Windows
Analysis Report
setup.exe
Overview
General Information
Detection
Score: | 3 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 60% |
Signatures
Classification
- System is w10x64
- setup.exe (PID: 2100 cmdline: "C:\Users\user\Desktop\setup.exe" MD5: CA4D56ABBA85C97023F2E236DC82C4AA)
- cleanup
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
Credentials | Domains | Default Accounts | 21 Native API | Boot or Logon Initialization Scripts | 1 Process Injection | 1 Access Token Manipulation | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Process Injection | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 3 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | ReversingLabs | | |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1530829 |
Start date and time: | 2024-10-10 15:36:07 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 2m 9s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 2 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | setup.exe |
Detection: | CLEAN |
Classification: | clean3.winEXE@1/1@0/0 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): dllhost.exe
- Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net
- VT rate limit hit for: setup.exe
Process: | C:\Users\user\Desktop\setup.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 303 |
Entropy (8bit): | 4.678844719486963 |
Encrypted: | false |
SSDEEP: | 6:sENVGgA0dO/MKYiRgKRLGiFxl0AA8HLPs/QhOL+xgqNhkE+In:scsgA0dOjYiX4i7eA/0EcrIEI |
MD5: | 4AF08CCBCCE59FDA9C64B29F5B206BEF |
SHA1: | 8C97829EE35421C87AB774617C90A6CF4967C281 |
SHA-256: | 035B0A7155BE4C6196A16F06DD21E268B3A5062EA89BCC9A4429E371E34669B8 |
SHA-512: | 9BD8756589751781EA87B963F919F2614DDC88E7A7C5A8687D0D58D46FFB9F7A8108041B9B6DADF911500A5FD6FBA2A6A5345F1392950BF0F31AB8FCA4D64E79 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
File type: | |
Entropy (8bit): | 6.126511930909836 |
TrID: | |
File name: | setup.exe |
File size: | 139'776 bytes |
MD5: | ca4d56abba85c97023f2e236dc82c4aa |
SHA1: | 5c4be7cef4082adae0e187ec140c0f10dd113260 |
SHA256: | 7052d75548d0f34e290baf29aa7281b44b4eb38327a9078354e15a3dc8749da4 |
SHA512: | 42b895b8ca244d4a5dc3b662f6379073c8ee893a3a56b0e77b9eca3be4c3242bcbc9f97a2cf2432109c13fdfa842e2d73f14c7d1b328b4f6a000202af8215562 |
SSDEEP: | 3072:WARAEzUI3AOGfte0D9P9HjT0rIm7f1dZJZgJIK/J:WARdb3NGfYm9VTwImJdEX/ |
TLSH: | D1D3285672E5C071F5F2277116F16A31AA3A7C356B36C2CBC700DD6A5C306A4A8393AB |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ 5..A[..A[..A[.hG]..A[..A[..@[.Rich.A[.................PE..L...f}.8............................`0............@................ |
Icon Hash: | 674e4f45a7297639 |
Entrypoint: | 0x413060 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | |
Time Stamp: | 0x38CE7D66 [Tue Mar 14 17:56:54 2000 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 8d6f18fdfe290097ec083ff27d192e91 |
Instruction |
---|
push ebp |
mov ebp, esp |
push FFFFFFFFh |
push 0041A778h |
push 004168D8h |
mov eax, dword ptr fs:[00000000h] |
push eax |
mov dword ptr fs:[00000000h], esp |
add esp, FFFFFFA8h |
push ebx |
push esi |
push edi |
mov dword ptr [ebp-18h], esp |
call dword ptr [0041A0D4h] |
xor edx, edx |
mov dl, ah |
mov dword ptr [00423110h], edx |
mov ecx, eax |
and ecx, 000000FFh |
mov dword ptr [0042310Ch], ecx |
shl ecx, 08h |
add ecx, edx |
mov dword ptr [00423108h], ecx |
shr eax, 10h |
mov dword ptr [00423104h], eax |
call 00007FE40CC9EED9h |
test eax, eax |
jne 00007FE40CC9E0CCh |
push 0000001Ch |
call 00007FE40CC9E22Eh |
add esp, 04h |
mov dword ptr [ebp-04h], 00000000h |
call 00007FE40CC9E3CFh |
call 00007FE40CCA102Ah |
call dword ptr [0041A09Ch] |
mov dword ptr [00427424h], eax |
call 00007FE40CCA165Ah |
mov dword ptr [00423188h], eax |
test eax, eax |
je 00007FE40CC9E0CBh |
mov eax, dword ptr [00427424h] |
test eax, eax |
jne 00007FE40CC9E0CCh |
push FFFFFFFFh |
call 00007FE40CC9BF51h |
add esp, 04h |
call 00007FE40CCA1389h |
call 00007FE40CCA1294h |
call 00007FE40CC9BF0Fh |
mov esi, dword ptr [00427424h] |
mov dword ptr [ebp-64h], esi |
cmp byte ptr [esi], 00000022h |
jne 00007FE40CC9E184h |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1ab60 | 0xc8 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x28000 | 0x3cd0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1a000 | 0x300 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x18946 | 0x18a00 | 6402e561ef237f0ae29e041348528e7a | False | 0.5565018242385786 | data | 6.599939161511523 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x1a000 | 0x1b4c | 0x1c00 | f379a6fbb3ea192eccd0240f9d08d27d | False | 0.4228515625 | data | 5.478199383881284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x1c000 | 0xb430 | 0x3a00 | e2f25de8dfe3c3ecb4273fa4af478747 | False | 0.20204741379310345 | data | 2.451888010679478 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x28000 | 0x3cd0 | 0x3e00 | 10dd306ba561254027beb2f622a6ad2e | False | 0.2610887096774194 | data | 3.495450025329039 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x28310 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.4153225806451613 |
RT_ICON | 0x285f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.5743243243243243 |
RT_STRING | 0x29e08 | 0x2a | Matlab v4 mat-file (little endian) r, numeric, rows 0, columns 0 | English | United States | 0.5714285714285714 |
RT_STRING | 0x29e38 | 0x604 | data | English | United States | 0.32987012987012987 |
RT_STRING | 0x2a440 | 0x3f0 | data | English | United States | 0.3482142857142857 |
RT_STRING | 0x2b520 | 0x678 | data | English | United States | 0.37318840579710144 |
RT_STRING | 0x2a830 | 0xcf0 | data | English | United States | 0.30585748792270534 |
RT_STRING | 0x28bf8 | 0x73c | data | English | United States | 0.3536717062634989 |
RT_STRING | 0x2bb98 | 0x134 | data | English | United States | 0.5064935064935064 |
RT_STRING | 0x29338 | 0x128 | data | English | United States | 0.5675675675675675 |
RT_STRING | 0x29460 | 0x3da | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.3671399594320487 |
RT_STRING | 0x29840 | 0x5c6 | data | English | United States | 0.2347767253044655 |
RT_GROUP_ICON | 0x28720 | 0x22 | data | English | United States | 1.0 |
RT_VERSION | 0x28748 | 0x4b0 | data | English | United States | 0.4116666666666667 |
DLL | Import |
---|---|
GDI32.dll | GetStockObject, SetTextColor, CreateFontIndirectA, DeleteObject, GetDeviceCaps, SetBkColor, SelectObject, GetTextMetricsA |
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetMalloc |
USER32.dll | SendMessageA, CreateWindowExA, GetWindowLongA, MessageBoxA, CharNextA, DispatchMessageA, PeekMessageA, PostMessageA, PackDDElParam, DestroyWindow, CharPrevA, UpdateWindow, SetWindowTextA, BeginPaint, GetClientRect, EndPaint, DrawTextA, OffsetRect, IsWindow, PostQuitMessage, FindWindowA, GetSystemMetrics, ShowCursor, GetDC, ShowWindow, MoveWindow, ReleaseDC, BringWindowToTop, GetMessageA, TranslateMessage, LoadCursorA, SetFocus, wvsprintfA, InvalidateRect, LoadIconA, LoadStringA, wsprintfA, ExitWindowsEx, CharUpperA, RegisterClassA, UnpackDDElParam, DefWindowProcA, UnregisterClassA |
comdlg32.dll | GetOpenFileNameA |
ADVAPI32.dll | AdjustTokenPrivileges, RegEnumKeyExA, OpenProcessToken, RegCloseKey, LookupPrivilegeValueA, RegSetValueExA, RegCreateKeyA, RegQueryInfoKeyA, RegOpenKeyExA, RegQueryValueExA |
ole32.dll | CoUninitialize, OleInitialize, OleUninitialize, CoCreateInstance, CoInitialize |
OLEAUT32.dll | LoadTypeLib, SysAllocStringLen, VariantChangeTypeEx, VariantClear, VariantTimeToDosDateTime, RegisterTypeLib |
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA, VerInstallFileA |
KERNEL32.dll | Sleep, GlobalFree, GlobalAlloc, SetFilePointer, GetACP, CreateFileA, LCMapStringW, LCMapStringA, GetCPInfo, VirtualAlloc, VirtualFree, GetCurrentProcessId, HeapDestroy, SetStdHandle, HeapCreate, SetHandleCount, SetEndOfFile, GetStdHandle, GetStartupInfoA, GetCommandLineA, GetLocalTime, GetSystemTime, GetCurrentDirectoryA, HeapFree, HeapAlloc, GetTimeZoneInformation, ExitProcess, FileTimeToLocalFileTime, TerminateProcess, GetFileType, FileTimeToSystemTime, GetFileAttributesA, GetVersionExA, GetVersion, GetSystemDirectoryA, DosDateTimeToFileTime, HeapReAlloc, LocalFree, GetWindowsDirectoryA, LocalFileTimeToFileTime, SetFileTime, GetModuleHandleA, GetDriveTypeA, SetErrorMode, LoadLibraryA, GetProcAddress, CreateProcessA, FreeLibrary, FlushFileBuffers, SetEnvironmentVariableA, CompareStringW, GetStringTypeW, GetStringTypeA, RtlUnwind, GetEnvironmentStringsW, GlobalAddAtomA, LocalAlloc, GlobalDeleteAtom, _lclose, GetFileSize, GetPrivateProfileStringA, LocalLock, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, UnhandledExceptionFilter, GetOEMCP, lstrcatA, lstrcpyA, lstrlenA, lstrcmpiA, SetFileAttributesA, CopyFileA, GetModuleFileNameA, OpenFile, FindClose, IsDBCSLeadByte, WriteFile, CloseHandle, FindFirstFileA, _lread, _lwrite, LocalUnlock, DeleteFileA, MoveFileA, GetExitCodeProcess, GetFullPathNameA, lstrcpynA, GlobalUnlock, GlobalLock, GlobalFindAtomA, GetShortPathNameA, MoveFileExA, MultiByteToWideChar, WideCharToMultiByte, CompareStringA, ReadFile, GetTempFileNameA, RemoveDirectoryA, GetLastError, CreateDirectoryA, GetTempPathA, GetCurrentProcess |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Target ID: | 0 |
Start time: | 09:37:05 |
Start date: | 10/10/2024 |
Path: | C:\Users\user\Desktop\setup.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 139'776 bytes |
MD5 hash: | CA4D56ABBA85C97023F2E236DC82C4AA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Functions (all flagged COMMON):
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
004084E7 | 95.0 | 31 | 23 | 500 | window |
00405885 | 63.3 | 27 | 9 | 253 | string, window |
00413060 | 6.1 | 4 | | 117 | |
004066B2 | 4.5 | 3 | | 23 | file |
00405557 | 63.3 | 33 | 3 | 277 | window |
00404F35 | 23.0 | 9 | 4 | 214 | string, file |
00403B63 | 15.8 | 8 | 1 | 60 | memory, string |
00401F0F | 14.1 | 6 | 2 | 104 | string, file |
004051B6 | 12.3 | 5 | 2 | 39 | registry, window |
00409E9F | 7.0 | 2 | 2 | 22 | file, string |
00413F10 | 6.4 | 5 | | 110 | memory |
00410FD0 | 4.5 | 3 | | 49 | |
00402314 | 3.0 | 2 | | 39 | file |
00413ED0 | 3.0 | 2 | | 18 | memory |
00406A32 | 3.0 | 2 | | 17 | string |
0040746D | 49.2 | 13 | 15 | 224 | process |
00406143 | 35.3 | 13 | 7 | 296 | string, file |
0040924A | 33.5 | 16 | 3 | 276 | string, com, file |
00408FE7 | 31.6 | 9 | 9 | 138 | file |
00407E75 | 31.6 | 8 | 10 | 108 | string |
00403794 | 24.6 | 9 | 5 | 75 | shutdown |
004187D0 | 16.7 | | 13 | 472 | |
00417CA0 | 14.1 | 4 | 4 | 57 | library, loader |
00406623 | 6.0 | 4 | | 46 | file |
00412600 | 4.6 | 3 | | 77 | time |
00414CE0 | 1.5 | | 1 | 213 | |
0040C9A0 | 0.5 | | | 533 | |
0040D2F0 | 0.5 | | | 463 | |
0040F840 | 0.3 | | | 261 | |
0040FC20 | 0.3 | | | 257 | |
0040F5B0 | 0.2 | | | 199 | |
0040D050 | 0.2 | | | 152 | |
0040B8EC | 0.1 | | | 58 | |
0040322C | 72.1 | 32 | 9 | 358 | file, string |
004098C3 | 56.3 | 11 | 21 | 270 | string, file |
00407720 | 51.0 | 12 | 17 | 257 | library, string, loader |
00402FAE | 40.4 | 17 | 6 | 189 | string |
00407FB9 | 40.4 | 18 | 5 | 157 | string |
00405EF4 | 35.2 | 13 | 7 | 197 | string, registry |
00408BD5 | 33.4 | 13 | 6 | 190 | registry, string, process |
00406AFA | 33.3 | 13 | 6 | 99 | string |
0040680E | 28.2 | 9 | 7 | 181 | string |
0040129D | 24.8 | 13 | 1 | 293 | string, file |
0040957D | 21.1 | 9 | 3 | 88 | string, file |
004028D8 | 21.1 | 9 | 3 | 86 | registry |
00405372 | 19.7 | 12 | 1 | 176 | string, memory |
00405D5B | 19.4 | 8 | 3 | 123 | file, memory |
00403C25 | 19.3 | 9 | 2 | 89 | string |
00403874 | 17.6 | 6 | 4 | 137 | string |
00407BF1 | 15.9 | 7 | 2 | 155 | string, process |
00416680 | 15.2 | 10 | | 153 | |
004097C2 | 15.1 | 10 | | 84 | string, file, memory |
0040815C | 14.1 | 4 | 4 | 116 | com |
00417FD0 | 13.8 | 9 | | 300 | |
004169F0 | 12.4 | 3 | 4 | 161 | file |
00409674 | 12.3 | 6 | 1 | 54 | string |
004096F3 | 12.3 | 6 | 1 | 54 | string |
00402A57 | 12.1 | 8 | | 66 | string, memory, window |
00407A9F | 10.6 | 7 | | 60 | memory |
00417070 | 9.1 | 6 | | 131 | |
00401071 | 9.1 | 6 | | 80 | string |
0040194E | 8.9 | 4 | 1 | 116 | string |
004082BC | 8.9 | 2 | 3 | 105 | string |
00410650 | 7.8 | 5 | | 288 | file |
004171B0 | 7.7 | 5 | | 199 | |
00402B3F | 7.6 | 6 | | 83 | string |
004091C9 | 7.5 | 5 | | 47 | string |
00414A30 | 7.2 | 1 | 3 | 224 | time |
0040523A | 7.1 | 3 | 1 | 100 | window |
004016FB | 7.1 | 3 | 1 | 62 | string |
00403A37 | 7.1 | 3 | 1 | 57 | registry |
00401E56 | 7.0 | 2 | 2 | 42 | string |
00405C1A | 7.0 | 3 | 1 | 40 | string |
004153C0 | 7.0 | 2 | 2 | 13 | library, loader |
00408E72 | 6.3 | 5 | | 88 | |
00401C74 | 6.3 | 5 | | 79 | string |
004117D0 | 6.2 | 4 | | 223 | file |
00411A30 | 6.2 | 4 | | 178 | file |
00401C09 | 6.0 | 4 | | 48 | string |
00409FEA | 6.0 | 4 | | 40 | string |