Windows
Analysis Report
ePAY-Advice_Rf[UC7749879100].exe
Overview
General Information
Detection
Score: | 68 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- ePAY-Advice_Rf[UC7749879100].exe (PID: 6136 cmdline:
C:\Users\u ser\Deskto p\ePAY-Adv ice_Rf[UC7 749879100] .exe MD5: 06BF8620598B674FC3506A2844D42D65)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | ||
JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security |
Click to jump to signature section
AV Detection |
---|
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | 0_2_0040626D | |
Source: | Code function: | 0_2_00405732 | |
Source: | Code function: | 0_2_004026FE |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Code function: | 0_2_004051CF |
Source: | Static PE information: |
Source: | Binary or memory string: |
Source: | Code function: | 0_2_004031D6 |
Source: | Code function: | 0_2_00404A0E | |
Source: | Code function: | 0_2_004065F6 | |
Source: | Code function: | 0_2_6E161A9C |
Source: | Static PE information: |
Source: | Process Stats: |
Source: | ReversingLabs: | ||
Source: | Virustotal: |
Source: | File read: | Jump to behavior |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Code function: | 0_2_004031D6 |
Source: | File created: | Jump to behavior |
Source: | File created: | Jump to behavior |
Source: | File written: | Jump to behavior |
Source: | Classification label: |
Source: | Code function: | 0_2_004020D1 |
Source: | File read: | Jump to behavior |
Source: | Code function: | 0_2_0040449B |
Source: | Static PE information: |
Source: | Binary string: |
Data Obfuscation |
---|
Source: | File source: | ||
Source: | File source: |
Source: | Code function: | 0_2_6E162F4E |
Source: | Code function: | 0_2_6E161A9C |
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file |
Source: | Process information set: | Jump to behavior |
Malware Analysis System Evasion |
---|
Source: | RDTSC instruction interceptor: |
Source: | Dropped PE file which has not been started: | Jump to dropped file |
Source: | Code function: | 0_2_0040626D | |
Source: | Code function: | 0_2_00405732 | |
Source: | Code function: | 0_2_004026FE |
Source: | API call chain: | graph_0-4749 | ||
Source: | API call chain: | graph_0-4919 |
Source: | Code function: | 0_2_6E161A9C |
Source: | Code function: | 0_2_004031D6 |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 1 Native API | Path Interception | 1 Access Token Manipulation | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Access Token Manipulation | LSASS Memory | 3 File and Directory Discovery | Remote Desktop Protocol | 1 Clipboard Data | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 13 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
28% | ReversingLabs | Win32.Trojan.GuLoader | ||
32% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | ReversingLabs | |||
0% | ReversingLabs |
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
100% | Avira | HEUR/AGEN.1223491 | Download File | ||
100% | Avira | HEUR/AGEN.1223491 | Download File |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high |
Joe Sandbox Version: | 37.0.0 Beryl |
Analysis ID: | 828721 |
Start date and time: | 2023-03-17 13:56:47 +01:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 10m 7s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 4 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample file name: | ePAY-Advice_Rf[UC7749879100].exe |
Detection: | MAL |
Classification: | mal68.troj.evad.winEXE@1/17@0/0 |
EGA Information: |
|
HDC Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
- Not all processes where analyzed, report is missing behavior information
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
C:\Users\user\AppData\Local\Temp\nslD140.tmp\System.dll | Get hash | malicious | GuLoader, Lokibot | Browse | ||
Get hash | malicious | GuLoader | Browse | |||
Get hash | malicious | GuLoader, Lokibot | Browse | |||
Get hash | malicious | GuLoader | Browse | |||
Get hash | malicious | GuLoader, Lokibot | Browse | |||
Get hash | malicious | GuLoader | Browse | |||
Get hash | malicious | AveMaria, GuLoader, UACMe | Browse | |||
Get hash | malicious | GuLoader | Browse | |||
Get hash | malicious | GuLoader, Lokibot | Browse | |||
Get hash | malicious | GuLoader | Browse | |||
Get hash | malicious | FormBook, GuLoader | Browse | |||
Get hash | malicious | GuLoader | Browse | |||
Get hash | malicious | FormBook, GuLoader | Browse | |||
Get hash | malicious | GuLoader | Browse | |||
Get hash | malicious | GuLoader | Browse | |||
Get hash | malicious | GuLoader | Browse | |||
Get hash | malicious | GuLoader | Browse | |||
Get hash | malicious | GuLoader | Browse | |||
Get hash | malicious | GuLoader | Browse | |||
Get hash | malicious | GuLoader | Browse |
Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
File Type: | |
Category: | dropped |
Size (bytes): | 54 |
Entropy (8bit): | 4.838039816898156 |
Encrypted: | false |
SSDEEP: | 3:7KG/LmI/cXQQLQIfLBJXmgxv:OG/LmI/cXQQkIP2I |
MD5: | FB5EE2C0CAC332EC8390F50016EF0769 |
SHA1: | 11D9FB52FE5289140B9D52A38B56F99512B3A3A7 |
SHA-256: | C557AFE51AB22916E3423820A09D3805BF9DCDCECBEC4FE8DE2C67FB023BA631 |
SHA-512: | 87CCEA7B203B8BFC4E21544FE4FE9693AF230E246C450E673410565791DFE8257E30354772FDCC114C7068D9295FDB491E9B52D1A3B490C0756E568B70B95C0A |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
File Type: | |
Category: | dropped |
Size (bytes): | 11776 |
Entropy (8bit): | 5.832316471889005 |
Encrypted: | false |
SSDEEP: | 192:4PtkiQJr7jHYT87RfwXQ6YSYtOuVDi7IsFW14Ll8CO:H78TQIgGCDp14LGC |
MD5: | B0C77267F13B2F87C084FD86EF51CCFC |
SHA1: | F7543F9E9B4F04386DFBF33C38CBED1BF205AFB3 |
SHA-256: | A0CAC4CF4852895619BC7743EBEB89F9E4927CCDB9E66B1BCD92A4136D0F9C77 |
SHA-512: | F2B57A2EEA00F52A3C7080F4B5F2BB85A7A9B9F16D12DA8F8FF673824556C62A0F742B72BE0FD82A2612A4B6DBD7E0FDC27065212DA703C2F7E28D199696F66E |
Malicious: | false |
Antivirus: |
|
Joe Sandbox View: |
|
Reputation: | moderate, very likely benign file |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\AEGISIIIRadeonHelper.dll
Download File
Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
File Type: | |
Category: | dropped |
Size (bytes): | 34016 |
Entropy (8bit): | 6.1021284380541925 |
Encrypted: | false |
SSDEEP: | 384:JP7a6wQdSCVWSdoEdXjYmxzfkfIwuWR7UPMEdxsTStsBdMQJK2wKucYkcuhV3:N7a6eiHdFdr7W5UPMgy+OBG2X90uhV3 |
MD5: | 4FC7FC174E80C178225C2509027DF961 |
SHA1: | 9FF62413EC0DD462F5F016EBC804F1D736D24796 |
SHA-256: | 866B31DD39B97DEDAFD0FBD5672639EE91B47AD319C47816B4F6D01BFF93FF8C |
SHA-512: | 29261B9ABC4AF2F51C05B61A37721BC737B411530361A4B48A7BFFAB0F8263EA75BFD51B6E6E94E91E1D02DC442B534C3334B05FD8324E7CF307FA08179A1ED9 |
Malicious: | false |
Antivirus: |
|
Preview: |
Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
File Type: | |
Category: | dropped |
Size (bytes): | 295288 |
Entropy (8bit): | 6.745618664148764 |
Encrypted: | false |
SSDEEP: | 3072:x+/xc6g1BpoF5SmRfY+uynGbbqwHzp8d7fMUMQpnf+Dk64qR/2sE4GjEZQ2CfDU4:MkpGQqruyGqIzgsG5Nq/uC4fQzbEI2 |
MD5: | 4D698E219A6C687613078B94085D51FE |
SHA1: | 52A9BD9EF707F72A14006D4FDA0989F11A5616B9 |
SHA-256: | 5E0F6244C6A33528CFCEC4C23F45F6238EA57818484B602086D26562F498EF49 |
SHA-512: | 02E934B3374EE1CF9195FC7C329D0F4AC4A8DFBB081CDD04F4D76CF5EA92353507B34EAC099A5161CCD36BF11048FA3588A4D7F029FE585979A1D3E3C93E150B |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
File Type: | |
Category: | dropped |
Size (bytes): | 35747 |
Entropy (8bit): | 4.582392134953922 |
Encrypted: | false |
SSDEEP: | 384:x0ApQpUO7nJ9BGe8Gd+zZcrpqHCuY4TIm+io9fUe4KgZzZxrj2V+QRf4TGf:FypbJrGernrspY4s9fUKgpZxrahgTGf |
MD5: | 69FFEE981CA33B2B99A58323AE19A198 |
SHA1: | C9B1C33C92AE9BAE354B11A9F8F09639B7A8D493 |
SHA-256: | 6623E3157B8615EBC31FE362C9058FFA9682A033822ED7A5E965A086D5F069A3 |
SHA-512: | ED48BD96F3D65CA8F3BDBDBEFDF2F40A29468326436D28E4F9B58FF3A7EFB06197525D55777277719270864AA7D5301F3E3478C86E944D3AD054542DA94084A4 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\avatar-default-symbolic.svg
Download File
Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
File Type: | |
Category: | dropped |
Size (bytes): | 266 |
Entropy (8bit): | 4.986245244009802 |
Encrypted: | false |
SSDEEP: | 6:tI9mc4slzc8SRIKMNo/aMhFl1OkUjq5eKVrGDVfqKlNK+:t4C8LKMuyMhPobjoprGDRlj |
MD5: | 8B727826F9D8C0C7C954EDE912CB0DEB |
SHA1: | 1518AA80747326B5353C22D32E57A33D61285119 |
SHA-256: | 0783A7F518D3879C8F0F50B45FBD779A98652469E9B7C659CE41F14D1629D334 |
SHA-512: | 0ABB243F9D1E0B6EDA0CB25D35C3449AB2B5B83078208F11B876A27FF11FF70B79F8BA97D4DA3AED21A8314C75FB2174D9378AF59B57DCB99DFF681D9AAB8561 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\be.txt
Download File
Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12193 |
Entropy (8bit): | 4.4720152705808935 |
Encrypted: | false |
SSDEEP: | 192:i2PDEeaNB1PmcptkcDHxbTvPnc67bMxQxGx4ch/JuLQRcg/oN96bPNljYiYr197:ikDFKBFmcPLx3HPnIsqrJuqcgAN96b87 |
MD5: | 3C21135144AC7452E7DB66F0214F9D68 |
SHA1: | B1EC0589D769EAB5E4E8F0F8C21B157EF5EBB47D |
SHA-256: | D095879B8BBC67A1C9875C5E9896942BACF730BD76155C06105544408068C59E |
SHA-512: | 0446A0E2570A1F360FD8700FD4C869C7E2DBB9476BBDEC2526A53844074C79691542B91455343C50941B8A6D5E02A58EE6AA539CC4C4AE9CF000B4034EF663E2 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\changes-allow-symbolic.svg
Download File
Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
File Type: | |
Category: | dropped |
Size (bytes): | 998 |
Entropy (8bit): | 5.186938379246791 |
Encrypted: | false |
SSDEEP: | 24:t4CBGD0QNRWLLxo2em0yKbRAecFxV0/wXK:gDrc0NtAecFiH |
MD5: | CB1EEE7BDB582B756D0F68EF02D6D96D |
SHA1: | 9E9B0F25BC472EF1C1C13EEAC12FD11C4CC0D2D9 |
SHA-256: | 20EA767E852A8EBF2C5BA16D56CBAE10BD09D6CBA89B372A57EAA973AD3281B4 |
SHA-512: | E22FAEAE78D244A0F4E7215B31125D5AA4FD66C0720B0DE61D12084EAB879D7A9E231CCD5CD431417115B0945B450DC348DA400D67DB1898513B7BD6B9C274DB |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\dotnet.api
Download File
Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1245 |
Entropy (8bit): | 5.462849750105637 |
Encrypted: | false |
SSDEEP: | 24:hM0mIAvy4Wvsqs1Ra7JZRGNeHX+AYcvP2wk1RjdEF3qpMk5:lmIAq1UqsziJZ+eHX+AdP2TvpMk5 |
MD5: | 5343C1A8B203C162A3BF3870D9F50FD4 |
SHA1: | 04B5B886C20D88B57EEA6D8FF882624A4AC1E51D |
SHA-256: | DC1D54DAB6EC8C00F70137927504E4F222C8395F10760B6BEECFCFA94E08249F |
SHA-512: | E0F50ACB6061744E825A4051765CEBF23E8C489B55B190739409D8A79BB08DAC8F919247A4E5F65A015EA9C57D326BBEF7EA045163915129E01F316C4958D949 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\ebook-reader.png
Download File
Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
File Type: | |
Category: | dropped |
Size (bytes): | 555 |
Entropy (8bit): | 7.499536740374189 |
Encrypted: | false |
SSDEEP: | 12:6v/7anZhFxDEKwjAq0kaO/yvSL6T1pjNngLpzPanwmB9HE4JqSjF:5bDEPxdqKLmpqLdynw29kEqSZ |
MD5: | BFF011148B773FA44B9A9BB029E8CC52 |
SHA1: | F2B838927E320D12649CEFDEA3AFE383C6650D7C |
SHA-256: | B21DE7B432A7A67544D007ECC0FDD95F8E8C6129AF558A32102EE04C08635653 |
SHA-512: | A57C83AEE0E1F4C530D2F5B90589C31FD6E2FF8F62F998963284218FAC5EE164BCA7A619A9597DC3E2ECD0095A2CF04467E89EDF86700E1A90B3DF60B5121C9B |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\emblem-photos-symbolic.svg
Download File
Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
File Type: | |
Category: | dropped |
Size (bytes): | 680 |
Entropy (8bit): | 5.109191824773878 |
Encrypted: | false |
SSDEEP: | 12:t4CP5GEA9xI7jhz4AeW02KdTwWjhz4AeW02KdTPqkoop4p:t4CBGEAgF4AeW0/N4AeW0/Zqg4p |
MD5: | 379690952AAA576521D51249D404CBCD |
SHA1: | 61A8A95B0454422AA47379CF983B99FFDD839439 |
SHA-256: | EAD402FB0B85DB153356EC695016FD4F2C4031367D8ED6D1C1EF5FF4F28A8DE8 |
SHA-512: | 35B6BC866C3D02A2486D3447C82405103DE89D46940F7FE44A7009E714BBA57FBE601EEC939C3206ADB06FB31C4FD1D3822A0ED52A346ACFDE5908643432F928 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\font-select-symbolic.symbolic.png
Download File
Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
File Type: | |
Category: | dropped |
Size (bytes): | 220 |
Entropy (8bit): | 6.546211943247282 |
Encrypted: | false |
SSDEEP: | 6:6v/lhPysde0C1jngP3V95D2tOA/RDvhpLUxbVp:6v/7jC1zi3Sr/hW |
MD5: | C84EE7522C124892455BB09DEBCF9340 |
SHA1: | AF87A2A5688346A3902762DD250328B7EF224620 |
SHA-256: | E0A3BD6FE1A1BAEFFE04BCA2980ADF755F888E31DCE3686B16C5DAC4202A38C8 |
SHA-512: | 3BEED79366F15CD075781F677C0C9E84081D2189D1FB541A34AA25980B48701A3D93DC550E4ABEB550EFBE3167B1CAB8338E22F4603C6A71936876FBA75FAD58 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\network-wired-symbolic.symbolic.png
Download File
Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
File Type: | |
Category: | dropped |
Size (bytes): | 144 |
Entropy (8bit): | 5.708279548998072 |
Encrypted: | false |
SSDEEP: | 3:yionv//thPl9vt3lAnsrtxBllAoSF1/LvgStjP9f9uvJYUo+/JHt//sup:6v/lhPysKo21/Lvlt7V9+YUouJH1/jp |
MD5: | 1ED278AD206D6EA33FF787DD326E0FC5 |
SHA1: | 8CFF7AD12FC0E5545E71D05879A0245BEDAF4D46 |
SHA-256: | CC88E76F7C7D2E5B07E49D1F2AD88F8BAFC0542EB11CEB2B2FFF235C87AB4417 |
SHA-512: | 7291085B6153C02EDBF679CDDB93B97DBB74943F216EB622CE9722E02613269F626F8A7A5BE8DA683153E9AEE22C40ED7264E8A0ED62A99F477E2B96642596BF |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\pan-start-symbolic.symbolic.png
Download File
Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
File Type: | |
Category: | dropped |
Size (bytes): | 140 |
Entropy (8bit): | 5.529383944212929 |
Encrypted: | false |
SSDEEP: | 3:yionv//thPl9vt3lAnsrtxBllDM9vFW0p/sXm1MMos9DwlTYTbklt/sbp:6v/lhPysx8vFW0pkX4iZlTYTI3Ebp |
MD5: | 4308BBBAB1DB146494AE5ABB07B8E6DB |
SHA1: | 58121574EEB070E26DDD75A964F3548E176E58A4 |
SHA-256: | EFB732049C674EB25BFCB2FA0CBCC45D24190BF1479C054647F424B31E34C828 |
SHA-512: | 41C9B37516F8D6AB7155F890EE36C26FE4161383A93BFBF696AB18292774C3556642E898361D21CECCBFEFFAF5814495CFAC2C74791E02F068B055BD3AD87DE4 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\printer-symbolic.symbolic.png
Download File
Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
File Type: | |
Category: | dropped |
Size (bytes): | 147 |
Entropy (8bit): | 5.834297280344084 |
Encrypted: | false |
SSDEEP: | 3:yionv//thPl9vt3lAnsrtxBllPhF1MzoQxJrN7djpdXLImeR/mV2kg1p:6v/lhPysx1MzoQxlRZbCRaip |
MD5: | 38D787F55E22FB591135F9250CD259D4 |
SHA1: | 0E135B0E1CA49A6E43DB4CB7596FAEA022E23924 |
SHA-256: | 1ED839B015A67CAB9948469975411D982A96314CE82851EA2F9F6BB8D733A002 |
SHA-512: | 4E21AB54B7110B4CD2EBC0E2CF6DF3F8C7C988495BCCA76949BC3C5EB669A793FCCDA5CB4DDB7B627A21734BD181FE44670757144CC2A007FCB695405F08EC2B |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\pt-br.txt
Download File
Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
File Type: | |
Category: | dropped |
Size (bytes): | 9515 |
Entropy (8bit): | 5.04214621707661 |
Encrypted: | false |
SSDEEP: | 192:icoGT04mzNN8hYivh5gtE/PkjY09fdNQuQ:ibGg4mzNhi4tEHoDfHQuQ |
MD5: | 7B02E1AE16E2E709D7C97DE560B4DBE9 |
SHA1: | 191A54644417F7D36F5CB4182DCDB3737D74BE51 |
SHA-256: | DA0B58F52BBC131F967942D1D8E9DE1B5721AE864BC21852A0AD4062332297CB |
SHA-512: | 4F689F854DB3F766B5E53CE2F19E9F8293C075EE3F9B18098EB05B352F2EC95DF85E49A78540781EB531BCE60C7B1F7890F1FE3C65200DEC3CB908E90FB827A1 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\omfartsvejene\Reberbanernes\Muhamedaneres\Sminknings\LogoCanary.png
Download File
Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
File Type: | |
Category: | dropped |
Size (bytes): | 16669 |
Entropy (8bit): | 7.836876926418697 |
Encrypted: | false |
SSDEEP: | 384:dg1Ew+1FT+/6trrKWzge5jh2xmalhctpNy:W1E1c6tru1CUYa4tDy |
MD5: | F80867A421C85C6E2865CF85FF7C4B02 |
SHA1: | C3EAB6B7E92646FE3407B2B3C5AFFE13A7873C48 |
SHA-256: | BCAA3B1333919176137D4DE4B1E3F31126159B12F959D7277BD8537B95139BD3 |
SHA-512: | 06B51E660AEE86FC3BB068C6DEA046920E04F86B8EDD02E640EAC619F0F0D7E87E5CAE5BE1390CEBC5DFE70AA13BAB1710176E88C9D1C859182629D429745D78 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 7.556713515266732 |
TrID: |
|
File name: | ePAY-Advice_Rf[UC7749879100].exe |
File size: | 329072 |
MD5: | 06bf8620598b674fc3506a2844d42d65 |
SHA1: | 00e28bd96e338f7bfff9c41d985de05f010d8ea7 |
SHA256: | 98883d7d2678fd8cbdad8b8c1ca7cf13a797b1074f081dee24aba14dcc346ffe |
SHA512: | d1e49bf22a28b2521f5ddfe4e0da6a40ebd599a3284f9d25b791e0ded05918e615ed4d65fe5d49c588fcc61e05cd2a80374ebfe94ceed972e5490d255f28dae7 |
SSDEEP: | 6144:iDk/kgv+gAz2TU8tpVy+cofgwCNW8J++jMJnq2UroIbvt:ztD42TU8DdcjNFJgJnqbrh1 |
TLSH: | 4C64F14176A1C823FD6A4630CD91E5F3E1BAFE04C828D10773A13FAFB9352858555EBA |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.v.F.*.....F...v...F...@...F.Rich..F.........................PE..L...+.oZ.................`......... |
Icon Hash: | 08c2b0d8cc64b046 |
Entrypoint: | 0x4031d6 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x5A6FED2B [Tue Jan 30 03:57:31 2018 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 3abe302b6d9a1256e6a915429af4ffd2 |
Signature Valid: | false |
Signature Issuer: | E=spinulation@Johnsen.fo, OU="Releaser Regionplanlov Ellwood ", O=Blodkrftens, L=Fleuriel, S=Auvergne-Rh\xf4ne-Alpes, C=FR |
Signature Validation Error: | A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider |
Error Number: | -2146762487 |
Not Before, Not After |
|
Subject Chain |
|
Version: | 3 |
Thumbprint MD5: | E72625F2F2E4D81D13EEADD636799AE5 |
Thumbprint SHA-1: | 96AB23C902D117D7E57A617EE5CD324FD5CFB328 |
Thumbprint SHA-256: | 4DD00D1164E5A3B45C21C6B0ACA7CDE02DF5C70EBD4F95F3736AD2784DC2D5E4 |
Serial: | 16E55C1D2183D78DF9C4B28EDF378EDD20F08352 |
Instruction |
---|
sub esp, 00000184h |
push ebx |
push esi |
push edi |
xor ebx, ebx |
push 00008001h |
mov dword ptr [esp+18h], ebx |
mov dword ptr [esp+10h], 00409198h |
mov dword ptr [esp+20h], ebx |
mov byte ptr [esp+14h], 00000020h |
call dword ptr [004070A0h] |
call dword ptr [0040709Ch] |
and eax, BFFFFFFFh |
cmp ax, 00000006h |
mov dword ptr [0042370Ch], eax |
je 00007FA1BCC81C53h |
push ebx |
call 00007FA1BCC84D2Ah |
cmp eax, ebx |
je 00007FA1BCC81C49h |
push 00000C00h |
call eax |
mov esi, 00407298h |
push esi |
call 00007FA1BCC84CA6h |
push esi |
call dword ptr [00407098h] |
lea esi, dword ptr [esi+eax+01h] |
cmp byte ptr [esi], bl |
jne 00007FA1BCC81C2Dh |
push 0000000Ah |
call 00007FA1BCC84CFEh |
push 00000008h |
call 00007FA1BCC84CF7h |
push 00000006h |
mov dword ptr [00423704h], eax |
call 00007FA1BCC84CEBh |
cmp eax, ebx |
je 00007FA1BCC81C51h |
push 0000001Eh |
call eax |
test eax, eax |
je 00007FA1BCC81C49h |
or byte ptr [0042370Fh], 00000040h |
push ebp |
call dword ptr [00407044h] |
push ebx |
call dword ptr [00407288h] |
mov dword ptr [004237D8h], eax |
push ebx |
lea eax, dword ptr [esp+38h] |
push 00000160h |
push eax |
push ebx |
push 0041ECC8h |
call dword ptr [00407178h] |
push 00409188h |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7428 | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x36000 | 0xa3c0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x4fb50 | 0xa20 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x298 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x5f0d | 0x6000 | False | 0.6649169921875 | data | 6.450520423955375 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x7000 | 0x1248 | 0x1400 | False | 0.4275390625 | data | 5.007650149182371 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x9000 | 0x1a818 | 0x400 | False | 0.6376953125 | data | 5.129587811765307 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.ndata | 0x24000 | 0x12000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x36000 | 0xa3c0 | 0xa400 | False | 0.0760766006097561 | data | 1.8822021165260459 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_BITMAP | 0x36268 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States |
RT_ICON | 0x365d0 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 0 | English | United States |
RT_DIALOG | 0x3fa78 | 0x144 | data | English | United States |
RT_DIALOG | 0x3fbc0 | 0x13c | data | English | United States |
RT_DIALOG | 0x3fd00 | 0x120 | data | English | United States |
RT_DIALOG | 0x3fe20 | 0x11c | data | English | United States |
RT_DIALOG | 0x3ff40 | 0xc4 | data | English | United States |
RT_DIALOG | 0x40008 | 0x60 | data | English | United States |
RT_GROUP_ICON | 0x40068 | 0x14 | data | English | United States |
RT_MANIFEST | 0x40080 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States |
DLL | Import |
---|---|
KERNEL32.dll | GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetCurrentDirectoryA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA |
USER32.dll | ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA |
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA |
ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA |
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Target ID: | 0 |
Start time: | 13:57:43 |
Start date: | 17/03/2023 |
Path: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 329072 bytes |
MD5 hash: | 06BF8620598B674FC3506A2844D42D65 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Execution Graph
Execution Coverage: | 21.4% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 20.6% |
Total number of Nodes: | 1494 |
Total number of Limit Nodes: | 49 |
Graph
Function 004031D6 Relevance: 89.6, APIs: 32, Strings: 19, Instructions: 366stringcomfileCOMMON
Control-flow Graph
C-Code - Quality: 86% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00404A0E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMONCrypto
Control-flow Graph
C-Code - Quality: 96% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E161A9C Relevance: 25.1, APIs: 13, Strings: 1, Instructions: 571stringlibrarymemoryCOMMONCrypto
C-Code - Quality: 95% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405732 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159filestringCOMMON
Control-flow Graph
C-Code - Quality: 98% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004065F6 Relevance: 5.4, APIs: 4, Instructions: 382COMMONCrypto
C-Code - Quality: 98% |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
C-Code - Quality: 84% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00403798 Relevance: 47.5, APIs: 14, Strings: 13, Instructions: 215stringregistryCOMMON
Control-flow Graph
C-Code - Quality: 96% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
C-Code - Quality: 80% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405F8C Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199stringCOMMON
Control-flow Graph
C-Code - Quality: 72% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401759 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 147stringtimeCOMMON
Control-flow Graph
C-Code - Quality: 61% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
C-Code - Quality: 100% |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00406294 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON
Control-flow Graph
C-Code - Quality: 100% |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
C-Code - Quality: 94% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00402003 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73libraryloaderCOMMON
Control-flow Graph
C-Code - Quality: 60% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
C-Code - Quality: 100% |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
C-Code - Quality: 94% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401C0A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON
Control-flow Graph
C-Code - Quality: 59% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004023D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON
C-Code - Quality: 83% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 21% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 87% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405005 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
C-Code - Quality: 89% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405E51 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON
C-Code - Quality: 90% |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405609 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
C-Code - Quality: 100% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00406A2B Relevance: 5.2, APIs: 4, Instructions: 236COMMON
C-Code - Quality: 99% |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00406C2C Relevance: 5.2, APIs: 4, Instructions: 208COMMON
C-Code - Quality: 98% |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00406942 Relevance: 5.2, APIs: 4, Instructions: 205COMMON
C-Code - Quality: 98% |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00406447 Relevance: 5.2, APIs: 4, Instructions: 198COMMON
C-Code - Quality: 98% |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00406895 Relevance: 5.2, APIs: 4, Instructions: 180COMMON
C-Code - Quality: 98% |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004069B3 Relevance: 5.2, APIs: 4, Instructions: 170COMMON
C-Code - Quality: 98% |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004068FF Relevance: 5.2, APIs: 4, Instructions: 168COMMON
C-Code - Quality: 98% |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 86% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E1628E5 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21memoryCOMMON
C-Code - Quality: 100% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 84% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON
C-Code - Quality: 59% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401E2B Relevance: 3.0, APIs: 2, Instructions: 25COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405B03 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
C-Code - Quality: 68% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405ADE Relevance: 3.0, APIs: 2, Instructions: 13COMMON
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004055D4 Relevance: 3.0, APIs: 2, Instructions: 9COMMON
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004025CA Relevance: 1.6, APIs: 1, Instructions: 76COMMON
C-Code - Quality: 100% |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040166A Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON
C-Code - Quality: 70% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00402688 Relevance: 1.5, APIs: 1, Instructions: 28COMMON
C-Code - Quality: 40% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004022FC Relevance: 1.5, APIs: 1, Instructions: 26COMMON
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405B7B Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405BAA Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00402340 Relevance: 1.5, APIs: 1, Instructions: 20COMMON
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040159D Relevance: 1.5, APIs: 1, Instructions: 18COMMON
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040403E Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040318E Relevance: 1.5, APIs: 1, Instructions: 6COMMON
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E161215 Relevance: 1.3, APIs: 1, Instructions: 4memoryCOMMON
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004051CF Relevance: 54.3, APIs: 36, Instructions: 282windowclipboardmemoryCOMMON
C-Code - Quality: 96% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040449B Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274stringCOMMON
C-Code - Quality: 78% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 74% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004026FE Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON
C-Code - Quality: 39% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00404174 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 202windowstringCOMMON
C-Code - Quality: 93% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 90% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405BD9 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON
C-Code - Quality: 100% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 77% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E1622B5 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 140memoryCOMMON
C-Code - Quality: 86% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00404070 Relevance: 12.1, APIs: 8, Instructions: 68COMMON
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040495C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
C-Code - Quality: 100% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 73% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00402C7C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON
C-Code - Quality: 100% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 37% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E16183B Relevance: 7.7, APIs: 5, Instructions: 194COMMON
C-Code - Quality: 97% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401D41 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00404852 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON
C-Code - Quality: 77% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004059F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46stringCOMMON
C-Code - Quality: 53% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405902 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
C-Code - Quality: 100% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 84% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00402CFF Relevance: 6.0, APIs: 4, Instructions: 33COMMON
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405949 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON
C-Code - Quality: 100% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E1610E0 Relevance: 5.1, APIs: 4, Instructions: 102memoryCOMMON
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405A68 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |