Windows
Analysis Report
vv6BTLOCU9.exe
Overview
General Information
Sample name: | vv6BTLOCU9.exe (renamed because original name is a hash value) |
Original sample name: | 86e31f8e1daddbfc89722acb2a0ab170a33bca31a58c762e645d1a229e0a39dc.exe |
Analysis ID: | 1355486 |
MD5: | c874ea6652134f23f4343e36abe87dee |
SHA1: | cdddb07b11fb5b5908d38bffa925c34c897b4943 |
SHA256: | 86e31f8e1daddbfc89722acb2a0ab170a33bca31a58c762e645d1a229e0a39dc |
Tags: | exe, GuLoader |
Detection
Score: | 76 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- vv6BTLOCU9.exe (PID: 3108 cmdline: C:\Users\user\Desktop\vv6BTLOCU9.exe MD5: C874EA6652134F23F4343E36ABE87DEE)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | |
| JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security | |
AV Detection
- Avira
- ReversingLabs
- Static PE information
- Code function: 0_2_0040605D
- Code function: 0_2_004055A9
- Code function: 0_2_00402706
- String found in binary or memory
- Code function: 0_2_0040510D
- Process Stats
- Code function: 0_2_004031B1
- Code function: 0_2_0040494A
- Code function: 0_2_0040636F
- Static PE information
- Binary or memory string
- Binary or memory string
- Static PE information
- Classification label
- Code function: 0_2_00404404
- Code function: 0_2_0040206A
- File created
- Static PE information
- File read
- Key opened
- ReversingLabs
- File read
- Key value queried
Data Obfuscation
- File source
- File source
- Code function: 0_2_00406084
- Code function: 0_2_10002D7E
- File created
- Process information set
Malware Analysis System Evasion
- RDTSC instruction interceptor
- Code function: 0_2_0040605D
- Code function: 0_2_004055A9
- Code function: 0_2_00402706
- API call chain: graph_0-4325
- API call chain: graph_0-4331
- Code function: 0_2_00406084
- Code function: 0_2_00405D3C
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact | Resource Development | Reconnaissance |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 1 Native API | Path Interception | Path Interception | 1 Obfuscated Files or Information | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | 1 System Shutdown/Reboot | Acquire Infrastructure | Gather Victim Identity Information |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | 2 File and Directory Discovery | Remote Desktop Protocol | 1 Clipboard Data | Exfiltration Over Bluetooth | Junk Data | SIM Card Swap | Obtain Device Cloud Backups | Network Denial of Service | Domains | Credentials |
Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | 13 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | | | Data Encrypted for Impact | DNS Server | Email Addresses |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 59% | ReversingLabs | Win32.Trojan.GuLoader | |
| 100% | Avira | TR/Injector.iguof | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | ReversingLabs | | |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | high |
Joe Sandbox version: | 38.0.0 Ammolite |
Analysis ID: | 1355486 |
Start date and time: | 2023-12-07 15:48:32 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 7m 27s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 6 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | vv6BTLOCU9.exe (renamed because original name is a hash value) |
Original Sample Name: | 86e31f8e1daddbfc89722acb2a0ab170a33bca31a58c762e645d1a229e0a39dc.exe |
Detection: | MAL |
Classification: | mal76.troj.evad.winEXE@1/11@0/0 |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- VT rate limit hit for: vv6BTLOCU9.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
C:\Users\user\AppData\Local\Temp\nsi1B11.tmp\System.dll | | | malicious | FormBook, GuLoader | | |
| | | malicious | GuLoader | | |
| | | malicious | FormBook, GuLoader | | |
| | | malicious | GuLoader | | |
| | | malicious | GuLoader | | |
| | | malicious | GuLoader | | |
| | | malicious | GuLoader | | |
| | | malicious | GuLoader | | |
| | | malicious | GuLoader | | |
| | | malicious | GuLoader | | |
| | | malicious | GuLoader | | |
| | | malicious | GuLoader | | |
| | | malicious | GuLoader | | |
| | | malicious | GuLoader | | |
| | | malicious | GuLoader | | |
| | | malicious | GuLoader | | |
| | | malicious | AgentTesla, GuLoader | | |
| | | malicious | GuLoader | | |
| | | malicious | FormBook, GuLoader | | |
| | | malicious | GuLoader | | |
Process: | C:\Users\user\Desktop\vv6BTLOCU9.exe |
Category: | dropped |
Size (bytes): | 11264 |
Entropy (8bit): | 5.774411073650885 |
Encrypted: | false |
SSDEEP: | 192:eB2HS+ihg200uWz947Wzvxu6v0MI7JOde+Ij5Z77dslFsE+:3S62Gw947ExuGDI7J8EF7KIE |
MD5: | BE2621A78A13A56CF09E00DD98488360 |
SHA1: | 75F0539DC6AF200A07CDB056CDDDDEC595C6CFD2 |
SHA-256: | 852047023BA0CAE91C7A43365878613CFB4E64E36FF98C460E113D5088D68EF5 |
SHA-512: | B80CF1F678E6885276B9A1BFD9227374B2EB9E38BB20446D52EBE2C3DBA89764AA50CB4D49DF51A974478F3364B5DBCBC5B4A16DC8F1123B40C89C01725BE3D1 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\tilspidser\Aricine\Administrationsomraader\Compile\decimerede.phl
Process: | C:\Users\user\Desktop\vv6BTLOCU9.exe |
Category: | dropped |
Size (bytes): | 25270 |
Entropy (8bit): | 4.947547633955461 |
Encrypted: | false |
SSDEEP: | 384:6Rr3w11y5flHKOgz2mEbdu4FmDEwFmTHcHwz+Cw5lYCTaHsVjIKUmeiqd8beGkW:ISy5AOgzLEb3FPLHcHew5aC2MHqybeC |
MD5: | 788AA7EB069EF0144FA4F3866491C72E |
SHA1: | 26E0557785940D2D08656E4B5E4BE34442CA2FCC |
SHA-256: | 3AFFC34770C4AD09C5002BA6B501D8CB1B17FF03AF7975941A3140CC134D1592 |
SHA-512: | 48DE2815CC29C817BBA9C826D36EAAD5BD48BA80B17C9E43969AE23B81952E13D6B4BF678D32F06E1866D131B349DFE51F405752522A85CB3EE178889D41EA8D |
Malicious: | false |
Reputation: | low |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\tilspidser\Aricine\Administrationsomraader\Compile\kjell.aug
Process: | C:\Users\user\Desktop\vv6BTLOCU9.exe |
Category: | dropped |
Size (bytes): | 21071 |
Entropy (8bit): | 4.999266620553678 |
Encrypted: | false |
SSDEEP: | 384:vnxOfhKLu6iwik5eHf2R9jh1D+SVsvWINiShk3cViS/ghpkgfGWobr75UVrubXf4:vxOfF68Hf+4iSy3cYS/SkggbHeVaT4 |
MD5: | AC37C511D5CE833D4B83D9AB5F31E7DD |
SHA1: | 975AD92DF4FA2CD4AC6C9732028A166D5B036279 |
SHA-256: | 00EB893369F92059BA0C4C036748ED70D1CB9418FCDB4AD040F90DFE674A652B |
SHA-512: | 5E7599BC66F6ACF8C6C6B663B713574926A6E51302D03800D5F1D5B6307EB78B3432F842EBD3A424E9C95A0030F2AF00818B462733E6E0DE81A4291D3883C622 |
Malicious: | false |
Reputation: | low |
Process: | C:\Users\user\Desktop\vv6BTLOCU9.exe |
Category: | dropped |
Size (bytes): | 303841 |
Entropy (8bit): | 7.820318794463413 |
Encrypted: | false |
SSDEEP: | 6144:M2MsTMRCYmHOExxCUs+CwyngPSC9BeM7iH4nKIwYx7hOb1frDbxKb2GdU2:MFs4CYYOExxS+LynxC9TiH4VhsDDbxji |
MD5: | 0ABC54B6BCF96556C718E70748628109 |
SHA1: | FAA3A4484C77BBBB23C9DD12BB404BAA6B759111 |
SHA-256: | E1814A1C651C4E0695EBE8969514882E3FF9C32E053B8315CCEEBBDC482E4506 |
SHA-512: | 99DF3F20D37407472D23CF02E990D784EE32E8B008F2E87B4558A021487C1293D63EEDEC1B7CDEA6903673B97901CFDF354BE358C920E9F146DDF81E5BD00349 |
Malicious: | false |
Reputation: | low |
Process: | C:\Users\user\Desktop\vv6BTLOCU9.exe |
Category: | dropped |
Size (bytes): | 23503 |
Entropy (8bit): | 4.885237948445536 |
Encrypted: | false |
SSDEEP: | 384:+U/9bh3gWd/0UdU1QkZVpFVC3ldpTwA8fiCtRUgoyku1XYTR:+Cgi/0Ui1RZhm2r9HFXQR |
MD5: | 2FE760E5D66F7DD4E6D979B416081891 |
SHA1: | 32CF7C0D0C1E95838AA8EBBAE19A4113EEDC2867 |
SHA-256: | 0495450D795F00DD11B4BEBE9586C4E7E95B70C9706000C563428967F40C801E |
SHA-512: | 60999B282DC5463EEAC15A94F1BE10B043609A685491EC1A9B6FE53A53F59CE2FA5F810EB6892E832CF54607760E82044C74A028FAA4D57249C7D144D2F4F644 |
Malicious: | false |
Reputation: | low |
Process: | C:\Users\user\Desktop\vv6BTLOCU9.exe |
Category: | dropped |
Size (bytes): | 27893 |
Entropy (8bit): | 4.946417902557597 |
Encrypted: | false |
SSDEEP: | 768:EzN241g1ZXGWVwLZOXB/uAm1PIXQk0/JjBpp6Mg:EzZyGWVwdZAm8Qk0RNvtg |
MD5: | D97A4ECCF6175897BC483F5AC2A8ED8B |
SHA1: | B07A42D071E87F99431121AF3519A744B41CC8C4 |
SHA-256: | A4ADF525C8C74B7F7D46521F12FA755A546DD96BCAA025DD524A4B9951F751B1 |
SHA-512: | 6547191CA2CCD44EC3A293EC0AE4493C5C7256C247A8AD0F95B15465EC44717B5F27F21F06D301D60A3FA8A052A548BF0C14F449A56571CEEC1062C3FDB59019 |
Malicious: | false |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\tilspidser\Sagwire\Brebres\Syllabification\ravnens.gro
Process: | C:\Users\user\Desktop\vv6BTLOCU9.exe |
Category: | dropped |
Size (bytes): | 21278 |
Entropy (8bit): | 4.945854059221818 |
Encrypted: | false |
SSDEEP: | 384:TxhCek0BT7Lve7iJPmHeLdNO8Xm5qFxw3XZBZhhBNg6mcEeQ8uoqBiefwv2smz:TxyKT7y7iJPYmdU8SqFkXF7A6mOowv8z |
MD5: | E4DE43F6E1867E0C153AFCC8D5D786BD |
SHA1: | C467D33ECE5E7054E24952F70F17DCC26D35CCF8 |
SHA-256: | 4FE0A5BCA3FE94A9CCED964B3C270C81E8D57E50488E551EAE625BCA6F334A0D |
SHA-512: | 11C1A578F95DC217BDB59D576524E8D0D04F66C9B0FB7FAC4980FE4BFA058459696C4E4E79FD800DC0FDE07311F417A59C54AB34B5553B5B56102E3BA54B8F07 |
Malicious: | false |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\tilspidser\Sagwire\Brebres\Syllabification\sudoriparous.mel
Process: | C:\Users\user\Desktop\vv6BTLOCU9.exe |
Category: | dropped |
Size (bytes): | 14116 |
Entropy (8bit): | 4.989317455419551 |
Encrypted: | false |
SSDEEP: | 384:mrQX7RV23Ll32eN7c6CqkubktMFdkmoliGXo6:6QkLVZCqOAdBoPT |
MD5: | 7D8F333FF406A08D8032714860E6BDED |
SHA1: | 30750FF1A6323DD618EC9B4C058423A4849526BC |
SHA-256: | 4585D8D4840B5BC0E98773D332D4A25BF1470CD3B1F969E33301BAD8397F32F0 |
SHA-512: | E65391E6AEB31CDA8C0145C8911E48503682E7F17863B95910D253A141A3042D3212983CDE14FD2696981E6E9A4FB059D5FC3C3F629273B0A52DAEF59A778062 |
Malicious: | false |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\tilspidser\Sagwire\Brebres\Syllabification\trianguleringerne.lyk
Process: | C:\Users\user\Desktop\vv6BTLOCU9.exe |
Category: | dropped |
Size (bytes): | 29732 |
Entropy (8bit): | 4.960975514645896 |
Encrypted: | false |
SSDEEP: | 768:lRrePoT3LZyqZuk3yfRitJ39ExZJM9EfkJl2XzocIko03:llePoj9U3Q3KLvkJ0XzocIG |
MD5: | FB359732CB93BA304C448D1450DD63CC |
SHA1: | 6A52C3B3C68F5A523E2D80D1C7DCBBAA3C6A96C7 |
SHA-256: | 916FDCE2E2CC89E776844387839AA45003F143F372CC1D213D12DF9E37BD9BE4 |
SHA-512: | 0ED2304C9036B239728DDCD0E3DE31826664E39A3F4F4ED3BC1469833BFB679634F8B7544F20931FC2F3AD0987D4EDF1CA67A21CD6B5FCDA9413E36AE10B67A0 |
Malicious: | false |
Process: | C:\Users\user\Desktop\vv6BTLOCU9.exe |
Category: | dropped |
Size (bytes): | 12464 |
Entropy (8bit): | 5.011960046010522 |
Encrypted: | false |
SSDEEP: | 384:OBPfvejXt4yeKh1bgkvgbza6TSR43hEJrxaTw:aPXkdq+bgkwOD63hEVATw |
MD5: | 70F3A0186C812357BFEDAB45ED7A2E01 |
SHA1: | 7D2D6D08AEC8547576F62BD047E0F50D1C56DB33 |
SHA-256: | D6D36003B4CBA84F861291ED46DCA4258887651DE102DEF25E17CD29AB03C5FF |
SHA-512: | 816869E40AC2A2EA5A829CCCD45CDE4A890357D5BA666FFA9400D1C97134DF33FFA8531497D78B5A0BF52A872FDEEAE55CDC255FC67292D6EAB388931382C71C |
Malicious: | false |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\tilspidser\antifibrinolysin.txt
Process: | C:\Users\user\Desktop\vv6BTLOCU9.exe |
Category: | dropped |
Size (bytes): | 537 |
Entropy (8bit): | 4.22312399430893 |
Encrypted: | false |
SSDEEP: | 12:9DQKU0sMtOeVxchNJ2cXIByG+lvtcgaToXO1xx:9DfvtO5hvfIBl+lqgasXOl |
MD5: | E03227C9C51FA67B0522A229F23CDD14 |
SHA1: | DFEF0ABF96E0DA4D0341959B3626817E508F48EF |
SHA-256: | 8CD50E61598FA43F59F9D7C08681290790641BCF2E18470EFE70A7AFB3A8AF06 |
SHA-512: | 756887C93D17E27E54B9C3CB6015E30444A9A9658F859894A08C7A9AF041850A878BDFD401C4B045DEB6C56950CBA0A3255CBC933F3EF3F19F65AAA01C38D9FB |
Malicious: | false |
Entropy (8bit): | 7.541045118870498 |
File name: | vv6BTLOCU9.exe |
File size: | 605'600 bytes |
MD5: | c874ea6652134f23f4343e36abe87dee |
SHA1: | cdddb07b11fb5b5908d38bffa925c34c897b4943 |
SHA256: | 86e31f8e1daddbfc89722acb2a0ab170a33bca31a58c762e645d1a229e0a39dc |
SHA512: | acb77a5e506e39896cceb98f953858f1519db75c4575b991cee994b86d0c2f9929c54fc98756c2bacb5920cca3302f45b646a47ba0e594db124e7e5a3d9debc6 |
SSDEEP: | 12288:9aC5nhe2e5SJ3MA+lzcUAHntOHSPqpivm9i:75henSVz9NO8qpx9i |
TLSH: | 79D4BE9639D965AFDC2F4A74035FEAB22AB55CE0B382086E5F40770D4C3564A80EEDC7 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.*ju.*ju.*j..ujw.*ju.+j..*j..wjd.*j!..j..*j..,jt.*jRichu.*j........PE..L....e.Q.................^...*.......1.......p....@ |
Icon Hash: | 39199c4e42c9d93c |
Entrypoint: | 0x4031b1 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | TERMINAL_SERVER_AWARE |
Time Stamp: | 0x519965D6 [Sun May 19 23:52:54 2013 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 7fd61eafe142870d6d0380163804a642 |
Signature Valid: | false |
Signature Issuer: | E=Glamouriser@Smuttes.Re, OU="Canthectomy Ympers Entrebillets ", O=Fredsaftaler, L=Lencouacq, S=Nouvelle-Aquitaine, C=FR |
Signature Validation Error: | A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider |
Error Number: | -2146762487 |
Version: | 3 |
Thumbprint MD5: | 61C37D6B980DF653B489AE2B8920F51A |
Thumbprint SHA-1: | 0AA779D11E8DCE38FDF0F394C53F93A79C98E785 |
Thumbprint SHA-256: | EC38106C48BB713059C9319422ABCDEE1BBCEB7E451B020594B1B5AB770A14BE |
Serial: | 66903C26397BF8B1C5F5ED1C9C6930870BE8C9A3 |
Instruction |
---|
sub esp, 000002D4h |
push ebx |
push ebp |
push esi |
push edi |
push 00000020h |
xor ebp, ebp |
pop esi |
mov dword ptr [esp+18h], ebp |
mov dword ptr [esp+10h], 004092D8h |
mov dword ptr [esp+14h], ebp |
call dword ptr [00407034h] |
push 00008001h |
call dword ptr [00407134h] |
push ebp |
call dword ptr [004072ACh] |
push 00000008h |
mov dword ptr [00429258h], eax |
call 00007FB60CE3A6A5h |
mov dword ptr [004291A4h], eax |
push ebp |
lea eax, dword ptr [esp+34h] |
push 000002B4h |
push eax |
push ebp |
push 00420658h |
call dword ptr [0040717Ch] |
push 004092C0h |
push 004281A0h |
call 00007FB60CE3A310h |
call dword ptr [00407138h] |
mov ebx, 00434000h |
push eax |
push ebx |
call 00007FB60CE3A2FEh |
push ebp |
call dword ptr [0040710Ch] |
cmp word ptr [00434000h], 0022h |
mov dword ptr [004291A0h], eax |
mov eax, ebx |
jne 00007FB60CE3781Ah |
push 00000022h |
mov eax, 00434002h |
pop esi |
push esi |
push eax |
call 00007FB60CE39D6Ch |
push eax |
call dword ptr [00407240h] |
mov dword ptr [esp+1Ch], eax |
jmp 00007FB60CE378D9h |
push 00000020h |
pop edx |
cmp cx, dx |
jne 00007FB60CE37819h |
inc eax |
inc eax |
cmp word ptr [eax], dx |
je 00007FB60CE3780Bh |
add word ptr [eax], 0000h |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7494 | 0xb4 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4c000 | 0x2b520 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x92968 | 0x1438 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x2b8 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x5c98 | 0x5e00 | False | 0.659657579787234 | data | 6.425247933744058 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x7000 | 0x1354 | 0x1400 | False | 0.43125 | data | 5.037835958363483 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x9000 | 0x20298 | 0x600 | False | 0.4635416666666667 | data | 3.659675278002498 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.ndata | 0x2a000 | 0x22000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x4c000 | 0x2b520 | 0x2b600 | False | 0.3342151476945245 | data | 5.627576599305687 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x4c418 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 0 | English | United States | 0.1602112676056338 |
RT_ICON | 0x558c0 | 0x74cb | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9987290544834275 |
RT_ICON | 0x5cd90 | 0x67e8 | Device independent bitmap graphic, 80 x 160 x 32, image size 0 | English | United States | 0.1848872180451128 |
RT_ICON | 0x63578 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 0 | English | United States | 0.1996765249537893 |
RT_ICON | 0x68a00 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 0 | English | United States | 0.2081955597543694 |
RT_ICON | 0x6cc28 | 0x3a48 | Device independent bitmap graphic, 60 x 120 x 32, image size 0 | English | United States | 0.21648793565683647 |
RT_ICON | 0x70670 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.2550829875518672 |
RT_ICON | 0x72c18 | 0x1a68 | Device independent bitmap graphic, 40 x 80 x 32, image size 0 | English | United States | 0.29659763313609466 |
RT_ICON | 0x74680 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.3405253283302064 |
RT_ICON | 0x75728 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States | 0.4385245901639344 |
RT_ICON | 0x760b0 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 0 | English | United States | 0.5337209302325582 |
RT_ICON | 0x76768 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.625886524822695 |
RT_DIALOG | 0x76bd0 | 0x100 | data | English | United States | 0.5234375 |
RT_DIALOG | 0x76cd0 | 0x11c | data | English | United States | 0.6056338028169014 |
RT_DIALOG | 0x76df0 | 0xc4 | data | English | United States | 0.5918367346938775 |
RT_DIALOG | 0x76eb8 | 0x60 | data | English | United States | 0.7291666666666666 |
RT_GROUP_ICON | 0x76f18 | 0xae | data | English | United States | 0.7298850574712644 |
RT_VERSION | 0x76fc8 | 0x284 | data | English | United States | 0.5124223602484472 |
RT_MANIFEST | 0x77250 | 0x2cb | XML 1.0 document, ASCII text, with very long lines (715), with no line terminators | English | United States | 0.5664335664335665 |
DLL | Import |
---|---|
KERNEL32.dll | CompareFileTime, SearchPathW, SetFileTime, CloseHandle, GetShortPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, GetFullPathNameW, CreateDirectoryW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, SetFileAttributesW, ExpandEnvironmentStringsW, LoadLibraryW, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcpyA, lstrcpyW, lstrcatW, GetSystemDirectoryW, GetVersion, GetProcAddress, LoadLibraryA, GetModuleHandleA, GetModuleHandleW, lstrcmpiW, lstrcmpW, WaitForSingleObject, GlobalFree, GlobalAlloc, LoadLibraryExW, GetExitCodeProcess, FreeLibrary, WritePrivateProfileStringW, SetErrorMode, GetCommandLineW, GetPrivateProfileStringW, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, MultiByteToWideChar, FindClose, MulDiv, ReadFile, WriteFile, lstrlenA, WideCharToMultiByte |
USER32.dll | EndDialog, ScreenToClient, GetWindowRect, RegisterClassW, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, wsprintfW, CreateWindowExW, SystemParametersInfoW, AppendMenuW, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, GetDC, SetWindowLongW, LoadImageW, SendMessageTimeoutW, FindWindowExW, EmptyClipboard, OpenClipboard, TrackPopupMenu, EndPaint, ShowWindow, GetDlgItem, IsWindow, SetForegroundWindow |
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW |
ADVAPI32.dll | RegCloseKey, RegOpenKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW |
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
ole32.dll | CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize |
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Target ID: | 0 |
Start time: | 15:49:25 |
Start date: | 07/12/2023 |
Path: | C:\Users\user\Desktop\vv6BTLOCU9.exe |
Wow64 process (32bit): | true |
Commandline: | C:\Users\user\Desktop\vv6BTLOCU9.exe |
Imagebase: | 0x400000 |
File size: | 605'600 bytes |
MD5 hash: | C874EA6652134F23F4343E36ABE87DEE |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Execution Graph
Execution Coverage: | 18.3% |
Dynamic/Decrypted Code Coverage: | 15.2% |
Signature Coverage: | 18.9% |
Total number of Nodes: | 1491 |
Total number of Limit Nodes: | 39 |
Graph
Function 004031B1 Relevance: 73.8, APIs: 27, Strings: 15, Instructions: 335stringfilecomCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040510D Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282windowclipboardmemoryCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405D3C Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 207stringCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004055A9 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159filestringCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040636F Relevance: 5.4, APIs: 4, Instructions: 382COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004036EE Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 216stringregistrylibraryCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 10001B47 Relevance: 18.5, APIs: 12, Instructions: 513stringmemorylibraryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401752 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145stringtimeCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00404FCE Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72stringwindowCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00402F38 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 166fileCOMMON
Control-flow Graph
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040232F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71registrystringCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401F98 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73libraryCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401B22 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 72memoryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004067A4 Relevance: 5.2, APIs: 4, Instructions: 236COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004069A5 Relevance: 5.2, APIs: 4, Instructions: 208COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004066BB Relevance: 5.2, APIs: 4, Instructions: 205COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004061C0 Relevance: 5.2, APIs: 4, Instructions: 198COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040660E Relevance: 5.2, APIs: 4, Instructions: 180COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040672C Relevance: 5.2, APIs: 4, Instructions: 170COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00406678 Relevance: 5.2, APIs: 4, Instructions: 168COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 10002814 Relevance: 3.2, APIs: 2, Instructions: 156fileCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401389 | Relevance: 3.0 | APIs: 2 | Instructions: 43 | Tags: window, COMMON | Uniqueness Score: -1.00% |
Function 00401DC7 | Relevance: 3.0 | APIs: 2 | Instructions: 21 | Tags: COMMON | Uniqueness Score: -1.00% |
Function 004059A3 | Relevance: 3.0 | APIs: 2 | Instructions: 16 | Tags: file, COMMON | Uniqueness Score: -1.00% |
Function 00402251 | Relevance: 1.5 | APIs: 1 | Instructions: 25 | Tags: COMMON | Uniqueness Score: -1.00% |
Function 00403134 | Relevance: 1.5 | APIs: 1 | Instructions: 22 | Tags: file, COMMON | Uniqueness Score: -1.00% |
Function 10002739 | Relevance: 1.5 | APIs: 1 | Instructions: 21 | Tags: memory, COMMON | Uniqueness Score: -1.00% |
Function 00402293 | Relevance: 1.5 | APIs: 1 | Instructions: 20 | Tags: COMMON | Uniqueness Score: -1.00% |
Function 0040159B | Relevance: 1.5 | APIs: 1 | Instructions: 18 | Tags: COMMON | Uniqueness Score: -1.00% |
Function 00403FB5 | Relevance: 1.5 | APIs: 1 | Instructions: 9 | Tags: window, COMMON | Uniqueness Score: -1.00% |
Function 00403166 | Relevance: 1.5 | APIs: 1 | Instructions: 6 | Tags: COMMON | Uniqueness Score: -1.00% |
Function 00403F9E | Relevance: 1.5 | APIs: 1 | Instructions: 6 | Tags: window, COMMON | Uniqueness Score: -1.00% |
Function 00403F8B | Relevance: 1.5 | APIs: 1 | Instructions: 4 | Tags: COMMON | Uniqueness Score: -1.00% |
Function 004014D7 | Relevance: 1.3 | APIs: 1 | Instructions: 17 | Tags: sleep, COMMON | Uniqueness Score: -1.00% |
Function 1000121B | Relevance: 1.3 | APIs: 1 | Instructions: 6 | Tags: memory, COMMON | Uniqueness Score: -1.00% |
Function 0040494A | Relevance: 63.5 | APIs: 33 | Strings: 3 | Instructions: 481 | Tags: window, memory, COMMON | Uniqueness Score: -1.00% |
Function 00404404 | Relevance: 23.0 | APIs: 10 | Strings: 3 | Instructions: 269 | Tags: string, COMMON | Uniqueness Score: -1.00% |
Function 00402706 | Relevance: 1.5 | APIs: 1 | Instructions: 30 | Tags: file, COMMON | Uniqueness Score: -1.00% |
Function 00404106 | Relevance: 40.5 | APIs: 20 | Strings: 3 | Instructions: 207 | Tags: window, string, COMMON | Uniqueness Score: -1.00% |
Function 00405A26 | Relevance: 31.6 | APIs: 13 | Strings: 5 | Instructions: 141 | Tags: file, string, memory, COMMON | Uniqueness Score: -1.00% |
Function 004024EC | Relevance: 12.3 | APIs: 4 | Strings: 3 | Instructions: 54 | Tags: file, string, COMMON | Uniqueness Score: -1.00% |
Function 00402C15 | Relevance: 12.3 | APIs: 5 | Strings: 2 | Instructions: 40 | Tags: time, COMMON | Uniqueness Score: -1.00% |
Function 00403FD0 | Relevance: 12.1 | APIs: 8 | Instructions: 61 | Tags: COMMON | Uniqueness Score: -1.00% |
Function 10002430 | Relevance: 10.6 | APIs: 7 | Instructions: 110 | Tags: COMMON | Uniqueness Score: -1.00% |
Function 00404898 | Relevance: 10.5 | APIs: 5 | Strings: 1 | Instructions: 48 | Tags: window, COMMON | Uniqueness Score: -1.00% |
Function 100018CA | Relevance: 7.7 | APIs: 5 | Instructions: 190 | Tags: COMMON | Uniqueness Score: -1.00% |
Function 10001620 | Relevance: 7.5 | APIs: 5 | Instructions: 41 | Tags: memory, libraryloader, COMMON | Uniqueness Score: -1.00% |
Function 00401CE5 | Relevance: 7.5 | APIs: 5 | Instructions: 39 | Tags: window, COMMON | Uniqueness Score: -1.00% |
Function 00401D41 | Relevance: 7.5 | APIs: 5 | Instructions: 38 | Tags: COMMON | Uniqueness Score: -1.00% |
Function 004047B2 | Relevance: 7.1 | APIs: 3 | Strings: 1 | Instructions: 78 | Tags: string, COMMON | Uniqueness Score: -1.00% |
Function 00401BCA | Relevance: 7.1 | APIs: 3 | Strings: 1 | Instructions: 76 | Tags: window, time, COMMON | Uniqueness Score: -1.00% |
Function 00405BE7 | Relevance: 7.0 | APIs: 3 | Strings: 1 | Instructions: 45 | Tags: registry, COMMON | Uniqueness Score: -1.00% |
Function 00405782 | Relevance: 7.0 | APIs: 3 | Strings: 1 | Instructions: 16 | Tags: string, COMMON | Uniqueness Score: -1.00% |
Function 00401F08 | Relevance: 6.1 | APIs: 4 | Instructions: 55 | Tags: memory, COMMON | Uniqueness Score: -1.00% |
Function 00402C9B | Relevance: 6.0 | APIs: 4 | Instructions: 33 | Tags: COMMON | Uniqueness Score: -1.00% |
Function 00404F42 | Relevance: 5.3 | APIs: 2 | Strings: 1 | Instructions: 46 | Tags: window, COMMON | Uniqueness Score: -1.00% |
Function 0040549C | Relevance: 5.3 | APIs: 2 | Strings: 1 | Instructions: 24 | Tags: process, COMMON | Uniqueness Score: -1.00% |
Function 004057CE | Relevance: 5.3 | APIs: 2 | Strings: 1 | Instructions: 16 | Tags: string, COMMON | Uniqueness Score: -1.00% |
Function 100010E1 | Relevance: 5.1 | APIs: 4 | Instructions: 104 | Tags: memory, COMMON | Uniqueness Score: -1.00% |
Function 00405908 | Relevance: 5.0 | APIs: 4 | Instructions: 37 | Tags: string, COMMON | Uniqueness Score: -1.00% |