |
Entropy (8bit): | 7.762228879626632 |
Encrypted: | false |
SSDEEP: | 3072:VBDvgzRFtlxi49x+lGHvS1aArSomD0WmejodDXVP+h2FUtAPicQZxso9:7DvCXtviQx8CvpuSoRe0rWNTxJ9 |
MD5: | 2090A6AC72CD30FA002B4682BFDC5E21 |
SHA1: | D56EE125775B2015B44006D50C01CE6A4744ABB0 |
SHA-256: | 5F862B98E08861F4B7E6078BEE8C7EC2BEF80686C04E3047BADCEFC96F783696 |
SHA-512: | 414513528B913FEE56DA9A15385EB71FD65B6EC486D502F086B87F87AAA0B18EC4448A0168B7BE0600D89E42041D558D766E33E00DEACDDD78B2AE4C31663C0B |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\Benefits-Signature-RequestsPlan#241205.com.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2561 |
Entropy (8bit): | 4.870990376573247 |
Encrypted: | false |
SSDEEP: | 48:y140jm+d7sQ58IHJ6fIVOCVNiXKU6U0pqPscYD4YW3/gMqiLj:zYbKLCVNCF/0paRgpgIHiLj |
MD5: | 556C42AD236F523422A8D33C7E01D769 |
SHA1: | 86AD2EE8FAD51E33C3D316083FE427E7D59F8BA2 |
SHA-256: | 47C9FA08E1FDB45FF4B68936E127BEF728DF2558B79CEA6F9CF812E7A06580E5 |
SHA-512: | B50D36A5839AE51BADC821764FC93C7409F62CB97A7677C0C759E06217C48D58EC3AA4554746CA8EFDF23E37B2E8A4B4C629B34E91C50F611578A8D3A58B2042 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\Benefits-Signature-RequestsPlan#241205.com.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2157 |
Entropy (8bit): | 4.7880500800335914 |
Encrypted: | false |
SSDEEP: | 48:4HbrcqCyK/bteSTO8zQQZOtkcbHdDZ/U5M5KyHDr+2hX/GM/:IrcqCyit5jUaONHnmyP+25 |
MD5: | BC7EDBFCEF64A6C616650E2D9A5A7245 |
SHA1: | A87D7BD6A4174FA5BF293BE370C4C08B319A144B |
SHA-256: | 02A443F69D7695AFB9B48BFA4F79D2820C1F5C0ED7747EFFDC5CDC7E5DA04747 |
SHA-512: | 6DF4FFC0CC1835E34C3D22282B6BF1502E852EB861AD5521C826945AFE8AF52347E34F32BF8EA5905431F1B42E3407D05E6D8E5352E63D018CFB1005FFD9F35E |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Benefits-Signature-RequestsPlan#241205.com.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3947 |
Entropy (8bit): | 4.982400359777868 |
Encrypted: | false |
SSDEEP: | 96:jExwfmqEDudI2enF8cEOJ1Zv0vp8+oXAv:jExYpwOOpIpv |
MD5: | 6968CFE66311AE9BB0DED77DE8492562 |
SHA1: | B2991E4B0427E879AD2ABDA54D94624B2D0EAC1E |
SHA-256: | D15FD3D370057160C77A483D9659CF6E79B3892665E0D87D9EF8859E4BE1AE59 |
SHA-512: | 111EF26E9DD6A1BE84C80FAEC57A6C144DB84A36CDC157E905F91985A221F91148B2B1ED92C2BF740458F959F495F8C559665C49A9E941399F3520139C3E4BE2 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Benefits-Signature-RequestsPlan#241205.com.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1360 |
Entropy (8bit): | 4.773554728401994 |
Encrypted: | false |
SSDEEP: | 24:fyuYAol4nRKNjFyl0cfj8K692BpWtHEaqWtnQ0gaQzjWTePZMAM:fyuYApRZ3vg2BpWeapa9+AM |
MD5: | AAEFD238CA955B45BC68D442FB059D5B |
SHA1: | 71FA1CA71CD483235E0121CB39C34F81511F975B |
SHA-256: | 241C8E953F55CE7B68983303E62DD43663DCAD2D32482318A0C9E13A59E37FFF |
SHA-512: | 6C9EAAD76DA058B89AC9413064605CCB4195EEBD477697D167F9EDE06DEDF6DD3A3723081317E4EE9DFCCEE5CE1AA27FFEC9AC5B9D21D3BF5B99D9EF752D6F6E |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Benefits-Signature-RequestsPlan#241205.com.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4335 |
Entropy (8bit): | 4.8827409322826085 |
Encrypted: | false |
SSDEEP: | 96:7S/jcLYcx/3Ii+AtAfS/hjHek1U0C1Duo9uPsfY6cKZci/5NeysyBm:7SbKnxFpAfSFHnU0C16o9tYuNeYm |
MD5: | 6C88A30B4D494FECB6B1364F0E591B9B |
SHA1: | 962C04C3D1A5DF4AA609AF206C3C351E25C8ED52 |
SHA-256: | 6CE8E19EAF50DF4811F04535695C2146C0D9664E70428E27DA844D99FE8DCA7E |
SHA-512: | 5BB08D4B7111285D0AB31E5A102CB7DE12FFD14EDAEF6023FD42106A500B7D89179A373488D89FC9A561295446B9AC8890390D46F45BC40FBF4F8F986DC298B9 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Benefits-Signature-RequestsPlan#241205.com.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3775 |
Entropy (8bit): | 4.950958257088217 |
Encrypted: | false |
SSDEEP: | 96:GfS1OD4x08ECtJTXQYMYS1SDNpDz97tS6KLva07ce7Z:ES1ODR8ECTMY2MNV97tBKDjhd |
MD5: | 7FEA240209F8B573DEFE77AF303502E9 |
SHA1: | FB010E47DAB492098E2B596AFCDAE259AAB5491F |
SHA-256: | 477003DCDB6BFBC409E90BB3E12BF4DE2437FC37E3944609B6D1563E0B4119F0 |
SHA-512: | 60C18B95C470130A1613700C098F3F57BAFE80DBD9875CFDF7D023E847182428287F5BEDDF54A64A58869360019697C2E23E2CF02FC121F0365B2F0336EFDFC7 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Benefits-Signature-RequestsPlan#241205.com.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 499 |
Entropy (8bit): | 4.255825957007059 |
Encrypted: | false |
SSDEEP: | 12:tVIa7sNyNSJY9GXCPtNAXZFn1a2Yxd810LZx:EEHEdCPtNEn1ahk0LZx |
MD5: | AE6051F666A4BE61FEE72E82BE9472FF |
SHA1: | 75E78487542EB4829CBEC88DEA748B7F83D6D93E |
SHA-256: | 2967EBEB5E16E9FB16CEB5F2770CC1718C9085D5188DEC59F45A9B97640B926A |
SHA-512: | 4F4948CEB6320514C801951AF1A8ED746D8A28D9520DCECB96802415D1C083327B2D8D0A24299C72D78C70A7B4C1D8A4C1286AB20257841AAD72D6192981EE72 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Benefits-Signature-RequestsPlan#241205.com.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3878 |
Entropy (8bit): | 4.817147450439702 |
Encrypted: | false |
SSDEEP: | 48:O/imajgqrd1bZRfozJhxaYUtIG7IvoMzau1GVtvSZb6//znYehs+Fot/A2QGcEZ:LggOJhxzUKG7Y43e9SVWaK |
MD5: | 2F948404EA3C59278E0D9BFCBE8D4C40 |
SHA1: | 5378D5D2B0FC0D0B8B966B5D902EB1BC7E6D779D |
SHA-256: | 28958123B65F320945BF723D1C61D73C3A8EB8312564074CB35E322FACB0DBEC |
SHA-512: | B808F7FA33194C57581DE9E6D7DB8A8A5DB275C005894B69D150D26FCB4B3A412BB2AC52A13C0D55A0E62EEDDBC6AE6F19B2CCB19CE23290E7E035C335134B0C |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Benefits-Signature-RequestsPlan#241205.com.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4824 |
Entropy (8bit): | 4.954663209503854 |
Encrypted: | false |
SSDEEP: | 96:To5JpHQbnj0h4vYskWqKXYDC0zNo4/UdvwQI3m8mNly7wDXcNLZc:gHmnwh4gaoDC0zNfUPeVm3pXclc |
MD5: | A8C0B0FD25B502DC728C818B01C4705E |
SHA1: | 83C8F134624D964B0946E634229C09262B786358 |
SHA-256: | 03822E3B8D5042BBC7751BABF9A2510E4C41F75AABAEF9D7317DAFED5C2DA04D |
SHA-512: | C945703CA4A7F28900A0929D4A6BBD4E2FFFE3323E574C5E4F8CE4D3A5A9FBAD948EA106BA030E66A66F52AAEFE957578A8FBABAB7FE3A42D0EDDAE095C285FD |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Benefits-Signature-RequestsPlan#241205.com.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4214 |
Entropy (8bit): | 5.046129082285061 |
Encrypted: | false |
SSDEEP: | 96:PCiBr5RPnr9McV1tvyZvDmRvNBlcF/XiEwyeivw:PVRPpMcftqZyRvHUXkbr |
MD5: | 9ADD6AD16F4E7B71089D9807757A8B85 |
SHA1: | 0127249EDC98852B4AFC12B17D8C00EA4BDE8519 |
SHA-256: | 82B86D8FB42303AE132DC37792151FDE087070B9AE5DD01BBC2D77B5762942F5 |
SHA-512: | 0D52F35B9AC792E909DA465FF72B1C089515EE936E9A1DDCBA076D719431F43AC9C4E93B2C3C33BCF6A94A7638BCB543399F8D235301CEDD34D6A16CA543EDEA |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Benefits-Signature-RequestsPlan#241205.com.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4604 |
Entropy (8bit): | 4.800828433192942 |
Encrypted: | false |
SSDEEP: | 96:2JZjKAUt4rE5yHGP/tmB4/cLodXL6FYYVtiCOfKRjY:iZjKAUt4Mh0CkenYQCRjY |
MD5: | 78C3F9CAADC9005059318C41AF371F53 |
SHA1: | 47427BE3D4D5C20B10EBE761D44FC3C6DD82B92F |
SHA-256: | 38DA1491F6996D1BD6C41949BB0EE04431D1F26991849BE89B3A4FAE488B76B1 |
SHA-512: | 250ACFC789595818403A27198C930A3DBE006336DE9DEC2C8C1E097C575D8CD1E2960A5B163975324FDC24B5CC9CE251FA28505CAE48A1FE8A9676BC17906120 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Benefits-Signature-RequestsPlan#241205.com.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2293 |
Entropy (8bit): | 5.0147763937793375 |
Encrypted: | false |
SSDEEP: | 48:RyaRUkDpACPmhYArwa+FoQTgxVEwCXxAVY0a+XOBj7A0ziFVx/:3UtZUos0VEwCBT9rleLx/ |
MD5: | 66FE8032945556E76D24C01F08AA618B |
SHA1: | 2D1C5646DD4DE7BE749CA66729962DBDAB1AD4D6 |
SHA-256: | 8A0A214E24B244B5482BA9B064199EA53BC3975C89F70C04E8CF3021EA49FE56 |
SHA-512: | 01B1B5E568E90C4F0C303F743F6E8288A3CC82BFDCCBB8E5C95125A74F9531BC7A24831FFDAFE95678161AA41A793A092E52C44E0AE625150FD24BB84B469A79 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Benefits-Signature-RequestsPlan#241205.com.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2256 |
Entropy (8bit): | 4.849771089742746 |
Encrypted: | false |
SSDEEP: | 48:5wV8WDczEuKBEKKXiCPsWafh/QrJKmGhYbG5sM:5wVOWSyCdYQNDGN |
MD5: | 2A94C01E0FEC66A108816A0758176AAD |
SHA1: | E13323600B9250DE1EB773D897D4278F57ADC5C4 |
SHA-256: | B2B861402ECF76335D00DF2551817EF8D8B1307D8D3E0A1349149779B26EB40A |
SHA-512: | 2081EB47CFABFD269D1708641D61FDB6D1AD0F402821CCE808FDD404F7382F8B36726590CBDE17A2F1FAD29F5160B99B21C24DF27842E5D433A76DE1670B109C |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Benefits-Signature-RequestsPlan#241205.com.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 10572 |
Entropy (8bit): | 4.474055010709058 |
Encrypted: | false |
SSDEEP: | 192:dbjMuE9OL481Ow4fQLQTCZ7AfSZWDfIsySDi9aI5n:d69Xrw4gQT+Af5dySDI5n |
MD5: | 57FD79EAFAC08A7C1673C636B45B9078 |
SHA1: | 0C53D2EB5C9DEF770958F26966258F72A79B0C36 |
SHA-256: | EF77D0B3E4BA913094FA838E8A08CE588C4608A6A697AC390E539688CDB4C171 |
SHA-512: | DA4053FFF1898A1A9AAAD9B0A135580AC89E42BD2B9B7D8C54AA36362137B58E368D9F369CDB2743F4E5BC70D326E65B633EA962319E2B12EA2AE4D6F117B6A4 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 7.378150515131689 |
TrID: | |
File name: | Benefits-Signature-RequestsPlan#241205.com.exe |
File size: | 325'982 bytes |
MD5: | 46e978f5dee2d39687269d77e44df3cf |
SHA1: | f15c27a41a2e7e78b07df29c687da3e70e813e66 |
SHA256: | 5828d4217d31c59b79df8a93b0a52332d4d3ef267f02c2448c463338e017f48d |
SHA512: | 81c38dd8ed41e0fc6b8a83ea536ca568c10cf1ee994edd0ef2acd00e85f45db85830f68e78e28679036d6e950617e4405e1a24fb293bf3e8fabc885f92ca9d19 |
SSDEEP: | 6144:A9X0GAbjQDWEofo891UrIq5ezWQn1SGse/yuIW7Nrw0zRRb4iUH13T:G0t/voK1UwzWQ13setIWRw0NZlo13T |
TLSH: | 3864D0422AA486E3E728057094B7E771CE78AD7065040B17AED4BBEF7F37B865D9D002 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG..sw..PG..VA..PG.Rich.PG.........PE..L.....$_.................f...|......H3............@ |
Icon Hash: | 968646a6c7060f66 |
Entrypoint: | 0x403348 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x5F24A9AF [Fri Jul 31 23:30:55 2020 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | ced282d9b261d1462772017fe2f6972b |
Instruction |
---|
sub esp, 00000184h |
push ebx |
push esi |
push edi |
xor ebx, ebx |
push 00008001h |
mov dword ptr [esp+18h], ebx |
mov dword ptr [esp+10h], 0040A198h |
mov dword ptr [esp+20h], ebx |
mov byte ptr [esp+14h], 00000020h |
call dword ptr [004080B8h] |
call dword ptr [004080BCh] |
and eax, BFFFFFFFh |
cmp ax, 00000006h |
mov dword ptr [0042F42Ch], eax |
je 00007F79BCC60EF3h |
push ebx |
call 00007F79BCC64056h |
cmp eax, ebx |
je 00007F79BCC60EE9h |
push 00000C00h |
call eax |
mov esi, 004082A0h |
push esi |
call 00007F79BCC63FD2h |
push esi |
call dword ptr [004080CCh] |
lea esi, dword ptr [esi+eax+01h] |
cmp byte ptr [esi], bl |
jne 00007F79BCC60ECDh |
push 0000000Bh |
call 00007F79BCC6402Ah |
push 00000009h |
call 00007F79BCC64023h |
push 00000007h |
mov dword ptr [0042F424h], eax |
call 00007F79BCC64017h |
cmp eax, ebx |
je 00007F79BCC60EF1h |
push 0000001Eh |
call eax |
test eax, eax |
je 00007F79BCC60EE9h |
or byte ptr [0042F42Fh], 00000040h |
push ebp |
call dword ptr [00408038h] |
push ebx |
call dword ptr [00408288h] |
mov dword ptr [0042F4F8h], eax |
push ebx |
lea eax, dword ptr [esp+38h] |
push 00000160h |
push eax |
push ebx |
push 00429850h |
call dword ptr [0040816Ch] |
push 0040A188h |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8544 | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x55000 | 0x19070 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x29c | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x6457 | 0x6600 | f6e38befa56abea7a550141c731da779 | False | 0.6682368259803921 | data | 6.434985703212657 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x8000 | 0x1380 | 0x1400 | 569269e9338b2e8ce268ead1326e2b0b | False | 0.4625 | data | 5.2610038973135005 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xa000 | 0x25538 | 0x600 | 17edd496e40111b5a48947c480fda13c | False | 0.4635416666666667 | data | 4.133728555004788 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.ndata | 0x30000 | 0x25000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x55000 | 0x19070 | 0x19200 | fe8809c5c9eeb1a0843e35f8758c2083 | False | 0.37116176927860695 | data | 5.512258056875945 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x552c8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | English | United States | 0.34928427777120546 |
RT_ICON | 0x65af0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | English | United States | 0.4194024563060935 |
RT_ICON | 0x69d18 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | English | United States | 0.4966804979253112 |
RT_ICON | 0x6c2c0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | United States | 0.5023452157598499 |
RT_ICON | 0x6d368 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | English | United States | 0.6409574468085106 |
RT_DIALOG | 0x6d7d0 | 0x100 | data | English | United States | 0.5234375 |
RT_DIALOG | 0x6d8d0 | 0x11c | data | English | United States | 0.6056338028169014 |
RT_DIALOG | 0x6d9f0 | 0xc4 | data | English | United States | 0.5918367346938775 |
RT_DIALOG | 0x6dab8 | 0x60 | data | English | United States | 0.7291666666666666 |
RT_GROUP_ICON | 0x6db18 | 0x4c | data | English | United States | 0.8026315789473685 |
RT_VERSION | 0x6db68 | 0x1c8 | data | English | United States | 0.5021929824561403 |
RT_MANIFEST | 0x6dd30 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795 |
DLL | Import |
---|---|
ADVAPI32.dll | RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA |
SHELL32.dll | SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA |
ole32.dll | IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree |
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked |
USER32.dll | SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard |
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject |
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Target ID: | 0 |
Start time: | 14:11:52 |
Start date: | 22/05/2024 |
Path: | C:\Users\user\Desktop\Benefits-Signature-RequestsPlan#241205.com.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 325'982 bytes |
MD5 hash: | 46E978F5DEE2D39687269D77E44DF3CF |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | false |
Execution Graph
Execution Coverage: | 21.5% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 16.6% |
Total number of Nodes: | 1545 |
Total number of Limit Nodes: | 37 |
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
00403348 | 93.1 | 32 | 21 | 366 | string, com, file, COMMON |
0040535C | 66.8 | 36 | 2 | 282 | window, clipboard, memory, COMMON |
6E7C1A98 | 20.1 | 13 | | 591 | string, library, memory, COMMON |
004058BF | 17.7 | 7 | 3 | 159 | file, string, COMMON |
0040646B | 3.0 | 2 | | 14 | file, COMMON |
004027A1 | 1.5 | 1 | | 29 | file, COMMON |
00403CA7 | 59.8 | 32 | 2 | 346 | window, string, COMMON |
0040390A | 47.5 | 13 | 14 | 215 | string, registry, COMMON |
00402EA1 | 26.4 | 5 | 10 | 181 | memory, COMMON |
0040618A | 21.2 | 7 | 5 | 199 | string, COMMON |
00401759 | 17.6 | 5 | 5 | 147 | string, time, COMMON |
0040521E | 14.1 | 7 | 1 | 73 | string, window, COMMON |
00406492 | 10.5 | 3 | 3 | 36 | library, COMMON |
0040209D | 8.8 | 4 | 1 | 73 | library, loader, COMMON |
00401C2E | 7.1 | 3 | 1 | 84 | window, time, COMMON |
00402476 | 7.1 | 3 | 1 | 64 | registry, string, COMMON |
00405FDE | 5.3 | 2 | 1 | 44 | registry, COMMON |
00405796 | 5.3 | 2 | 1 | 24 | process, COMMON |
00401B87 | 4.6 | 2 | 1 | 72 | memory, COMMON |
00401389 | 3.0 | 2 | | 43 | window, COMMON |
00401EC5 | 3.0 | 2 | | 25 | COMMON |
00405C90 | 3.0 | 2 | | 16 | file, COMMON |
00405761 | 3.0 | 2 | | 9 | COMMON |
0040239C | 1.5 | 1 | | 26 | COMMON |
0040171F | 1.5 | 1 | | 24 | COMMON |
00405D08 | 1.5 | 1 | | 22 | file, COMMON |
00405D37 | 1.5 | 1 | | 22 | file, COMMON |
6E7C2921 | 1.5 | 1 | | 21 | memory, COMMON |
0040159D | 1.5 | 1 | | 18 | COMMON |
004041C7 | 1.5 | 1 | | 9 | window, COMMON |
00403300 | 1.5 | 1 | | 6 | COMMON |
004041B0 | 1.5 | 1 | | 6 | window, COMMON |
0040419D | 1.5 | 1 | | 4 | COMMON |
00401F7B | 1.3 | 1 | | 37 | COMMON |
6E7C101B | 1.3 | 1 | | 13 | memory, COMMON |
6E7C1215 | 1.3 | 1 | | 4 | memory, COMMON |
0040460D | 28.3 | 10 | 6 | 274 | string, COMMON |
00406945 | .3 | | | 334 | COMMON |
0040711C | .3 | | | 300 | COMMON |
00404B80 | 63.5 | 33 | 3 | 491 | window, memory, COMMON |
004042E6 | 38.7 | 19 | 3 | 202 | window, string, COMMON |
00405D66 | 21.1 | 10 | 2 | 129 | memory, string, COMMON |
004041E2 | 12.1 | 8 | | 68 | COMMON |
6E7C24D8 | 10.6 | 7 | | 124 | COMMON |
00404ACE | 10.5 | 5 | 1 | 48 | window, COMMON |
00402DBA | 10.5 | 5 | 1 | 40 | time, COMMON |
6E7C22F1 | 9.1 | 6 | | 140 | memory, COMMON |
004049C4 | 8.8 | 3 | 2 | 84 | string, COMMON |
6E7C1837 | 7.7 | 5 | | 194 | COMMON |
00401D65 | 7.6 | 5 | | 75 | window, COMMON |
00405A8F | 7.0 | 3 | 1 | 16 | string, COMMON |
00402E3D | 6.0 | 4 | | 33 | COMMON |
00405B7D | 5.3 | 2 | 1 | 46 | string, COMMON |
00405192 | 5.3 | 2 | 1 | 46 | window, COMMON |
00405AD6 | 5.3 | 2 | 1 | 16 | string, COMMON |
6E7C10E0 | 5.1 | 4 | | 102 | memory, COMMON |
00405BF5 | 5.0 | 4 | | 37 | string, COMMON |