Windows
Analysis Report
eXiJWkp8OE.exe
Overview
General Information
Sample name: | eXiJWkp8OE.exe (renamed because original name is a hash value) |
Original sample name: | ad98db4c044bc51bd2d6b0df5050291dc589135794f798dbafdf720ac64112e2.exe |
Analysis ID: | 1466879 |
MD5: | 1209391dff4079c9c796efb0af814c08 |
SHA1: | 695a11f6ba7fcae6e61f9eafa908c3cb4a6cd152 |
SHA256: | ad98db4c044bc51bd2d6b0df5050291dc589135794f798dbafdf720ac64112e2 |
Tags: | exe |
Infos: | |
Detection
Score: | 80 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
  - eXiJWkp8OE.exe (PID: 7288 cmdline: "C:\Users\user\Desktop\eXiJWkp8OE.exe" MD5: 1209391DFF4079C9C796EFB0AF814C08)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | |
AV Detection |
---|
Source: | Avira: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Code function: | 0_2_0040596F |
Source: | Code function: | 0_2_004064C1 |
Source: | Code function: | 0_2_004027FB |
Source: | String found in binary or memory: |
Source: | Code function: | 0_2_0040541C |
Source: | Process Stats: |
Source: | Code function: | 0_2_05128D05 |
Source: | Code function: | 0_2_004033B6 |
Source: | File created: |
Source: | Code function: | 0_2_00406846 |
Source: | Code function: | 0_2_00404C59 |
Source: | Code function: | 0_2_050E0C72 |
Source: | Code function: | 0_2_050EE613 |
Source: | Code function: | 0_2_05128F25 |
Source: | Code function: | 0_2_05125940 |
Source: | Code function: | 0_2_051256B5 |
Source: | Code function: | 0_2_050E0BE8 |
Source: | Static PE information: |
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Code function: | 0_2_004033B6 |
Source: | Code function: | 0_2_004046DD |
Source: | Code function: | 0_2_00402095 |
Source: | File created: |
Source: | Static PE information: |
Source: | File read: |
Source: | Key opened: |
Source: | ReversingLabs: |
Source: | File read: |
Source: | Section loaded: |
Source: | Key value queried: |
Source: | File written: |
Source: | Static PE information: |
Data Obfuscation |
---|
Source: | File source: |
Source: | Code function: | 0_2_10001B18 |
Source: | Code function: | 0_2_10002E0E |
Source: | Code function: | 0_2_04BBFB9C |
Source: | Code function: | 0_2_04BC2B9C |
Source: | File created: |
Source: | Process information set: |
Malware Analysis System Evasion |
---|
Source: | API/Special instruction interceptor: |
Source: | RDTSC instruction interceptor: |
Source: | Code function: | 0_2_050E0A86 |
Source: | Dropped PE file which has not been started: |
Source: | Code function: | 0_2_0040596F |
Source: | Code function: | 0_2_004064C1 |
Source: | Code function: | 0_2_004027FB |
Source: | Binary or memory string: |
Source: | API call chain: | graph_0-5624 |
Source: | API call chain: | graph_0-5626 |
Source: | Code function: | 0_2_050E0A86 |
Source: | Code function: | 0_2_00402E41 |
Source: | Code function: | 0_2_10001B18 |
Source: | Code function: | 0_2_004061A0 |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Access Token Manipulation | 11 Masquerading | OS Credential Dumping | 211 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Access Token Manipulation | LSASS Memory | 3 File and Directory Discovery | Remote Desktop Protocol | 1 Clipboard Data | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 23 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 53% | ReversingLabs | Win32.Trojan.Guloader | |
| 100% | Avira | TR/AD.NsisInject.edcss | |
| 100% | Joe Sandbox ML | | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | ReversingLabs | | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | URL Reputation | safe | |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1466879 |
Start date and time: | 2024-07-03 14:33:04 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 7m 57s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 5 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | eXiJWkp8OE.exe (renamed because original name is a hash value) |
Original Sample Name: | ad98db4c044bc51bd2d6b0df5050291dc589135794f798dbafdf720ac64112e2.exe |
Detection: | MAL |
Classification: | mal80.troj.evad.winEXE@1/10@0/0 |
EGA Information: |
HCA Information: |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- VT rate limit hit for: eXiJWkp8OE.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
C:\Users\user\AppData\Local\Temp\nsr69D8.tmp\System.dll | | | malicious | FormBook, GuLoader | | |
| | | malicious | GuLoader | | |
| | | malicious | FormBook, GuLoader | | |
| | | malicious | GuLoader | | |
| | | malicious | GuLoader, Remcos | | |
| | | malicious | GuLoader | | |
| | | malicious | FormBook, GuLoader | | |
| | | malicious | GuLoader | | |
| | | malicious | GuLoader | | |
| | | malicious | FormBook, GuLoader | | |
Process: | C:\Users\user\Desktop\eXiJWkp8OE.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 44 |
Entropy (8bit): | 4.81705292530797 |
Encrypted: | false |
SSDEEP: | 3:x41xmQQLQIfLBJXmgxv:xsxmQQkIP2I |
MD5: | 698ACD9EC3D87696ABE82BB0D9970F28 |
SHA1: | 9ADB6617C95902BD10B05A82436C5AA61CBE14A0 |
SHA-256: | 8FC6E44C13EB046C8EA7424EA799A7E66AABC220B4CE6CD404ED160C996030D1 |
SHA-512: | 18715DF4EBAE19BA54F387988DED991816C9C96D8357FC9ED78B01897BAF2649C5D6E3A9B1A3B52FAF8660DB3A8BA3B89C7B0D7130C646F2912A1EE844B5CB60 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\eXiJWkp8OE.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 11776 |
Entropy (8bit): | 5.656060535507129 |
Encrypted: | false |
SSDEEP: | 192:eS24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35OloSl:S8QIl975eXqlWBrz7YLOlo |
MD5: | FC3772787EB239EF4D0399680DCC4343 |
SHA1: | DB2FA99EC967178CD8057A14A428A8439A961A73 |
SHA-256: | 9B93C61C9D63EF8EC80892CC0E4A0877966DCA9B0C3EB85555CEBD2DDF4D6EED |
SHA-512: | 79E491CA4591A5DA70116114B7FBB66EE15A0532386035E980C9DFE7AFB59B1F9D9C758891E25BFB45C36B07AFD3E171BAC37A86C887387EF0E80B1EAF296C89 |
Malicious: | false |
Antivirus: |
Joe Sandbox View: |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\eXiJWkp8OE.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1080082 |
Entropy (8bit): | 3.4676970575371584 |
Encrypted: | false |
SSDEEP: | 12288:vP70bFDaA44s1mjX5Nvyh+lCuEtf5NNuuU/dE:Xjf1mjX3e/fLNsE |
MD5: | AA52637846AE5788905B6E3C4B82342D |
SHA1: | 9DD08619A0A930A8943B6408EE4484CFABC40E52 |
SHA-256: | 7E32E202AB2775D67FB76F3DE191C225BCC532E4EC2BBA2D5672F0A2AAD0A89A |
SHA-512: | A6146CEB90CDCF81A79605F51A080D4506CC0A9560D2227F09622DAE51561E3052051248B250BB41FEC140C826FA292FB44EFBBBCE3A42B9253CBB37822661E4 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\eXiJWkp8OE.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 44 |
Entropy (8bit): | 4.126950016748872 |
Encrypted: | false |
SSDEEP: | 3:pGXDKI7WLhMGYDzOc3n:QOLhLYnr3n |
MD5: | 91C4F98316BDDADC66FCF70398CE4C16 |
SHA1: | B2B0CB16FDFCE2A8CB324750E4DB6A453BCC937A |
SHA-256: | CA353EE13D34DD61D6E15CF88789AFAB0E879F2C8F93CE58364D4B200C2C958B |
SHA-512: | 022EBD6C5951C4F416C1D513BFAA91DE9F05AB7574289852B144F2B90FCD54C52EDDB44768C9FE4E012899B277D26C680D2356BED466FC2B0F6E0977379CF0EE |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\eXiJWkp8OE.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 201209 |
Entropy (8bit): | 0.15441833754537992 |
Encrypted: | false |
SSDEEP: | 96:YGSXMOfcTWl2n5lb8gVsMZTisIrVPPBdV:YGSXMOfcTWs5lb8gVsMcsIrVHBdV |
MD5: | 54CD663724ACFE5547D2A09D2D216502 |
SHA1: | 039B4D8D04CE14696DBAB075425B8BC5BF387F43 |
SHA-256: | D551460BFE6F675E72B51F9B75CF2B6F464370CA3EF95F08F97582A30C157CCA |
SHA-512: | 997F1E677440C523394B72EEE2E4456A1A82D867B434FE45D6E2C36D4607ED9B3E6F1DB3C4C6E46F2408A5BCDDEDEC1818F64571DE8B8DCD56A358ACACBB6607 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\eXiJWkp8OE.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 356397 |
Entropy (8bit): | 7.693267485199153 |
Encrypted: | false |
SSDEEP: | 6144:Y5Z/ntOHbFa6VUB+f447HfSPxN1t8emN7vXXpNUGRiRbh+rBCuEX9flibgNNuuIr:vbFDaA44s1mjX5Nvyh+lCuEtf5NNuuU/ |
MD5: | D0711BF286C31474C7D121502D8D4C7D |
SHA1: | EAD25C6191E47690C20092B5780A15C37EDF8EA1 |
SHA-256: | 98C643CF23ADF2A64CF38A129F328F029970BDF1C27E9EDDF18D8A5112CB8185 |
SHA-512: | 3DA7583DADA8FAA6CBB446E32B282292448E26689A57D634F8D1824CDC78CC690B431B988D4AA785E9D505A0A22DD4E8921785F9E5DA7AEB2385DFD4202DC324 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\tndingers\idyllion\Farthest122\Burdalone\hovedstoles\Overtenaciousness\Yves231.txt
Process: | C:\Users\user\Desktop\eXiJWkp8OE.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 420 |
Entropy (8bit): | 4.279139119874913 |
Encrypted: | false |
SSDEEP: | 12:CSAqUxYS+QA/Ulb0+UsQw6Y57RW/dv8iHzxn:JAqUif/UlI+kNMYV8iHzx |
MD5: | D9513425BD0FA572C6870B8AE7EC6749 |
SHA1: | 9362F26597C73F909DD32CC0328450BA8A92137A |
SHA-256: | E53489D36794F21533560A90AA88E01E2C8BCB266313E660F540013870E2E33A |
SHA-512: | 4FDC68103628E5F8E17AB1FD64E7EA16F9F4FA538007E4E8B818D0DFA8FFC0C163A5613B630B50775F9C07E53D41BB1C9BAD36146D0D12B5C6D6F25F3570C8B0 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\eXiJWkp8OE.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 185685 |
Entropy (8bit): | 0.15794109990694136 |
Encrypted: | false |
SSDEEP: | 48:3O9CNivRD191rH6pI3JI2PSiEzHGFJrRheiubPk7qYQiZ1BkTxSSysNsJCUv7flZ:+9BpFFZ1PStjqRluTBvK/uyTJCqNwEd |
MD5: | 12F76E82DCE91459C7B810BB597635B0 |
SHA1: | 12AE593D6E8C0F2B9EBBB66509047571D0826444 |
SHA-256: | DBEB677B4A46C7FABDB9F63F3BCB287C66730AB832FAE6B653EDF61B3FEA0ADD |
SHA-512: | DEA83DF51D397FAAD119B25D5DBC135A1C18B662C8D63C544C86443A9D27D1731328EEDC037F73140A80A0AE8A9B792C5ACEB9D988AED6271155FAA29D6F41D8 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\eXiJWkp8OE.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 109604 |
Entropy (8bit): | 0.15512892516699378 |
Encrypted: | false |
SSDEEP: | 48:dFa8OdJATAcKZ2JWbL6chUmv4p5m4BNYGmHNQiu:8AoYYbOchUmwjSGmS |
MD5: | 6D474B2A2A52442BA06641B32BA9426A |
SHA1: | 1C35D73A6882ADAC2D97DE79A1E0C3FEFE02E3B9 |
SHA-256: | A959C155DD886C91F15FB50245965EA7869FC63FF3A8DAC89D30B7D83D6D3E0F |
SHA-512: | 8A84D602C8FD88F862E808CA597FB3313A9D1C3F20963048703699CF38CA9D573459A3610B42D544B952EC7DAE864C4AAC8F048FB0A5029BC6CA360564EAFDB6 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\eXiJWkp8OE.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 199937 |
Entropy (8bit): | 0.15680391851126443 |
Encrypted: | false |
SSDEEP: | 48:9DPUbZj8geR5P1YcSiOVv/fbQ0aC3kuN7AcD99HxjQMXOh+vQ+ofjk55u4dZYVMq:RMVjteRohzaK7A+6+Y+KjkurP2W8N |
MD5: | BB1F6067B4E96CE0CC0EE0D2FED548E3 |
SHA1: | 3CDBE6747ECCA5772B47B81D40F5E9D7E08739DD |
SHA-256: | 404D41E5442D03925F740F9BEB168551C38F612977FE3DDC9DD64F0585BA60B6 |
SHA-512: | 1B57AA5E2016FC172E65C74ECF48E65157D0C6B67A8F8B72460888F16E2521FDFE209DA4EFB2E4F68DD43AFBA2A224CE98149C096F8701BE233BC2120EFAA12D |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 7.499898717032478 |
TrID: |
File name: | eXiJWkp8OE.exe |
File size: | 476'328 bytes |
MD5: | 1209391dff4079c9c796efb0af814c08 |
SHA1: | 695a11f6ba7fcae6e61f9eafa908c3cb4a6cd152 |
SHA256: | ad98db4c044bc51bd2d6b0df5050291dc589135794f798dbafdf720ac64112e2 |
SHA512: | e6e21a3fe30ff34622aecd6636e64f5110b5cba13683873bb3f1b200ac59920fc4e9fdedb8bb2150e7b0c6ad0bd87982d704fb6bc30cc7dc9f01b0d5a6f7f432 |
SSDEEP: | 12288:+gEdT9KvsdBJUeABk+x12lUunkxkq2Ule:kdTQELJoBk+2yVxkqhe |
TLSH: | 23A401AA7904E416D5BA0879C8B7D9F11A246E7CE9423E077751BF0F35B3503283A92F |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P..*_...P...P..OP..*_...P...s...P...V...P..Rich.P..........PE..L....{.W.................b...*.......3............@ |
Icon Hash: | 09080941072d1903 |
Entrypoint: | 0x4033b6 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x57807BD5 [Sat Jul 9 04:21:41 2016 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 4ea4df5d94204fc550be1874e1b77ea7 |
Signature Valid: | false |
Signature Issuer: | E=Bistered@Overabundance23.St, O=Cibophobia, OU="Salthorste Brnefilm ", CN=Cibophobia, L=Imling, S=Grand Est, C=FR |
Signature Validation Error: | A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider |
Error Number: | -2146762487 |
Not Before, Not After |
Subject Chain |
Version: | 3 |
Thumbprint MD5: | 6C111DE33AF5D28B2956CE4E3B42918A |
Thumbprint SHA-1: | 97168EB4EDB12FE15E824346D5C7E765A93D9BB2 |
Thumbprint SHA-256: | 798B4B1A09185B441FC9A288C2F6ADCD9F0194C57E94CF87D3042CE4ACA01FD9 |
Serial: | 2F9479FCCEDA7BF9644DD4914C20B56AF579CD3F |
Instruction |
---|
sub esp, 000002D4h |
push ebx |
push esi |
push edi |
push 00000020h |
pop edi |
xor ebx, ebx |
push 00008001h |
mov dword ptr [esp+14h], ebx |
mov dword ptr [esp+10h], 0040A230h |
mov dword ptr [esp+1Ch], ebx |
call dword ptr [004080B4h] |
call dword ptr [004080B0h] |
cmp ax, 00000006h |
je 00007F18807EB283h |
push ebx |
call 00007F18807EE3DCh |
cmp eax, ebx |
je 00007F18807EB279h |
push 00000C00h |
call eax |
mov esi, 004082B8h |
push esi |
call 00007F18807EE356h |
push esi |
call dword ptr [0040815Ch] |
lea esi, dword ptr [esi+eax+01h] |
cmp byte ptr [esi], 00000000h |
jne 00007F18807EB25Ch |
push ebp |
push 00000009h |
call 00007F18807EE3AEh |
push 00000007h |
call 00007F18807EE3A7h |
mov dword ptr [0042A244h], eax |
call dword ptr [0040803Ch] |
push ebx |
call dword ptr [004082A4h] |
mov dword ptr [0042A2F8h], eax |
push ebx |
lea eax, dword ptr [esp+34h] |
push 000002B4h |
push eax |
push ebx |
push 004216E8h |
call dword ptr [00408188h] |
push 0040A384h |
push 00429240h |
call 00007F18807EDF90h |
call dword ptr [004080ACh] |
mov ebp, 00435000h |
push eax |
push ebp |
call 00007F18807EDF7Eh |
push ebx |
call dword ptr [00408174h] |
add word ptr [eax], 0000h |
Programming Language: |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x55000 | 0x18a88 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x72230 | 0x2278 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b4 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x615d | 0x6200 | 0b0812166ebbd0109e7f5e007b182949 | False | 0.6616709183673469 | data | 6.450231726170125 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x8000 | 0x13a4 | 0x1400 | 4ac891d4ddf58633f14436f9f80ac6b6 | False | 0.4529296875 | data | 5.163001655755973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xa000 | 0x20338 | 0x600 | 66b45fceba0f24d768fb09e0afe23c99 | False | 0.5026041666666666 | data | 3.9824009583068882 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.ndata | 0x2b000 | 0x2a000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x55000 | 0x18a88 | 0x18c00 | 22de74f39c108d279067eb856b03e0a7 | False | 0.27538076073232326 | data | 4.262327938416955 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x55448 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | English | United States | 0.16749970424701288 |
RT_ICON | 0x65c70 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.383195020746888 |
RT_ICON | 0x68218 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.45614446529080677 |
RT_ICON | 0x692c0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | United States | 0.5906183368869936 |
RT_ICON | 0x6a168 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States | 0.5504098360655738 |
RT_ICON | 0x6aaf0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | United States | 0.6787003610108303 |
RT_ICON | 0x6b398 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | English | United States | 0.7021889400921659 |
RT_ICON | 0x6ba60 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 | English | United States | 0.4451219512195122 |
RT_ICON | 0x6c0c8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | United States | 0.6380057803468208 |
RT_ICON | 0x6c630 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.699468085106383 |
RT_ICON | 0x6ca98 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | United States | 0.5295698924731183 |
RT_ICON | 0x6cd80 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 0 | English | United States | 0.6127049180327869 |
RT_ICON | 0x6cf68 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | United States | 0.6858108108108109 |
RT_DIALOG | 0x6d090 | 0x100 | data | English | United States | 0.5234375 |
RT_DIALOG | 0x6d190 | 0x11c | data | English | United States | 0.6056338028169014 |
RT_DIALOG | 0x6d2b0 | 0xc4 | data | English | United States | 0.5918367346938775 |
RT_DIALOG | 0x6d378 | 0x60 | data | English | United States | 0.7291666666666666 |
RT_GROUP_ICON | 0x6d3d8 | 0xbc | data | English | United States | 0.601063829787234 |
RT_VERSION | 0x6d498 | 0x2b0 | data | English | United States | 0.5 |
RT_MANIFEST | 0x6d748 | 0x340 | XML 1.0 document, ASCII text, with very long lines (832), with no line terminators | English | United States | 0.5540865384615384 |
DLL | Import |
---|---|
KERNEL32.dll | SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, CreateFileW, GetFileSize, MoveFileW, SetFileAttributesW, GetModuleFileNameW, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, WaitForSingleObject, GetCurrentProcess, CompareFileTime, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GlobalFree, GlobalAlloc, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, ExpandEnvironmentStringsW, lstrcmpW, GetDiskFreeSpaceW, lstrlenW, lstrcpynW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW |
USER32.dll | GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, LoadImageW, SetTimer, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, DrawTextW, EndPaint, CreateDialogParamW, SendMessageTimeoutW, SetForegroundWindow |
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW |
ADVAPI32.dll | RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW |
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create |
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Target ID: | 0 |
Start time: | 08:33:58 |
Start date: | 03/07/2024 |
Path: | C:\Users\user\Desktop\eXiJWkp8OE.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 476'328 bytes |
MD5 hash: | 1209391DFF4079C9C796EFB0AF814C08 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
Reputation: | low |
Has exited: | false |
Execution Graph
Execution Coverage: | 14.8% |
Dynamic/Decrypted Code Coverage: | 21% |
Signature Coverage: | 24.2% |
Total number of Nodes: | 1713 |
Total number of Limit Nodes: | 50 |
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
004033B6 | 86.2 | 33 | 16 | 401 | string, file, com, COMMON |
0040541C | 66.8 | 36 | 2 | 284 | window, clipboard, memory, COMMON |
00402E41 | 24.7 | 5 | 9 | 203 | memory, COMMON |
004061A0 | 21.2 | 8 | 4 | 207 | string, COMMON |
0040596F | 15.9 | 7 | 2 | 148 | file, string, COMMON |
00406846 | 5.4 | 4 | | 382 | COMMON |
050E0C72 | 1.6 | | 1 | 356 | COMMON (Yara matches) |
00403D6A | 58.1 | 32 | 1 | 345 | window, string, COMMON |
004039C7 | 44.0 | 13 | 12 | 215 | string, registry, COMMON |
00401767 | 15.9 | 5 | 4 | 145 | string, time, COMMON |
004052DD | 14.1 | 7 | 1 | 72 | string, window, COMMON |
004064E8 | 10.5 | 3 | 3 | 36 | library, COMMON |
0040237B | 8.8 | 4 | 1 | 71 | registry, string, COMMON |
00406C7B | 5.2 | 4 | | 236 | COMMON |
00406E7C | 5.2 | 4 | | 208 | COMMON |
00406B92 | 5.2 | 4 | | 205 | COMMON |
00406697 | 5.2 | 4 | | 198 | COMMON |
00406AE5 | 5.2 | 4 | | 180 | COMMON |
00406C03 | 5.2 | 4 | | 170 | COMMON |
00406B4F | 5.2 | 4 | | 168 | COMMON |
004031EF | 4.6 | 3 | | 101 | COMMON |
00401FC3 | 4.6 | 3 | | 73 | library, COMMON |
100028A4 | 3.2 | 2 | | 156 | file, COMMON |
004030E7 | 3.1 | 2 | | 88 | COMMON |
00401389 | 3.0 | 2 | | 43 | window, COMMON |
00405D53 | 3.0 | 2 | | 16 | file, COMMON |
00405D2E | 3.0 | 2 | | 13 | COMMON |
00405829 | 3.0 | 2 | | 9 | COMMON |
0040229D | 1.5 | 1 | | 25 | COMMON |
00405E05 | 1.5 | 1 | | 22 | file, COMMON |
00405DD6 | 1.5 | 1 | | 22 | file, COMMON |
100027C7 | 1.5 | 1 | | 21 | memory, COMMON |
004022DF | 1.5 | 1 | | 20 | COMMON |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040159B Relevance: 1.5, APIs: 1, Instructions: 18COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040428E Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040336E Relevance: 1.5, APIs: 1, Instructions: 6COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00404277 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00404264 Relevance: 1.5, APIs: 1, Instructions: 4COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 17sleepCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00404C59 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004046DD Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 05128F25 Relevance: 2.7, Strings: 2, Instructions: 169COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004027FB Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 051256B5 Relevance: 1.4, Strings: 1, Instructions: 134COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 050EE613 Relevance: .2, Instructions: 207COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 050E0BE8 Relevance: .2, Instructions: 183COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 05125940 Relevance: .2, Instructions: 160COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 050E0A86 Relevance: .1, Instructions: 93COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004043DF Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 207windowstringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405EAD Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131stringmemoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 100022D0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136memoryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004042A9 Relevance: 12.1, APIs: 8, Instructions: 61COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004025E5 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151fileCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00404BA7 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00402D04 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 100024A9 Relevance: 9.1, APIs: 6, Instructions: 98COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00404A99 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00402537 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67stringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 100018A9 Relevance: 7.7, APIs: 5, Instructions: 189COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 100015FF Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00401CFA Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00401BDF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040604B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45registryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405B32 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405C3A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405251 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040585E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405B7E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 100010E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405CB8 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|