Edit tour
Windows
Analysis Report
ugslmd.exe
Overview
General Information
| Sample name: | ugslmd.exe |
| Analysis ID: | 1432144 |
| MD5: | 551ed08a9076a98b16ce6dd72c993209 |
| SHA1: | 7f6e01bbbfe0caa479cb9feee9cec092fd4fde9d |
| SHA256: | b3507a576c4b7861f343a95f00e177c0aaeb44fac3400dd054fe8c0aeeeddccd |
| Infos: | |
 | |
Detection
| Score: | 48 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Contains functionality to dynamically determine API calls
Detected potential crypto function
Entry point lies outside standard sections
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
ugslmd.exe (PID: 7136 cmdline: "C:\Users\ user\Deskt op\ugslmd. exe" MD5: 551ED08A9076A98B16CE6DD72C993209) 
conhost.exe (PID: 6516 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Virustotal: | Perma Link | ||
| Source: | Static PE information: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Code function: | 0_2_00408064 | |
| Source: | Code function: | 0_2_0040807B | |
| Source: | Code function: | 0_2_00407039 | |
| Source: | Code function: | 0_2_00407D5C | |
| Source: | Code function: | 0_2_00408911 | |
| Source: | Code function: | 0_2_00403D15 | |
| Source: | Code function: | 0_2_0040891E | |
| Source: | Code function: | 0_2_00403D25 | |
| Source: | Code function: | 0_2_0040652E | |
| Source: | Code function: | 0_2_00406539 | |
| Source: | Code function: | 0_2_004051CC | |
| Source: | Code function: | 0_2_00402D97 | |
| Source: | Code function: | 0_2_00402DAE | |
| Source: | Code function: | 0_2_004051B4 | |
| Source: | Code function: | 0_2_00405645 | |
| Source: | Code function: | 0_2_00405601 | |
| Source: | Code function: | 0_2_00407213 | |
| Source: | Code function: | 0_2_0040721E | |
| Source: | Code function: | 0_2_00404221 | |
| Source: | Code function: | 0_2_00404234 | |
| Source: | Code function: | 0_2_004092CB | |
| Source: | Code function: | 0_2_00409AA9 | |
| Source: | Code function: | 0_2_004092BC | |
| Source: | Code function: | 0_2_00408F6C | |
| Source: | Code function: | 0_2_00408F7A | |
| Source: | Code function: | 0_2_0040330A | |
| Source: | Code function: | 0_2_00409F0B | |
| Source: | Code function: | 0_2_00409F1A | |
| Source: | Code function: | 0_2_004047B3 | |
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Mutant created: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Code function: | 0_2_0040101A | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00683239 | |
| Source: | Code function: | 0_2_00683735 | |
| Source: | Code function: | 0_2_00683739 | |
| Source: | Code function: | 0_2_00685340 | |
| Source: | Code function: | 0_2_00684060 | |
| Source: | Code function: | 0_2_00401C59 | |
| Source: | Code function: | 0_2_0040284F | |
| Source: | Code function: | 0_2_004018DF | |
| Source: | Code function: | 0_2_004018DF | |
| Source: | Code function: | 0_2_00401CF0 | |
| Source: | Code function: | 0_2_004018DF | |
| Source: | Code function: | 0_2_004028FB | |
| Source: | Code function: | 0_2_005E08D5 | |
| Source: | Code function: | 0_2_005E016C | |
| Source: | Code function: | 0_2_005E0585 | |
| Source: | Code function: | 0_2_00401917 | |
| Source: | Code function: | 0_2_0040191B | |
| Source: | Code function: | 0_2_00402128 | |
| Source: | Code function: | 0_2_00402196 | |
| Source: | Code function: | 0_2_0040219A | |
| Source: | Code function: | 0_2_004025F3 | |
| Source: | Code function: | 0_2_00402659 | |
| Source: | Code function: | 0_2_00402659 | |
| Source: | Code function: | 0_2_005E005D | |
| Source: | Code function: | 0_2_00402723 | |
| Source: | Code function: | 0_2_00683ACE | |
| Source: | Code function: | 0_2_00680E5B | |
| Source: | Code function: | 0_2_00401B46 | |
| Source: | Code function: | 0_2_00401B4E | |
| Source: | Code function: | 0_2_005E1338 | |
| Source: | Code function: | 0_2_005E1340 | |
| Source: | Static PE information: | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Last function: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_0040101A | |
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Code function: | 0_2_00401000 | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Process Injection | 1 Software Packing | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 2 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 13% | ReversingLabs | |||
| 18% | Virustotal | Browse |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1432144 |
| Start date and time: | 2024-04-26 15:33:22 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 1m 56s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 2 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | ugslmd.exe |
| Detection: | MAL |
| Classification: | mal48.winEXE@2/1@0/0 |
| EGA Information: | Failed |
| HCA Information: | Failed |
| Cookbook Comments: |
|
- Execution Graph export aborted for target ugslmd.exe, PID 7136 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
⊘No simulations
| Process: | C:\Users\user\Desktop\ugslmd.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 158 |
| Entropy (8bit): | 4.860800455330473 |
| Encrypted: | false |
| SSDEEP: | 3:JQ4F0nxuWCLQYUnIZJjHZbhF02WRhF8iHuhTySWYMovn:W40gLQ5n2TRhChF81zpv |
| MD5: | 4FADD1BA8EA3F26DBA74156E0FFD73E4 |
| SHA1: | 96AD1043190F1C71618767F1CE0F39CF91B3D87E |
| SHA-256: | D7A1201A82CBECDD918429499BCE842C65CDCA02D71476D6789B368A117EF817 |
| SHA-512: | 3D5FE6DBD3EC0E260659F063945F4594C2C1717F2D61ECCEF4E04230E9CA6952A2BBA4F6FA34BB95DF9A4BB09AB2AB0C89DC921CC2ABAACC9FC0316A009705BD |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.964289450405882 |
| TrID: |
|
| File name: | ugslmd.exe |
| File size: | 643'072 bytes |
| MD5: | 551ed08a9076a98b16ce6dd72c993209 |
| SHA1: | 7f6e01bbbfe0caa479cb9feee9cec092fd4fde9d |
| SHA256: | b3507a576c4b7861f343a95f00e177c0aaeb44fac3400dd054fe8c0aeeeddccd |
| SHA512: | 58570764200da8757b56060d3ab7881107c791dfde23463c8f431f7b5b76e0c3e1f68b15ef09d38286071201dc478a85d003c11ba1a6346f5c1ea37aa3e2e755 |
| SSDEEP: | 12288:+XK4BUw/KnGv8UMmkVmhaPHuukCfb0gLfY+SdZyJxAfjdtOpR8YUa7G:+5lKnghMmkVmhavuuk4TLfKZmedORvPK |
| TLSH: | 7DD423A388484178ECC64F7517B9A8FF9F55E368898DCA1AD251EE134C037B728DD18E |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p26y4SX*4SX*4SX*.\.*:SX*..&*?SX*4SY*&RX*..#*7SX*..6*6SX*..%*6SX*.D.*.SX*4SX*.SX*..5*;RX*.. *5SX*Rich4SX*................PE..L.. |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x680377 |
| Entrypoint Section: | .data11 |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows cui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | |
| Time Stamp: | 0x4B0C27BF [Tue Nov 24 18:36:47 2009 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 7c183f724feb3551aab2593ae1d06669 |
| Instruction |
|---|
| pushfd |
| pushad |
| mov byte ptr [esp+08h], cl |
| mov dword ptr [esp+20h], 864CCD9Eh |
| call 00007F546CAC50D0h |
| stc |
| shl edi, 08h |
| test ch, dl |
| cmc |
| lea esp, dword ptr [esp+60h] |
| jbe 00007F546CAC5D54h |
| bt dx, dx |
| add edi, eax |
| push 692B9188h |
| sub ecx, 01h |
| pushfd |
| call 00007F546CB5BCA8h |
| add byte ptr [eax], al |
| inc esi |
| imul ebp, dword ptr [esi+64h], 73726946h |
| je 00007F546CB59798h |
| imul ebp, dword ptr [ebp+41h], 83DFD200h |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x234540 | 0xc8 | .data11 |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1df000 | 0x1ac | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x28066c | 0x484 | .data11 |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xb75cc | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .textidx | 0xb9000 | 0xa4cea | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| CONST | 0x15e000 | 0x50 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x15f000 | 0x94f6 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x169000 | 0x75418 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x1df000 | 0x1ac | 0x1000 | aa68e70a4ffee646764f17f76b69fdbf | False | 0.070068359375 | data | 0.8981481885262328 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data10 | 0x1e0000 | 0xa034 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data11 | 0x1eb000 | 0x9a931 | 0x9b000 | 6c1764a4905556b2e3fb5c680221e305 | False | 0.9879819808467742 | data | 7.9892958796289655 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_MANIFEST | 0x1df058 | 0x154 | ASCII text, with CRLF line terminators | English | United States | 0.65 |
| DLL | Import |
|---|---|
| MSVCR80.dll | iscntrl, isgraph, islower, isprint, ispunct, isupper, toupper, atol, clearerr, ungetc, isspace, wcscmp, memmove, _amsg_exit, __getmainargs, _cexit, _XcptFilter, __initenv, _initterm, _initterm_e, _configthreadlocale, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, isalpha, __set_app_type, ?terminate@@YAXXZ, _unlock, __dllonexit, _lock, _onexit, _decode_pointer, _except_handler4_common, _invoke_watson, _controlfp_s, _crt_debugger_hook, isalnum, _exit, strncat, sprintf_s, strncpy_s, strtoul, strcpy_s, strcat_s, isxdigit, isdigit, _beginthread, _endthread, _putenv, _wunlink, _wremove, _waccess, strcpy, _wrename, rename, _wstat32, _close, _wopen, _wfreopen, freopen, _wfopen, getchar, _popen, fgetc, perror, exit, _mktime32, _findfirst32, _findnext32, _stat32, _findclose, qsort, longjmp, tolower, fflush, srand, rand, _environ, strtol, __sys_nerr, __sys_errlist, fprintf, __iob_func, abs, _localtime32, _setjmp3, _errno, strrchr, strchr, sscanf, strcat, fgets, strstr, strtok, strncmp, realloc, calloc, _vsnprintf, vsprintf, atoi, strncpy, _time32, strcmp, fseek, ftell, malloc, fread, fputs, fputc, vfprintf, _beginthreadex, _utime32, _locking, _unlink, _open, _stricmp, _strdup, _getpid, _umask, memcmp, remove, free, fopen, fwrite, fclose, memset, _getcwd, _chdir, sprintf, _mkdir, _access, getenv, strlen, memcpy, _encode_pointer, _strnicmp |
| KERNEL32.dll | DeleteFileA, SetConsoleTitleA, IsDebuggerPresent, UnhandledExceptionFilter, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentThreadId, QueryPerformanceCounter, SetUnhandledExceptionFilter, InterlockedCompareExchange, InterlockedExchange, ReleaseSemaphore, OpenSemaphoreA, CreateSemaphoreA, SearchPathA, GetFileSize, LocalFree, LocalAlloc, GetLocalTime, SystemTimeToFileTime, GetSystemTime, GetModuleFileNameA, GetCurrentProcessId, SetLastError, FindClose, FindNextFileA, FindNextFileW, FindFirstFileA, FindFirstFileW, GetModuleHandleA, GetProcessTimes, CreateMutexA, ReleaseMutex, SetHandleInformation, SetErrorMode, GetEnvironmentVariableW, GetEnvironmentVariableA, GetCommandLineW, WideCharToMultiByte, MultiByteToWideChar, VirtualFree, VirtualAlloc, GetCurrentProcess, GetDriveTypeA, GetVolumeInformationA, GetSystemDirectoryA, FormatMessageA, SetEvent, CreateEventA, ResetEvent, Sleep, GetWindowsDirectoryA, DeviceIoControl, WriteFile, ReadFile, CreateFileA, GetLastError, CloseHandle, GetTickCount, GetPrivateProfileIntA, GetPrivateProfileStringA, GetVersionExA, LoadLibraryA, GetProcAddress, FreeLibrary, GetVersion, WaitForSingleObject |
| USER32.dll | DialogBoxIndirectParamA, CreateDialogIndirectParamA, wsprintfA, GetClientRect, ScreenToClient, GetSystemMetrics, MessageBoxA, MoveWindow, ShowWindow, EnableWindow, GetWindowRect, GetDlgItem, SendMessageA, GetWindowLongA, MessageBeep, SetDlgItemTextA, GetDlgItemTextW, GetDlgItemTextA, EndDialog, GetParent, GetFocus, SetFocus, SetWindowTextA, GetActiveWindow |
| NETAPI32.dll | Netbios |
| ADVAPI32.dll | RegQueryValueExA, RegOpenKeyExA, RegCreateKeyExA, RegSetValueExA, RegCloseKey, GetUserNameA, RegDeleteValueA, RegEnumValueA, RegQueryValueExW, RegSetValueExW, GetUserNameW, RegEnumKeyExA, RegQueryInfoKeyA, DeregisterEventSource, RegisterEventSourceA, ReportEventA |
| comdlg32.dll | GetOpenFileNameA |
| COMCTL32.dll | |
| WSOCK32.dll | getsockopt, ntohs, select, connect, socket, closesocket, recv, send, inet_ntoa, setsockopt, getservbyport, gethostbyaddr, gethostbyname, WSAGetLastError, ioctlsocket, htons, getservbyname, inet_addr, WSASetLastError, htonl, ntohl, WSAStartup, gethostname, WSACleanup, getprotobyname, getsockname, __WSAFDIsSet |
| KERNEL32.dll | GetModuleHandleA, LoadLibraryA, LocalAlloc, LocalFree, GetModuleFileNameA, ExitProcess |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 15:34:07 |
| Start date: | 26/04/2024 |
| Path: | C:\Users\user\Desktop\ugslmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 643'072 bytes |
| MD5 hash: | 551ED08A9076A98B16CE6DD72C993209 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 15:34:07 |
| Start date: | 26/04/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7699e0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
Function 0040101A Relevance: 94.8, APIs: 45, Strings: 9, Instructions: 252librarystringloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401000 Relevance: 1.5, APIs: 1, Instructions: 12COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00403D15 Relevance: .2, Instructions: 235COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00407213 Relevance: .2, Instructions: 232COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00409AA9 Relevance: .2, Instructions: 155COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040652E Relevance: .2, Instructions: 152COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00405645 Relevance: .1, Instructions: 128COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00408064 Relevance: .1, Instructions: 120COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00402D97 Relevance: .1, Instructions: 120COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00405601 Relevance: .1, Instructions: 118COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00404221 Relevance: .1, Instructions: 118COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004051B4 Relevance: .1, Instructions: 118COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004092BC Relevance: .1, Instructions: 117COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00408F6C Relevance: .1, Instructions: 117COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00409F0B Relevance: .1, Instructions: 117COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00408911 Relevance: .1, Instructions: 116COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040807B Relevance: .1, Instructions: 115COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040721E Relevance: .1, Instructions: 115COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00404234 Relevance: .1, Instructions: 115COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00407039 Relevance: .1, Instructions: 115COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004092CB Relevance: .1, Instructions: 115COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00407D5C Relevance: .1, Instructions: 115COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00408F7A Relevance: .1, Instructions: 115COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040330A Relevance: .1, Instructions: 115COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00409F1A Relevance: .1, Instructions: 115COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040891E Relevance: .1, Instructions: 115COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00403D25 Relevance: .1, Instructions: 115COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00406539 Relevance: .1, Instructions: 115COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004051CC Relevance: .1, Instructions: 115COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00402DAE Relevance: .1, Instructions: 115COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004047B3 Relevance: .1, Instructions: 115COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004013FE Relevance: 45.7, APIs: 24, Strings: 2, Instructions: 170fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401608 Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 83fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401358 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 48fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |