Analysis Report payment.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Startup |
---|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security | |
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
AV Detection: |
---|
Multi AV Scanner detection for submitted file |
Source: | Virustotal: |
Source: | ReversingLabs: |
Compliance: |
---|
Uses 32bit PE files |
Source: | Static PE information: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: |
System Summary: |
---|
Executable has a suspicious name (potential lure to open the executable) |
Source: | Static file information: |
Initial sample is a PE file and has a suspicious name |
Source: | Static PE information: |
Source: | Process Stats: |
Source: | Code function: | 15_2_0056E697 | |
Source: | Code function: | 15_2_0056EC97 |
Source: | Code function: | 0_2_00411464 | |
Source: | Code function: | 0_2_00410C71 | |
Source: | Code function: | 0_2_00411817 | |
Source: | Code function: | 0_2_00411016 | |
Source: | Code function: | 0_2_004114E6 | |
Source: | Code function: | 0_2_00410CF8 | |
Source: | Code function: | 0_2_0041108A | |
Source: | Code function: | 0_2_004110AC | |
Source: | Code function: | 0_2_0041156A | |
Source: | Code function: | 0_2_0040411C | |
Source: | Code function: | 0_2_0041191C | |
Source: | Code function: | 0_2_00411133 | |
Source: | Code function: | 0_2_004115F5 | |
Source: | Code function: | 0_2_0041199B | |
Source: | Code function: | 0_2_00410E05 | |
Source: | Code function: | 0_2_00411237 | |
Source: | Code function: | 0_2_004112D0 | |
Source: | Code function: | 0_2_00410E88 | |
Source: | Code function: | 0_2_0041134F | |
Source: | Code function: | 0_2_00410B5E | |
Source: | Code function: | 0_2_00410F06 | |
Source: | Code function: | 0_2_0041170E | |
Source: | Code function: | 0_2_004113D2 | |
Source: | Code function: | 0_2_00410BF4 | |
Source: | Code function: | 0_2_00410F8F | |
Source: | Code function: | 0_2_00411796 | |
Source: | Code function: | 15_2_0056D7F2 | |
Source: | Code function: | 15_2_1CF247B2 | |
Source: | Code function: | 15_2_1CF2D6D0 | |
Source: | Code function: | 15_2_1CF24827 |
Source: | Static PE information: |
Source: | Binary or memory string: |
Source: | Section loaded: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Mutant created: |
Source: | File created: |
Source: | Static PE information: |
Source: | Section loaded: |
Source: | WMI Queries: |
Source: | Key opened: |
Source: | File read: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Process created: |
Source: | Key value queried: |
Source: | Window detected: |
Data Obfuscation: |
---|
Yara detected GuLoader |
Source: | File source: |
Source: | Code function: | 15_2_00567057 | |
Source: | Code function: | 15_2_0056B057 | |
Source: | Code function: | 15_2_00567063 | |
Source: | Code function: | 15_2_0056B063 | |
Source: | Code function: | 15_2_0056805F | |
Source: | Code function: | 15_2_0056505F | |
Source: | Code function: | 15_2_0056605F | |
Source: | Code function: | 15_2_0056B04B | |
Source: | Code function: | 15_2_00566047 | |
Source: | Code function: | 15_2_0056A047 | |
Source: | Code function: | 15_2_00568053 | |
Source: | Code function: | 15_2_00565053 | |
Source: | Code function: | 15_2_00566053 | |
Source: | Code function: | 15_2_0056A053 | |
Source: | Code function: | 15_2_0056704B | |
Source: | Code function: | 15_2_0056707B | |
Source: | Code function: | 15_2_0056B07B | |
Source: | Code function: | 15_2_00568077 | |
Source: | Code function: | 15_2_00565077 | |
Source: | Code function: | 15_2_00566077 | |
Source: | Code function: | 15_2_00568083 | |
Source: | Code function: | 15_2_00566083 | |
Source: | Code function: | 15_2_00565083 | |
Source: | Code function: | 15_2_0056A07F | |
Source: | Code function: | 15_2_0056A067 | |
Source: | Code function: | 15_2_0056806B | |
Source: | Code function: | 15_2_0056506B | |
Source: | Code function: | 15_2_0056606B | |
Source: | Code function: | 15_2_0056A073 | |
Source: | Code function: | 15_2_0056706F | |
Source: | Code function: | 15_2_0056A017 |
Source: | Static PE information: |
Source: | Process information set: |
Malware Analysis System Evasion: |
---|
Detected RDTSC dummy instruction sequence (likely for instruction hammering) |
Source: | RDTSC instruction interceptor: |
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) |
Source: | WMI Queries: |
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) |
Source: | WMI Queries: |
Tries to detect Any.run |
Source: | File opened: |
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) |
Source: | Binary or memory string: |
Tries to detect virtualization through RDTSC time measurements |
Source: | RDTSC instruction interceptor: |
Source: | Code function: | 15_2_0056EC97 |
Source: | Thread delayed: |
Source: | Window / User API: |
Source: | Thread sleep time: |
Source: | WMI Queries: |
Source: | Last function: |
Source: | Binary or memory string: |
Source: | Process information queried: |
Anti Debugging: |
---|
Hides threads from debuggers |
Source: | Thread information set: |
Source: | Process queried: |
Source: | Code function: | 15_2_0056EC97 |
Source: | Code function: | 15_2_005664EC |
Source: | Code function: | 15_2_00566534 |
Source: | Code function: | 15_2_0056DC0F |
Source: | Code function: | 15_2_0056AC3D |
Source: | Code function: | 15_2_0056BF85 |
Source: | Process token adjusted: |
Source: | Memory allocated: |
HIPS / PFW / Operating System Protection Evasion: |
---|
Writes to foreign memory regions |
Source: | Memory written: |
Source: | Process created: |
Source: | Binary or memory string: |
Source: | Code function: | 15_2_00565184 |
Source: | Queries volume information: |
Source: | Key value queried: |
Stealing of Sensitive Information: |
---|
Yara detected AgentTesla |
Source: | File source: |
Remote Access Functionality: |
---|
Yara detected AgentTesla |
Source: | File source: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation211 | DLL Side-Loading1 | Process Injection112 | Virtualization/Sandbox Evasion34 | OS Credential Dumping | Security Software Discovery631 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading1 | Disable or Modify Tools1 | LSASS Memory | Virtualization/Sandbox Evasion34 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection112 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information2 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing1 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | DLL Side-Loading1 | Cached Domain Credentials | System Information Discovery323 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 57% | Virustotal | | |
| 46% | ReversingLabs | Win32.Backdoor.Remcos | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | Avira URL Cloud | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | Avira URL Cloud | safe | |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
onedrive.live.com | unknown | unknown | false | | high |
c3ixha.bl.files.1drv.com | unknown | unknown | false | | high |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | low |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
Contacted IPs |
---|
No contacted IP infos |
---|
General Information |
---|
Joe Sandbox Version: | 31.0.0 Emerald |
Analysis ID: | 357249 |
Start date: | 24.02.2021 |
Start time: | 10:43:28 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 6m 49s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | payment.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 24 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@4/0@2/0 |
EGA Information: | Failed |
HDC Information: | |
HCA Information: | |
Cookbook Comments: | |
Warnings: | |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
10:44:19 | API Interceptor | |
10:46:00 | API Interceptor |
Joe Sandbox View / Context |
---|
Created / dropped Files |
---|
No created / dropped files found |
---|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 6.584972265863127 |
TrID: | |
File name: | payment.exe |
File size: | 225280 |
MD5: | 0780e01f6ac683c0529fb1d40aaca8b4 |
SHA1: | d2c1ef0cab63992d4bea95fdf7838047997c46a7 |
SHA256: | 0fc71d13ed4108b3afb81d9347063f9ef6ed9c3528a9c6e67a892c8a8db5fada |
SHA512: | d7c0ede50d907e9374d3dc6ccaf18dedb1984b0d54a8bd50ba9fac9405c9f4acb7994e182b7a9e49d7d9c95f1135015e1d5cb61d8838536cc7edbfa12724bd8d |
SSDEEP: | 1536:ai24BsvhHpVmqBu755CxBa/t3UWoF6Jp6GeSlm3WdtHV1BsjlwoEffyW053iYk:SxZTGb9F3UWoFWpNgZUfh |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.......................D.......=.......Rich............PE..L...M..H.................0...@......0........@....@................ |
File Icon |
---|
Icon Hash: | 0634b8d4c8c4c0ce |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x401630 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
DLL Characteristics: | |
Time Stamp: | 0x48A5FC4D [Fri Aug 15 21:59:41 2008 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | c495ca9196b04f3a1871ecbfcbd50911 |
Entrypoint Preview |
---|
Instruction |
---|
push 00402BD8h |
call 00007FF4A8EA6DC5h |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
xor byte ptr [eax], al |
add byte ptr [eax], al |
inc eax |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [ecx], dl |
pop edx |
out dx, eax |
or eax, 4E4BFD93h |
xchg eax, edx |
or dh, ah |
das |
push ebx |
clc |
jnc 00007FF4A8EA6DD2h |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [ecx], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax+72h], dl |
outsd |
push 00000065h |
arpl word ptr [ecx+esi+00h], si |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add bh, bh |
int3 |
xor dword ptr [eax], eax |
sub byte ptr [edx], ch |
call far 42B0h : F9A52BC6h |
mov edi, DA7EB6B7h |
lds eax, fword ptr [edx+edi*2+3Fh] |
dec edi |
faddp st(6), st(0) |
aaa |
leave |
cdq |
inc esp |
mov bh, byte ptr [ecx] |
xor ebp, ebp |
xchg dword ptr [eax], edi |
adc byte ptr [eax+3Ah], bl |
dec edi |
lodsd |
xor ebx, dword ptr [ecx-48EE309Ah] |
or al, 00h |
stosb |
add byte ptr [eax-2Dh], ah |
xchg eax, ebx |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
mov esp, B4000014h |
push cs |
add byte ptr [eax], al |
add byte ptr [ebx], dl |
add byte ptr [ecx+eax*2+54h], al |
inc ecx |
push esp |
push edx |
inc ecx |
dec esi |
push ebx |
dec ebp |
dec ecx |
push ebx |
push ebx |
dec ecx |
dec edi |
dec esi |
inc ebp |
push edx |
push ebx |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x33364 | 0x28 | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x36000 | 0x1252 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x124 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x32870 | 0x33000 | False | 0.263604856005 | data | 6.80293275288 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.data | 0x34000 | 0x1280 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x36000 | 0x1252 | 0x2000 | False | 0.168090820312 | data | 2.29185489566 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x369aa | 0x8a8 | data | ||
RT_ICON | 0x36442 | 0x568 | GLS_BINARY_LSB_FIRST | ||
RT_GROUP_ICON | 0x36420 | 0x22 | data | ||
RT_VERSION | 0x36120 | 0x300 | data | Chinese | Taiwan |
Imports |
---|
DLL | Import |
---|---|
MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaHresultCheck, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaLateMemSt, __vbaObjSet, __vbaCyAdd, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaCyI2, __vbaStrCmp, __vbaVarTstEq, __vbaObjVar, __vbaI2I4, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaFpCmpCy, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaI2Var, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaLateMemCall, __vbaVarDup, __vbaLateMemCallLd, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr |
Version Infos |
---|
Description | Data |
---|---|
Translation | 0x0404 0x04b0 |
LegalCopyright | Coldest |
InternalName | Ancistrocladaceous5 |
FileVersion | 1.00 |
CompanyName | SummerDream Company |
LegalTrademarks | Coldest |
Comments | SummerDream Company |
ProductName | Project1 |
ProductVersion | 1.00 |
OriginalFilename | Ancistrocladaceous5.exe |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Chinese | Taiwan |
Network Behavior |
---|
Network Port Distribution |
---|
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 24, 2021 10:44:10.911381006 CET | 55074 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:44:10.960200071 CET | 53 | 55074 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:44:11.780896902 CET | 54513 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:44:11.834822893 CET | 53 | 54513 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:44:12.757447004 CET | 62044 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:44:12.806353092 CET | 53 | 62044 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:44:13.411082983 CET | 63791 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:44:13.477824926 CET | 53 | 63791 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:44:13.569865942 CET | 64267 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:44:13.618797064 CET | 53 | 64267 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:44:14.516139984 CET | 49448 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:44:14.568125010 CET | 53 | 49448 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:44:15.470302105 CET | 60342 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:44:15.522371054 CET | 53 | 60342 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:44:16.690913916 CET | 61346 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:44:16.740000963 CET | 53 | 61346 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:44:18.376986980 CET | 51774 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:44:18.428474903 CET | 53 | 51774 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:44:19.211590052 CET | 56023 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:44:19.264411926 CET | 53 | 56023 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:44:20.427401066 CET | 58384 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:44:20.480751991 CET | 53 | 58384 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:44:23.716433048 CET | 60261 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:44:23.768256903 CET | 53 | 60261 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:44:25.128577948 CET | 56061 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:44:25.177556038 CET | 53 | 56061 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:44:29.631326914 CET | 58336 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:44:29.683278084 CET | 53 | 58336 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:44:31.132128954 CET | 53781 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:44:31.183218002 CET | 53 | 53781 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:44:32.073699951 CET | 54064 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:44:32.127625942 CET | 53 | 54064 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:44:32.960329056 CET | 52811 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:44:33.009255886 CET | 53 | 52811 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:44:37.799596071 CET | 55299 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:44:37.851288080 CET | 53 | 55299 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:44:38.644771099 CET | 63745 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:44:38.693814993 CET | 53 | 63745 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:44:44.368793964 CET | 50055 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:44:44.420629025 CET | 53 | 50055 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:44:49.696610928 CET | 61374 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:44:49.748292923 CET | 53 | 61374 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:45:05.888565063 CET | 50339 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:45:05.954570055 CET | 53 | 50339 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:45:07.742175102 CET | 63307 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:45:07.792047024 CET | 53 | 63307 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:45:22.955830097 CET | 49694 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:45:23.017445087 CET | 53 | 49694 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:45:29.490305901 CET | 54982 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:45:29.541260958 CET | 53 | 54982 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:45:30.131491899 CET | 50010 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:45:30.181240082 CET | 53 | 50010 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:45:30.849584103 CET | 63718 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:45:30.950206041 CET | 53 | 63718 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:45:31.368204117 CET | 62116 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:45:31.433454990 CET | 53 | 62116 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:45:31.986391068 CET | 63816 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:45:32.055495024 CET | 53 | 63816 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:45:32.674719095 CET | 55014 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:45:32.732131958 CET | 53 | 55014 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:45:33.386050940 CET | 62208 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:45:33.443485022 CET | 53 | 62208 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:45:34.287131071 CET | 57574 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:45:34.347367048 CET | 53 | 57574 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:45:35.530936956 CET | 51818 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:45:35.588417053 CET | 53 | 51818 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:45:36.095642090 CET | 56628 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:45:36.156138897 CET | 53 | 56628 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:45:36.366750956 CET | 60778 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:45:36.416053057 CET | 53 | 60778 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:45:49.429064035 CET | 53799 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:45:49.478157043 CET | 53 | 53799 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:45:50.202363014 CET | 54683 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:45:50.230230093 CET | 59329 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:45:50.281210899 CET | 53 | 54683 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:45:50.289444923 CET | 53 | 59329 | 8.8.8.8 | 192.168.2.6 |
Feb 24, 2021 10:46:11.232192039 CET | 64021 | 53 | 192.168.2.6 | 8.8.8.8 |
Feb 24, 2021 10:46:11.283066988 CET | 53 | 64021 | 8.8.8.8 | 192.168.2.6 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Feb 24, 2021 10:45:49.429064035 CET | 192.168.2.6 | 8.8.8.8 | 0xd2a9 | Standard query (0) | A (IP address) | IN (0x0001) | |
Feb 24, 2021 10:45:50.202363014 CET | 192.168.2.6 | 8.8.8.8 | 0x8cbf | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Feb 24, 2021 10:45:49.478157043 CET | 8.8.8.8 | 192.168.2.6 | 0xd2a9 | No error (0) | odc-web-geo.onedrive.akadns.net | CNAME (Canonical name) | IN (0x0001) | ||
Feb 24, 2021 10:45:50.281210899 CET | 8.8.8.8 | 192.168.2.6 | 0x8cbf | No error (0) | bl-files.fe.1drv.com | CNAME (Canonical name) | IN (0x0001) | ||
Feb 24, 2021 10:45:50.281210899 CET | 8.8.8.8 | 192.168.2.6 | 0x8cbf | No error (0) | odc-bl-files-geo.onedrive.akadns.net | CNAME (Canonical name) | IN (0x0001) |
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 10:44:18 |
Start date: | 24/02/2021 |
Path: | C:\Users\user\Desktop\payment.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 225280 bytes |
MD5 hash: | 0780E01F6AC683C0529FB1D40AACA8B4 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | Visual Basic |
Reputation: | low |
General |
---|
Start time: | 10:45:35 |
Start date: | 24/02/2021 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x10000 |
File size: | 64616 bytes |
MD5 hash: | 6FD7592411112729BF6B1F2F6C34899F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: | |
Reputation: | high |
General |
---|
Start time: | 10:45:36 |
Start date: | 24/02/2021 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff61de10000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|
Executed Functions |
---|
Function | Relevance | APIs | Strings | Instructions | Tags | C-Code Quality | Uniqueness Score |
---|---|---|---|---|---|---|---|
00410BF4 | 7.5 | 1 | 2 | 3027 | memory, COMMON | | -1.00% |
00410C71 | 7.5 | 1 | 2 | 3018 | memory, COMMON | | -1.00% |
00410B5E | 7.5 | 1 | 2 | 2985 | memory, COMMON | | -1.00% |
00410CF8 | 7.4 | 1 | 2 | 2939 | memory, COMMON | | -1.00% |
004110AC | 7.4 | 1 | 2 | 2937 | memory, COMMON | | -1.00% |
00410E88 | 7.4 | 1 | 2 | 2928 | memory, COMMON | | -1.00% |
00410F06 | 7.4 | 1 | 2 | 2922 | memory, COMMON | | -1.00% |
00410F8F | 7.4 | 1 | 2 | 2910 | memory, COMMON | | -1.00% |
00410E05 | 7.4 | 1 | 2 | 2900 | memory, COMMON | | -1.00% |
00411237 | 7.4 | 1 | 2 | 2864 | memory, COMMON | | -1.00% |
0041156A | 7.4 | 1 | 2 | 2856 | memory, COMMON | | -1.00% |
00411016 | 7.4 | 1 | 2 | 2853 | memory, COMMON | | -1.00% |
004115F5 | 7.4 | 1 | 2 | 2851 | memory, COMMON | | -1.00% |
0041108A | 7.3 | 1 | 2 | 2846 | memory, COMMON | | -1.00% |
00411133 | 7.3 | 1 | 2 | 2845 | memory, COMMON | | -1.00% |
0041134F | 7.3 | 1 | 2 | 2838 | memory, COMMON | | -1.00% |
004113D2 | 7.3 | 1 | 2 | 2829 | memory, COMMON | | -1.00% |
0041199B | 7.3 | 1 | 2 | 2829 | memory, COMMON | | -1.00% |
| | | | | | | -1.00% |
0041170E | 7.3 | 1 | 2 | 2819 | memory, COMMON | | -1.00% |
00411464 | 7.3 | 1 | 2 | 2816 | memory, COMMON | | -1.00% |
004114E6 | 7.3 | 1 | 2 | 2810 | memory, COMMON | | -1.00% |
00411796 | 7.3 | 1 | 2 | 2805 | memory, COMMON | | -1.00% |
00411817 | 7.3 | 1 | 2 | 2796 | memory, COMMON | | -1.00% |
0041191C | 7.3 | 1 | 2 | 2777 | memory, COMMON | | -1.00% |
| | | | | | 45% | -1.00% |
| | | | | | | -1.00% |
Non-executed Functions |
---|
Function | Relevance | APIs | Strings | Instructions | Tags | C-Code Quality | Uniqueness Score |
---|---|---|---|---|---|---|---|
0040411C | 3.8 | | 1 | 2502 | COMMON | | -1.00% |
| | | | | | 53% | -1.00% |
| | | | | | | -1.00% |
004319B0 | 27.1 | 18 | | 144 | COMMON | 57% | -1.00% |
004325F3 | 21.1 | 14 | | 126 | COMMON | 51% | -1.00% |
| | | | | | 73% | -1.00% |
00432896 | 19.6 | 13 | | 149 | COMMON | 52% | -1.00% |
| | | | | | 54% | -1.00% |
004300EA | 18.1 | 12 | | 124 | COMMON | 53% | -1.00% |
004302C6 | 18.1 | 12 | | 123 | COMMON | 54% | -1.00% |
| | | | | | 62% | -1.00% |
00431BCF | 15.1 | 10 | | 118 | COMMON | 53% | -1.00% |
00431D8F | 15.1 | 10 | | 118 | COMMON | 53% | -1.00% |
004306A0 | 15.1 | 10 | | 114 | COMMON | 47% | -1.00% |
0043221C | 15.1 | 10 | | 103 | COMMON | 53% | -1.00% |
0043239C | 15.1 | 10 | | 82 | COMMON | 63% | -1.00% |
| | | | | | 59% | -1.00% |
| | | | | | 51% | -1.00% |
| | | | | | 49% | -1.00% |
00430841 | 12.1 | 8 | | 98 | COMMON | 51% | -1.00% |
004324D5 | 12.1 | 8 | | 78 | COMMON | 54% | -1.00% |
00432AD9 | 12.1 | 8 | | 73 | COMMON | 51% | -1.00% |
00432028 | 10.6 | 7 | | 67 | COMMON | 65% | -1.00% |
00430B45 | 10.6 | 7 | | 62 | COMMON | 57% | -1.00% |
0042FECC | 10.6 | 7 | | 62 | COMMON | 57% | -1.00% |
004305BB | 10.6 | 7 | | 58 | COMMON | 57% | -1.00% |
| | | | | | 55% | -1.00% |
004327EB | 10.5 | 7 | | 40 | COMMON | 80% | -1.00% |
00432BE3 | 9.1 | 6 | | 72 | COMMON | 59% | -1.00% |
004313FE | 9.1 | 6 | | 68 | COMMON | 49% | -1.00% |
004315D8 | 7.6 | 5 | | 62 | COMMON | 63% | -1.00% |
004317BA | 7.6 | 5 | | 62 | COMMON | 63% | -1.00% |
00432E53 | 7.6 | 5 | | 61 | COMMON | 66% | -1.00% |
0043213B | 7.6 | 5 | | 58 | COMMON | 51% | -1.00% |
004316D8 | 7.6 | 5 | | 57 | COMMON | 54% | -1.00% |
00431F57 | 7.6 | 5 | | 53 | COMMON | 50% | -1.00% |
00430ABF | 6.0 | 4 | | 29 | COMMON | | -1.00% |
Executed Functions |
---|
Function | Relevance | APIs | Strings | Instructions | Tags | C-Code Quality | Uniqueness Score |
---|---|---|---|---|---|---|---|
1CF251E6 | 1.6 | 1 | | 118 | COMMON | | -1.00% |
1CF23CDC | 1.6 | 1 | | 116 | COMMON | | -1.00% |
1CF269C4 | 1.6 | 1 | | 97 | COMMON | | -1.00% |
1CF26DD2 | 1.6 | 1 | | 66 | COMMON | | -1.00% |
1CF26778 | 1.6 | 1 | | 65 | COMMON | | -1.00% |
1CF2BE59 | 1.6 | 1 | | 59 | COMMON | | -1.00% |
1CF2BE68 | 1.6 | 1 | | 54 | COMMON | | -1.00% |
1CE3D450 | 0.1 | | | 75 | COMMON | | -1.00% |
1CE3D53C | 0.1 | | | 75 | COMMON | | -1.00% |
1CE3D44B | 0.1 | | | 56 | COMMON | | -1.00% |
1CE3D537 | 0.1 | | | 56 | COMMON | | -1.00% |
Non-executed Functions |
---|