Analysis Report ERRoqGpsIS
Overview
General Information
Detection
Score: | 60 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Startup |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
AV Detection: |
---|
Multi AV Scanner detection for dropped file |
Source: | Virustotal, Metadefender, ReversingLabs |
Multi AV Scanner detection for submitted file |
Source: | Virustotal, Metadefender, ReversingLabs |
Compliance: |
---|
Uses 32bit PE files |
Source: | Static PE information |
Uses secure TLS version for HTTPS connections |
Source: | HTTPS traffic detected |
Binary contains paths to debug symbols |
Source: | Binary string |
HIPS / PFW / Operating System Protection Evasion: |
---|
Contains functionality to inject code into remote processes |
Source: | Code function: | 0_2_6E4CDD00 |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Native API1 | DLL Side-Loading1 | Access Token Manipulation1 | Masquerading1 | OS Credential Dumping | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection112 | Virtualization/Sandbox Evasion1 | LSASS Memory | Security Software Discovery12 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | DLL Side-Loading1 | Access Token Manipulation1 | Security Account Manager | Virtualization/Sandbox Evasion1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection112 | NTDS | Process Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information3 | Cached Domain Credentials | File and Directory Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing1 | DCSync | System Information Discovery23 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Detection | Scanner | Label |
---|---|---|
58% | Virustotal | |
24% | Metadefender | |
50% | ReversingLabs | Win32.Trojan.Zeus |
Dropped Files |
---|
Detection | Scanner | Label |
---|---|---|
58% | Virustotal | |
24% | Metadefender | |
50% | ReversingLabs | Win32.Trojan.Zeus |
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
Detection | Scanner | Label |
---|---|---|
1% | Virustotal | |
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
earfetti.com | 104.21.45.75 | true | false | | unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
104.21.45.75 | unknown | United States | 13335 | CLOUDFLARENETUS | false |
General Information |
---|
Joe Sandbox Version: | 31.0.0 Emerald |
Analysis ID: | 352815 |
Start date: | 14.02.2021 |
Start time: | 15:13:10 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 6m 42s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | ERRoqGpsIS (renamed file extension from none to dll) |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 30 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal60.evad.winDLL@3/1@1/1 |
EGA Information: | Failed |
HDC Information: | |
HCA Information: | |
Cookbook Comments: | |
Warnings: | |
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
IPs |
---|
No context |
---|
Domains |
---|
No context |
---|
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Context |
---|---|---|---|---|
CLOUDFLARENETUS | | | malicious | |
JA3 Fingerprints |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Context |
---|---|---|---|---|
37f463bf4616ecd445d4a1937da06e19 | | | malicious | |
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Windows\SysWOW64\msiexec.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 371200 |
Entropy (8bit): | 6.696631640331289 |
Encrypted: | false |
SSDEEP: | 6144:X5fVAHOvzY7zHY0Uxen/0TP1a2arz7JjOGG3v2WYXmpHdwpc2:X5wgmY0ZMTZIOGyv2WYWNdI |
MD5: | D2852A3B2A20846528CEC53426FD5F9C |
SHA1: | 1FA892F9280708E7C82E958BEC516BB2B09351F3 |
SHA-256: | 8E50DA51386C2F267AFAF1A419E4467D62C01C9704F0E17C4AA188D0C090C8B2 |
SHA-512: | 247FAE9F2C9BDCA9D7EB4F44996E7E28D2CD9B7C87EA05A15B72ECB073750C8D9199D585771366687C43D802EB474E9486BB328D2984ABEB4AACEE62916CA2B6 |
Malicious: | true |
Antivirus: | |
Reputation: | low |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 6.696631640331289 |
TrID: | |
File name: | ERRoqGpsIS.dll |
File size: | 371200 |
MD5: | d2852a3b2a20846528cec53426fd5f9c |
SHA1: | 1fa892f9280708e7c82e958bec516bb2b09351f3 |
SHA256: | 8e50da51386c2f267afaf1a419e4467d62c01c9704f0e17c4aa188d0c090c8b2 |
SHA512: | 247fae9f2c9bdca9d7eb4f44996e7e28d2cd9b7c87ea05a15b72ecb073750c8d9199d585771366687c43d802eb474e9486bb328d2984abeb4aacee62916ca2b6 |
SSDEEP: | 6144:X5fVAHOvzY7zHY0Uxen/0TP1a2arz7JjOGG3v2WYXmpHdwpc2:X5wgmY0ZMTZIOGyv2WYWNdI |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........8.M.V.M.V.M.V.S...Y.V.S...$.V.D...H.V.M.W.=.V.S...d.V.S...L.V.S...L.V.S...L.V.RichM.V.........................PE..L.....hK... |
File Icon |
---|
Icon Hash: | 74f0e4ecccdce0e4 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x10038f4c |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x10000000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
DLL Characteristics: | DYNAMIC_BASE |
Time Stamp: | 0x4B688CFC [Tue Feb 2 20:37:16 2010 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | ac24111956da8096856f399aab20c9c0 |
Entrypoint Preview |
---|
Instruction |
---|
mov edi, edi |
push ebp |
mov ebp, esp |
cmp dword ptr [ebp+0Ch], 01h |
jne 00007FCD40E11727h |
call 00007FCD40E17991h |
push dword ptr [ebp+08h] |
mov ecx, dword ptr [ebp+10h] |
mov edx, dword ptr [ebp+0Ch] |
call 00007FCD40E11611h |
pop ecx |
pop ebp |
retn 000Ch |
mov edi, edi |
push ebp |
mov ebp, esp |
mov eax, dword ptr [ebp+08h] |
xor ecx, ecx |
cmp eax, dword ptr [10058628h+ecx*8] |
je 00007FCD40E11735h |
inc ecx |
cmp ecx, 2Dh |
jc 00007FCD40E11713h |
lea ecx, dword ptr [eax-13h] |
cmp ecx, 11h |
jnbe 00007FCD40E11730h |
push 0000000Dh |
pop eax |
pop ebp |
ret |
mov eax, dword ptr [1005862Ch+ecx*8] |
pop ebp |
ret |
add eax, FFFFFF44h |
push 0000000Eh |
pop ecx |
cmp ecx, eax |
sbb eax, eax |
and eax, ecx |
add eax, 08h |
pop ebp |
ret |
call 00007FCD40E13B21h |
test eax, eax |
jne 00007FCD40E11728h |
mov eax, 10058790h |
ret |
add eax, 08h |
ret |
call 00007FCD40E13B0Eh |
test eax, eax |
jne 00007FCD40E11728h |
mov eax, 10058794h |
ret |
add eax, 0Ch |
ret |
mov edi, edi |
push ebp |
mov ebp, esp |
push esi |
call 00007FCD40E11707h |
mov ecx, dword ptr [ebp+08h] |
push ecx |
mov dword ptr [eax], ecx |
call 00007FCD40E116A7h |
pop ecx |
mov esi, eax |
call 00007FCD40E116E1h |
mov dword ptr [eax], esi |
pop esi |
pop ebp |
ret |
mov edi, edi |
push ebp |
mov ebp, esp |
mov eax, dword ptr [ebp+08h] |
mov dword ptr [1006A5ECh], eax |
pop ebp |
ret |
mov edi, edi |
push ebp |
mov ebp, esp |
sub esp, 00000328h |
Rich Headers |
---|
Programming Language: | |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x57480 | 0x45 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x56b9c | 0x3c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6c000 | 0x518 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6d000 | 0x16f8 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x451c0 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x557c8 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x45000 | 0x18c | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x43abe | 0x43c00 | False | 0.716375259456 | data | 6.67890498403 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x45000 | 0x124c5 | 0x12600 | False | 0.576570471939 | data | 6.42887953464 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x58000 | 0x131c4 | 0x1800 | False | 0.326822916667 | data | 4.20462332091 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x6c000 | 0x518 | 0x600 | False | 0.376953125 | data | 2.9425525328 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x6d000 | 0x257e | 0x2600 | False | 0.490748355263 | data | 4.89739942249 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_STRING | 0x6c3e0 | 0x138 | data | English | United States |
RT_VERSION | 0x6c0a0 | 0x340 | data | English | United States |
Imports |
---|
DLL | Import |
---|---|
KERNEL32.dll | GetFileAttributesA, GetTempFileNameA, CopyFileA, GetShortPathNameA, GetEnvironmentVariableA, WaitForMultipleObjects, QueryPerformanceCounter, CreateFileA, GetWindowsDirectoryA, GetSystemTime, OpenProcess, GetVersionExA, GetModuleHandleA, GetDateFormatA, SizeofResource, LoadResource, Sleep, GetCurrentDirectoryA, VirtualProtect, FindFirstChangeNotificationA, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, SetFileAttributesA, GetLastError, DuplicateHandle, GetCurrentProcess, CloseHandle, HeapFree, HeapReAlloc, HeapAlloc, RtlUnwind, GetCurrentThreadId, GetCommandLineA, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, SetStdHandle, EnterCriticalSection, LeaveCriticalSection, GetFileType, SetHandleCount, GetStdHandle, GetStartupInfoA, DeleteCriticalSection, GetProcAddress, WriteFile, GetModuleFileNameA, GetModuleHandleW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, InterlockedDecrement, HeapCreate, HeapDestroy, VirtualFree, VirtualAlloc, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, LCMapStringA, WideCharToMultiByte, MultiByteToWideChar, LCMapStringW, ExitProcess, RaiseException, HeapSize, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, GetConsoleCP, GetConsoleMode, SetFilePointer, SetEndOfFile, GetProcessHeap, ReadFile, LoadLibraryA, GetLocaleInfoA, GetStringTypeA, GetStringTypeW |
WINSPOOL.DRV | GetJobA, EnumPrintersA, GetPrinterDataA, AddPrinterConnectionA, OpenPrinterA, DocumentPropertiesA, ClosePrinter |
Exports |
---|
Name | Ordinal | Address |
---|---|---|
Knowequal | 1 | 0x10031210 |
Version Infos |
---|
Description | Data |
---|---|
LegalCopyright | Copyright 2006, Pound sense Blackmiss |
InternalName | Rain.dll |
FileVersion | 2.8.7.867 |
CompanyName | Pound sense |
LegalTrademarks | Trade shout |
Comments | http://www.enoughthose.de |
ProductName | Trade shout Modernplant |
ProductVersion | 2.8.7.867 |
FileDescription | Trade shout |
Translation | 0x0409 0x04b0 |
Possible Origin |
---|
Language of compilation system | Country where language is spoken |
---|---|
English | United States |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 14, 2021 15:14:49.487767935 CET | 49728 | 443 | 192.168.2.3 | 104.21.45.75 |
Feb 14, 2021 15:14:49.534969091 CET | 443 | 49728 | 104.21.45.75 | 192.168.2.3 |
Feb 14, 2021 15:14:49.535067081 CET | 49728 | 443 | 192.168.2.3 | 104.21.45.75 |
Feb 14, 2021 15:14:49.610646009 CET | 49728 | 443 | 192.168.2.3 | 104.21.45.75 |
Feb 14, 2021 15:14:49.659398079 CET | 443 | 49728 | 104.21.45.75 | 192.168.2.3 |
Feb 14, 2021 15:14:49.666059971 CET | 443 | 49728 | 104.21.45.75 | 192.168.2.3 |
Feb 14, 2021 15:14:49.666114092 CET | 443 | 49728 | 104.21.45.75 | 192.168.2.3 |
Feb 14, 2021 15:14:49.666140079 CET | 49728 | 443 | 192.168.2.3 | 104.21.45.75 |
Feb 14, 2021 15:14:49.666178942 CET | 49728 | 443 | 192.168.2.3 | 104.21.45.75 |
Feb 14, 2021 15:14:49.751667023 CET | 49728 | 443 | 192.168.2.3 | 104.21.45.75 |
Feb 14, 2021 15:14:49.798507929 CET | 443 | 49728 | 104.21.45.75 | 192.168.2.3 |
Feb 14, 2021 15:14:49.798583984 CET | 443 | 49728 | 104.21.45.75 | 192.168.2.3 |
Feb 14, 2021 15:14:49.798669100 CET | 49728 | 443 | 192.168.2.3 | 104.21.45.75 |
Feb 14, 2021 15:14:49.812918901 CET | 49728 | 443 | 192.168.2.3 | 104.21.45.75 |
Feb 14, 2021 15:14:49.859961033 CET | 443 | 49728 | 104.21.45.75 | 192.168.2.3 |
Feb 14, 2021 15:16:29.933207989 CET | 443 | 49728 | 104.21.45.75 | 192.168.2.3 |
Feb 14, 2021 15:16:29.933254957 CET | 443 | 49728 | 104.21.45.75 | 192.168.2.3 |
Feb 14, 2021 15:16:29.933281898 CET | 443 | 49728 | 104.21.45.75 | 192.168.2.3 |
Feb 14, 2021 15:16:29.933309078 CET | 443 | 49728 | 104.21.45.75 | 192.168.2.3 |
Feb 14, 2021 15:16:29.934592962 CET | 49728 | 443 | 192.168.2.3 | 104.21.45.75 |
Feb 14, 2021 15:16:29.948129892 CET | 49728 | 443 | 192.168.2.3 | 104.21.45.75 |
Feb 14, 2021 15:16:29.948185921 CET | 49728 | 443 | 192.168.2.3 | 104.21.45.75 |
Feb 14, 2021 15:16:29.994148016 CET | 49740 | 443 | 192.168.2.3 | 104.21.45.75 |
Feb 14, 2021 15:16:29.994843960 CET | 443 | 49728 | 104.21.45.75 | 192.168.2.3 |
Feb 14, 2021 15:16:29.995969057 CET | 49728 | 443 | 192.168.2.3 | 104.21.45.75 |
Feb 14, 2021 15:16:30.043862104 CET | 443 | 49740 | 104.21.45.75 | 192.168.2.3 |
Feb 14, 2021 15:16:30.044997931 CET | 49740 | 443 | 192.168.2.3 | 104.21.45.75 |
Feb 14, 2021 15:16:30.045798063 CET | 49740 | 443 | 192.168.2.3 | 104.21.45.75 |
Feb 14, 2021 15:16:30.095467091 CET | 443 | 49740 | 104.21.45.75 | 192.168.2.3 |
Feb 14, 2021 15:16:30.100220919 CET | 443 | 49740 | 104.21.45.75 | 192.168.2.3 |
Feb 14, 2021 15:16:30.101340055 CET | 49740 | 443 | 192.168.2.3 | 104.21.45.75 |
Feb 14, 2021 15:16:30.102818966 CET | 49740 | 443 | 192.168.2.3 | 104.21.45.75 |
Feb 14, 2021 15:16:30.111588001 CET | 49740 | 443 | 192.168.2.3 | 104.21.45.75 |
Feb 14, 2021 15:16:30.152415991 CET | 443 | 49740 | 104.21.45.75 | 192.168.2.3 |
Feb 14, 2021 15:16:30.158453941 CET | 443 | 49740 | 104.21.45.75 | 192.168.2.3 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 14, 2021 15:13:53.779870987 CET | 55984 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 14, 2021 15:13:53.833713055 CET | 53 | 55984 | 8.8.8.8 | 192.168.2.3 |
Feb 14, 2021 15:13:54.783674002 CET | 64185 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 14, 2021 15:13:54.834642887 CET | 53 | 64185 | 8.8.8.8 | 192.168.2.3 |
Feb 14, 2021 15:13:55.744131088 CET | 65110 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 14, 2021 15:13:55.797287941 CET | 53 | 65110 | 8.8.8.8 | 192.168.2.3 |
Feb 14, 2021 15:13:56.768134117 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 14, 2021 15:13:56.818962097 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3 |
Feb 14, 2021 15:13:58.000653028 CET | 63492 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 14, 2021 15:13:58.051071882 CET | 53 | 63492 | 8.8.8.8 | 192.168.2.3 |
Feb 14, 2021 15:13:58.969991922 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 14, 2021 15:13:59.018657923 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3 |
Feb 14, 2021 15:14:02.556644917 CET | 60100 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 14, 2021 15:14:02.614069939 CET | 53 | 60100 | 8.8.8.8 | 192.168.2.3 |
Feb 14, 2021 15:14:03.568470001 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 14, 2021 15:14:03.617177010 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3 |
Feb 14, 2021 15:14:04.558250904 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 14, 2021 15:14:04.608815908 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3 |
Feb 14, 2021 15:14:05.496462107 CET | 53023 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 14, 2021 15:14:05.545178890 CET | 53 | 53023 | 8.8.8.8 | 192.168.2.3 |
Feb 14, 2021 15:14:06.416781902 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 14, 2021 15:14:06.468369007 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3 |
Feb 14, 2021 15:14:07.459033966 CET | 51352 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 14, 2021 15:14:07.516412973 CET | 53 | 51352 | 8.8.8.8 | 192.168.2.3 |
Feb 14, 2021 15:14:27.337965012 CET | 59349 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 14, 2021 15:14:27.396882057 CET | 53 | 59349 | 8.8.8.8 | 192.168.2.3 |
Feb 14, 2021 15:14:33.424895048 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 14, 2021 15:14:33.475251913 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3 |
Feb 14, 2021 15:14:34.051234007 CET | 58823 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 14, 2021 15:14:34.099978924 CET | 53 | 58823 | 8.8.8.8 | 192.168.2.3 |
Feb 14, 2021 15:14:42.394396067 CET | 57568 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 14, 2021 15:14:42.455096006 CET | 53 | 57568 | 8.8.8.8 | 192.168.2.3 |
Feb 14, 2021 15:14:43.366034031 CET | 50540 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 14, 2021 15:14:43.424896955 CET | 53 | 50540 | 8.8.8.8 | 192.168.2.3 |
Feb 14, 2021 15:14:49.401484966 CET | 54366 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 14, 2021 15:14:49.471363068 CET | 53 | 54366 | 8.8.8.8 | 192.168.2.3 |
Feb 14, 2021 15:14:55.091443062 CET | 53034 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 14, 2021 15:14:55.215946913 CET | 53 | 53034 | 8.8.8.8 | 192.168.2.3 |
Feb 14, 2021 15:15:09.721174002 CET | 57762 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 14, 2021 15:15:09.772667885 CET | 53 | 57762 | 8.8.8.8 | 192.168.2.3 |
Feb 14, 2021 15:15:12.800273895 CET | 55435 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 14, 2021 15:15:12.858443975 CET | 53 | 55435 | 8.8.8.8 | 192.168.2.3 |
Feb 14, 2021 15:15:44.174472094 CET | 50713 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 14, 2021 15:15:44.226191044 CET | 53 | 50713 | 8.8.8.8 | 192.168.2.3 |
Feb 14, 2021 15:15:46.026094913 CET | 56132 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 14, 2021 15:15:46.086096048 CET | 53 | 56132 | 8.8.8.8 | 192.168.2.3 |
Feb 14, 2021 15:16:42.294533014 CET | 58987 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 14, 2021 15:16:42.383766890 CET | 53 | 58987 | 8.8.8.8 | 192.168.2.3 |
Feb 14, 2021 15:16:43.128657103 CET | 56579 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 14, 2021 15:16:43.219723940 CET | 53 | 56579 | 8.8.8.8 | 192.168.2.3 |
Feb 14, 2021 15:16:43.708333015 CET | 60633 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 14, 2021 15:16:43.768307924 CET | 53 | 60633 | 8.8.8.8 | 192.168.2.3 |
Feb 14, 2021 15:16:44.137789965 CET | 61292 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 14, 2021 15:16:44.194751024 CET | 53 | 61292 | 8.8.8.8 | 192.168.2.3 |
Feb 14, 2021 15:16:44.588352919 CET | 63619 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 14, 2021 15:16:44.637173891 CET | 53 | 63619 | 8.8.8.8 | 192.168.2.3 |
Feb 14, 2021 15:16:45.082493067 CET | 64938 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 14, 2021 15:16:45.142441034 CET | 53 | 64938 | 8.8.8.8 | 192.168.2.3 |
Feb 14, 2021 15:16:45.608637094 CET | 61946 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 14, 2021 15:16:45.667982101 CET | 53 | 61946 | 8.8.8.8 | 192.168.2.3 |
Feb 14, 2021 15:16:46.241221905 CET | 64910 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 14, 2021 15:16:46.300915003 CET | 53 | 64910 | 8.8.8.8 | 192.168.2.3 |
Feb 14, 2021 15:16:46.914968014 CET | 52123 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 14, 2021 15:16:46.972372055 CET | 53 | 52123 | 8.8.8.8 | 192.168.2.3 |
Feb 14, 2021 15:16:47.374217987 CET | 56130 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 14, 2021 15:16:47.436702013 CET | 53 | 56130 | 8.8.8.8 | 192.168.2.3 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Feb 14, 2021 15:14:49.401484966 CET | 192.168.2.3 | 8.8.8.8 | 0xdde | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Feb 14, 2021 15:14:33.475251913 CET | 8.8.8.8 | 192.168.2.3 | 0xd5be | No error (0) | | www.tm.a.prd.aadg.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) |
Feb 14, 2021 15:14:49.471363068 CET | 8.8.8.8 | 192.168.2.3 | 0xdde | No error (0) | | | 104.21.45.75 | A (IP address) | IN (0x0001) |
Feb 14, 2021 15:14:49.471363068 CET | 8.8.8.8 | 192.168.2.3 | 0xdde | No error (0) | | | 172.67.211.56 | A (IP address) | IN (0x0001) |
HTTPS Packets |
---|
Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest |
---|---|---|---|---|---|---|---|---|---|---|
Feb 14, 2021 15:14:49.666114092 CET | 104.21.45.75 | 443 | 192.168.2.3 | 49728 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Thu Jan 28 01:00:00 CET 2021 | Fri Jan 28 00:59:59 CET 2022 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19 |
| | | | | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:48:08 CET 2020 | Wed Jan 01 00:59:59 CET 2025 | | |
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 15:13:59 |
Start date: | 14/02/2021 |
Path: | C:\Windows\System32\loaddll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x150000 |
File size: | 121856 bytes |
MD5 hash: | 99D621E00EFC0B8F396F38D5555EB078 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
General |
---|
Start time: | 15:14:44 |
Start date: | 14/02/2021 |
Path: | C:\Windows\SysWOW64\msiexec.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x12a0000 |
File size: | 59904 bytes |
MD5 hash: | 12C17B5A5C2A7B97342C362CA467E9A2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|
Executed Functions |
---|
Function 6E4CDD00, Relevance: 21.4, APIs: 11, Strings: 1, Instructions: 434, Tags: thread, injection, memory, COMMON
C-Code - Quality: 90% |
APIs |
Strings |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4B2B90, Relevance: .1, Instructions: 125, Tags: COMMON, Crypto
C-Code - Quality: 100% |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4E0750, Relevance: 9.5, APIs: 2, Strings: 3, Instructions: 726, Tags: sleep, COMMON
APIs |
Strings |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4CFC90, Relevance: 6.0, APIs: 4, Instructions: 27, Tags: COMMON
C-Code - Quality: 100% |
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
APIs |
Strings |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4E6D80, Relevance: 3.2, APIs: 2, Instructions: 181, Tags: COMMON
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4E6F3C, Relevance: 1.6, APIs: 1, Instructions: 82, Tags: COMMON
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4E6F5B, Relevance: 1.6, APIs: 1, Instructions: 80, Tags: COMMON
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4CD430, Relevance: 1.5, APIs: 1, Instructions: 27, Tags: memory, COMMON
C-Code - Quality: 100% |
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4EB77E, Relevance: 1.5, APIs: 1, Instructions: 20, Tags: memory, COMMON
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4EB1D6, Relevance: 1.5, APIs: 1, Instructions: 4, Tags: COMMON
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
---|
Function 6E4E8B05, Relevance: 7.6, APIs: 5, Instructions: 58, Tags: COMMON
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4CF870, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 250, Tags: library, loader, COMMON
C-Code - Quality: 87% |
APIs |
Strings |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4C1D60, Relevance: 2.7, Strings: 2, Instructions: 181, Tags: COMMON
C-Code - Quality: 100% |
Strings |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 92% |
Strings |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 93% |
Strings |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4C88F0, Relevance: .4, Instructions: 429, Tags: COMMON, Crypto
C-Code - Quality: 96% |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4B7170, Relevance: .3, Instructions: 325, Tags: COMMON
C-Code - Quality: 91% |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4CEAB0, Relevance: .2, Instructions: 221, Tags: COMMON
C-Code - Quality: 100% |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4C9BF0, Relevance: .1, Instructions: 133, Tags: COMMON
C-Code - Quality: 60% |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4B2DD0, Relevance: .1, Instructions: 116, Tags: COMMON, Crypto
C-Code - Quality: 96% |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4BB3D0, Relevance: .1, Instructions: 111, Tags: COMMON, Crypto
C-Code - Quality: 100% |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4B3E10, Relevance: .1, Instructions: 98, Tags: COMMON, Crypto
C-Code - Quality: 100% |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4BC9A0, Relevance: .1, Instructions: 95, Tags: COMMON, Crypto
C-Code - Quality: 100% |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E509E34, Relevance: .1, Instructions: 75, Tags: COMMON
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4BEB90, Relevance: .1, Instructions: 75, Tags: COMMON
C-Code - Quality: 43% |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4D0230, Relevance: .1, Instructions: 74, Tags: COMMON
C-Code - Quality: 67% |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E50A22D, Relevance: .1, Instructions: 53, Tags: COMMON
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4B2730, Relevance: .0, Instructions: 46, Tags: COMMON
C-Code - Quality: 100% |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4CE970, Relevance: .0, Instructions: 42, Tags: COMMON
C-Code - Quality: 100% |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4C1F90, Relevance: .0, Instructions: 26, Tags: COMMON
C-Code - Quality: 100% |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4EDA28, Relevance: .0, Instructions: 18, Tags: COMMON
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4C3E90, Relevance: .0, Instructions: 2, Tags: COMMON
C-Code - Quality: 100% |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4E1C50, Relevance: 19.7, APIs: 13, Instructions: 172, Tags: COMMON
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Strings |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4E8BE3, Relevance: 10.6, APIs: 7, Instructions: 77, Tags: COMMON
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4EDD63, Relevance: 9.0, APIs: 6, Instructions: 49, Tags: COMMON
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4E7123, Relevance: 7.6, APIs: 5, Instructions: 96, Tags: COMMON
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4EC6BB, Relevance: 7.5, APIs: 5, Instructions: 47, Tags: COMMON
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4E75EF, Relevance: 7.5, APIs: 5, Instructions: 44, Tags: memory, COMMON
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4B2A90, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 96, Tags: registry, COMMON
C-Code - Quality: 100% |
APIs |
Strings |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Strings |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4E5060, Relevance: 6.3, APIs: 4, Instructions: 282, Tags: COMMON
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4E4060, Relevance: 6.2, APIs: 4, Instructions: 176, Tags: COMMON
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4F2059, Relevance: 6.1, APIs: 4, Instructions: 103, Tags: COMMON
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4EABE7, Relevance: 6.0, APIs: 4, Instructions: 49, Tags: COMMON
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4ECE27, Relevance: 6.0, APIs: 4, Instructions: 31, Tags: COMMON
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 6E4B4B20, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76, Tags: file, window, COMMON
C-Code - Quality: 100% |
APIs |
Strings |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Strings |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Strings |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Strings |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Executed Functions |
---|
Function 008215D0, Relevance: 3.2, APIs: 2, Instructions: 182, Tags: file, COMMON
C-Code - Quality: 94% |
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 0080E070, Relevance: 1.6, APIs: 1, Instructions: 103, Tags: COMMON
C-Code - Quality: 28% |
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 97% |
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 00810ED0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184, Tags: network, COMMON
C-Code - Quality: 82% |
APIs |
Strings |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 46% |
APIs |
Strings |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 80% |
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 008105D0, Relevance: 4.6, APIs: 3, Instructions: 115, Tags: COMMON
C-Code - Quality: 67% |
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 89% |
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 008175B0, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 657, Tags: thread, COMMON
C-Code - Quality: 95% |
APIs |
Strings |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 0081F5C0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 190, Tags: library, COMMON
C-Code - Quality: 77% |
APIs |
Strings |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
APIs |
Strings |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 46% |
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 86% |
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 79% |
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 00820E00, Relevance: 3.1, APIs: 2, Instructions: 81, Tags: file, COMMON
C-Code - Quality: 88% |
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 0080EE40, Relevance: 3.1, APIs: 2, Instructions: 79, Tags: file, COMMON
C-Code - Quality: 75% |
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 0080FBA0, Relevance: 3.1, APIs: 2, Instructions: 72, Tags: COMMON
C-Code - Quality: 87% |
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 0081CD10, Relevance: 3.1, APIs: 2, Instructions: 65, Tags: COMMON
C-Code - Quality: 87% |
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 84% |
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 86% |
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 00821580, Relevance: 3.0, APIs: 2, Instructions: 28, Tags: COMMON
C-Code - Quality: 100% |
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 008010E0, Relevance: 1.6, APIs: 1, Instructions: 121, Tags: COMMON
C-Code - Quality: 51% |
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 0080DBE0, Relevance: 1.6, APIs: 1, Instructions: 61, Tags: COMMON
C-Code - Quality: 82% |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 00816F40, Relevance: 1.6, APIs: 1, Instructions: 56, Tags: thread, COMMON
C-Code - Quality: 54% |
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 54% |
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 0081D3B0, Relevance: 1.5, APIs: 1, Instructions: 47, Tags: memory, COMMON
C-Code - Quality: 45% |
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 0081D310, Relevance: 1.5, APIs: 1, Instructions: 32, Tags: memory, COMMON
C-Code - Quality: 100% |
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 58% |
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 008046C0, Relevance: 1.5, APIs: 1, Instructions: 20, Tags: memory, COMMON
C-Code - Quality: 100% |
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 00814650, Relevance: 1.3, APIs: 1, Instructions: 46, Tags: sleep, COMMON
C-Code - Quality: 79% |
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
---|
Function 0081F870, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 250, Tags: library, loader, COMMON
C-Code - Quality: 87% |
APIs |
Strings |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |
Function 0081FC90, Relevance: 6.0, APIs: 4, Instructions: 27, Tags: COMMON
C-Code - Quality: 100% |
APIs |
Memory Dump Source |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |