Analysis Report 8OKQ6ogGRx.dll
Overview
General Information
Detection
Score: 64 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Startup

Malware Configuration
Threatname: Ursnif
{"RSA Public Key": "KfAh1HjBYV5+GLf1H4+++WQcflLYE80sojTEX/uvXaLXhDxSfFOCIe7aHw1TYNxXIBvEkznlAveWMvLVTSjkgy/Hqpm47GUbXiPUxbpl0qoDhGQpz45mxRQlc+jgXQ4D03Y0gMF90NeOpBOEi497zfDlURi8Me7OHCSUNpn4Q0kQtrInhQlll9V6IFuYjZJB", "c2_domain": ["outlook.com/login", "gmail.com", "dorelunonu.us", "morelunonu.us"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Yara Overview

Memory Dumps
Rule | Description | Author
---|---|---
JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security

The rule matched in two memory dumps.

Sigma Overview
No Sigma rule has matched

Signature Overview
AV Detection
Found malware configuration
  Source: Malware Configuration Extractor
Additional evidence in this category:
  Static PE information (2 entries)
  Binary string
  Code function 0_2_00BB896F
  DNS traffic detected
Key, Mouse, Clipboard, Microphone and Screen Capturing
Yara detected Ursnif
  Source: File source (2 entries)

E-Banking Fraud
Yara detected Ursnif
  Source: File source (2 entries)
System Summary
Writes or reads registry keys via WMI
  Source: WMI Queries (4 entries)
Writes registry values via WMI
  Source: WMI Registry write (3 entries)
Additional evidence in this category (one line per signature):
  Code functions: 0_2_6E0C101B, 0_2_6E0C145E, 0_2_6E0C23A5, 0_2_00BB1724, 0_2_00BBB301
  Code functions: 0_2_6E0C2184, 0_2_00BB62D8, 0_2_00BBB0DC, 0_2_00BB8045, 0_2_6E10AF51, 0_2_6E106700, 0_2_6E129DAE, 0_2_6E123A47, 0_2_6E127AB1, 0_2_6E114B3B, 0_2_6E12035D, 0_2_6E1228C3, 0_2_6E10C100, 3_2_6E10AF51, 3_2_6E106700, 3_2_6E129DAE, 3_2_6E123A47, 3_2_6E127AB1, 3_2_6E114B3B, 3_2_6E12035D, 3_2_6E1228C3, 3_2_6E10C100
  Code function (2 entries)
  Binary or memory string
  Static PE information (2 entries)
  Classification label
  Code function 0_2_00BB24C7
  File created (2 entries)
  Static PE information
  File read
  Key opened
  Process created (13 entries)
  Key value queried
  Automated click (2 entries)
  Window detected
  Static PE information (6 entries)
  Static PE information
  Static PE information
  Binary string
  Static PE information (5 entries)
  Code function 0_2_6E0C160D
  Static PE information
  Code functions: 0_2_6E0C2129, 0_2_6E0C2183, 0_2_00BBB0DB, 0_2_00BBAD19, 0_2_6E10B328, 0_2_6E142220, 0_2_6E142BD1, 3_2_6E0D420F, 3_2_6E0D424E, 3_2_6E10B328, 3_2_6E0D43CE, 3_2_6E0D588C, 3_2_6E142220, 3_2_6E142BD1
Hooking and other Techniques for Hiding and Protection
Yara detected Ursnif
  Source: File source (2 entries)
Additional evidence in this category (one line per signature):
  Process information set (9 entries)
  Last function (2 entries)
  Code function 0_2_00BB896F
  Code function 0_2_6E10C6CB
  Code function 0_2_6E112CFE
  Code function 0_2_6E0C160D
  Code functions: 0_2_6E141302, 0_2_6E140E3F, 0_2_6E141238, 3_2_6E141302, 3_2_6E140E3F, 3_2_6E141238
  Code function 0_2_6E10B830
  Code functions: 0_2_6E111090, 0_2_6E1110C1, 3_2_6E111090, 3_2_6E1110C1
  Process created
  Binary or memory string (4 entries)
  Code function 0_2_00BB7EC1
  Code functions: 0_2_6E12770D, 0_2_6E1277BA, 0_2_6E1275E3, 0_2_6E111A40, 0_2_6E127292, 0_2_6E111AC6, 0_2_6E1272EE, 0_2_6E12736B, 0_2_6E1273EE, 0_2_6E12701E, 0_2_6E11185F, 0_2_6E10A8B9, 3_2_6E12770D, 3_2_6E1277BA, 3_2_6E1275E3, 3_2_6E111A40, 3_2_6E127292, 3_2_6E111AC6, 3_2_6E1272EE, 3_2_6E12736B, 3_2_6E1273EE, 3_2_6E12701E, 3_2_6E11185F, 3_2_6E10A8B9
  Code function 0_2_6E0C195D
  Code function 0_2_00BB7EC1
  Code function 0_2_6E10CFA3
  Code function 0_2_6E0C1800
Stealing of Sensitive Information
Yara detected Ursnif
  Source: File source (2 entries)

Remote Access Functionality
Yara detected Ursnif
  Source: File source (2 entries)
Mitre Att&ck Matrix
A digit appended to a technique name (for example Process Injection12) is the number of signatures that matched that technique; cells without a digit are the unmatched remainder of the matrix template.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
---|---|---|---|---|---|---|---|---|---|---|---|---|---
Valid Accounts | Windows Management Instrumentation2 | Path Interception | Process Injection12 | Masquerading1 | OS Credential Dumping | System Time Discovery2 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection12 | LSASS Memory | Security Software Discovery3 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information2 | NTDS | Account Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Rundll321 | LSA Secrets | System Owner/User Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing1 | Cached Domain Credentials | File and Directory Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery23 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample: no antivirus matches
Dropped Files: no antivirus matches
Unpacked PE Files:
Detection | Scanner | Label
---|---|---
100% | Avira | HEUR/AGEN.1108168
Domains: no antivirus matches
URLs: no antivirus matches
Domains and IPs

Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
---|---|---|---|---|---
outlook.com | 40.97.161.50 | true | false | | high
HHN-efz.ms-acdc.office.com | 40.101.138.2 | true | false | | high
FRA-efz.ms-acdc.office.com | 40.101.81.162 | true | false | | high
www.outlook.com | unknown | unknown | false | | high
outlook.office365.com | unknown | unknown | false | | high

Contacted IPs
No contacted IP infos
General Information
Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 404147
Start date: 04.05.2021
Start time: 18:50:36
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 14s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 8OKQ6ogGRx.dll
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal64.troj.winDLL@12/4@3/0
EGA Information: Failed
Simulations
Behavior and APIs: no simulations

Joe Sandbox View / Context
IPs: no context
Domains
Match | Other samples in the Joe Sandbox corpus that contacted this domain | Detection of those samples
---|---|---
outlook.com | 12 | malicious
FRA-efz.ms-acdc.office.com | 20 | malicious
HHN-efz.ms-acdc.office.com | 2 | malicious
ASN: no context
JA3 Fingerprints: no context
Dropped Files: no context
Created / dropped Files

Process: C:\Program Files\internet explorer\iexplore.exe
Category: dropped
Size (bytes): 21592
Entropy (8bit): 1.7594977787918844
Encrypted: false
SSDEEP: 48:IwiGcprjGwpL0qUG/ap80qGBZGIpc0qG4fGeGvnZpv0qG4fGvw3Go3qp90qG4fGm:rWZ9Za2wLWk7tkNfk4FMktH
MD5: 586DB94373650BC9E3A11F8D83A43119
SHA1: 44830C9A42A7059540F75902D8ACCCD0C2CCC110
SHA-256: CBB34950E8F8B039E5E8A0C56C9F0409E3D51D1418EC7B6FA664F6B7598BBF15
SHA-512: CB3756652C002D04099293D445F789B3E7466756473E5BF50A9EBE635BA65E76D6C36F1C54351A0C11CF2CD9772A70F4F4F67F498FCAD27312D4E7250CF7AE3C
Malicious: false
Reputation: low

Process: C:\Program Files\internet explorer\iexplore.exe
Category: dropped
Size (bytes): 16984
Entropy (8bit): 1.573944233836972
Encrypted: false
SSDEEP: 48:IwMGcprRGwpapG4pQtGrapbShZGQpB2GHHpcIaTGUpG:rQZLQr6NBShzj12IqA
MD5: 3ECFC996F83DCA4AA885FF3F72B684AD
SHA1: 4D5F1BC278921B850632B9F131CEACF9F6528BAE
SHA-256: 94138719C28C299D93F3175DAC56C4A5A1097852F4410206DBDC1364FEA3C108
SHA-512: 47F4F94D461247526ECBF9999F81775CDAC82CE5FA41018ADBDCA8D2D13FF149FCB62E8BA274761AA1EB0FEFDD4CDCABE7E9A631AC00CE72BA31AD0667F360E8
Malicious: false
Reputation: low

Process: C:\Program Files\internet explorer\iexplore.exe
Category: dropped
Size (bytes): 12917
Entropy (8bit): 0.39862566692758644
Encrypted: false
SSDEEP: 24:c9lLh9lLh9lIn9lIn9lo0qDF9lo0qJ9lW0qGcGvwywcGtRwi:kBqoI0qS0qM0qGcGvwywcGtRwi
MD5: 5AC667C80F587E96B1FA80C48BB205AC
SHA1: 8AE06DAFAC5BD829EBDF2585C6BE72B11645F7EC
SHA-256: 4603ADFFB302AFD33E6755000AF43E78307809BE6060D50346B41AFFB2655282
SHA-512: DA5BB434493D5023D766CCAD26D075683F287310E2FD53E2C51EDB7B0119B4DA534223D047822E72DF4F31C5838630386575432052267BB45C2FA524E63E2951
Malicious: false
Reputation: low

Process: C:\Program Files\internet explorer\iexplore.exe
Category: dropped
Size (bytes): 25657
Entropy (8bit): 0.31341444137710367
Encrypted: false
SSDEEP: 24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lwT9lwT9l2a:kBqoxKAuvScS+sKa
MD5: B141DA2A351E435F1D185F48AC4E0FF6
SHA1: A257DD1A9B4D1AB44020E74757AC5C9C69575588
SHA-256: 1D1C565FF314222220A0BDEADB603FCDE1A742DEA5A4210871A6C6E0AAE37C4A
SHA-512: 49E24F4266573BEC3E25D738F23A9D169F14FBA3FBC7F4C6F80A9657BBA4B5882A4477734AD04A45FE4EA57F11F1542657F1184D97AD1FD03BA659287AF18D5A
Malicious: false
Reputation: low
Static File Info

General
Entropy (8bit): 6.549322455653532
File name: 8OKQ6ogGRx.dll
File size: 523264
MD5: e8eae1a820426a722c7cae54ed5bacd8
SHA1: 4d8368f112e0c56e7caccb89724bfdad1999e706
SHA256: eb498648d17ad5250ab1f38b190dd2da8bfa8db3ee86054db991db79d15ad5cc
SHA512: b75df93529215c6003ddb86bc76a52144b29aec918a40a9dadec7446f67cc2626b67fa1738ed148e81a1c706dded69f609e1cd592cf13034ef9fd2cb21603032
SSDEEP: 12288:CdXaT8lLVrp6I7MsfHqWxSWlNTjGoLYTbgOJpXLH:CdXhp1YCMuFx/jGo0XL
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................^.G.......T......AN.......V.......i.......h.....^.B...............l.......U.......R.......W.....Rich...........

File Icon
Icon Hash: 74f0e4ecccdce0e4

Static PE Info

General
Entrypoint: 0x104a38a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x1000000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x6089CC25 [Wed Apr 28 20:57:09 2021 UTC]
TLS Callbacks: none
CLR (.Net) Version: none
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 61abfa6d76443dd7d018df0c9cf8b0a5
Entrypoint Preview
The first instructions match the MSVC DLL CRT entry stub: the cmp of [ebp+0Ch] against 01h tests fdwReason for DLL_PROCESS_ATTACH before the CRT initialisation call, and what follows is the CRT's DllMain dispatcher. The sample's own code is reached through the exported functions listed under Exports (Enterbeen, Multiply), not through this stub.

push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007FCE58D690B7h
call 00007FCE58D6F684h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007FCE58D690BCh
add esp, 0Ch
pop ebp
retn 000Ch
push 0000000Ch
push 0107B4A8h
call 00007FCE58D69FCCh
xor eax, eax
inc eax
mov esi, dword ptr [ebp+0Ch]
test esi, esi
jne 00007FCE58D690BEh
cmp dword ptr [0118E36Ch], esi
je 00007FCE58D6919Ah
and dword ptr [ebp-04h], 00000000h
cmp esi, 01h
je 00007FCE58D690B7h
cmp esi, 02h
jne 00007FCE58D690E7h
mov ecx, dword ptr [01075238h]
test ecx, ecx
je 00007FCE58D690BEh
push dword ptr [ebp+10h]
push esi
push dword ptr [ebp+08h]
call ecx
mov dword ptr [ebp-1Ch], eax
test eax, eax
je 00007FCE58D69167h
push dword ptr [ebp+10h]
push esi
push dword ptr [ebp+08h]
call 00007FCE58D68EC6h
mov dword ptr [ebp-1Ch], eax
test eax, eax
je 00007FCE58D69150h
mov ebx, dword ptr [ebp+10h]
push ebx
push esi
push dword ptr [ebp+08h]
call 00007FCE58D66926h
mov edi, eax
mov dword ptr [ebp-1Ch], edi
cmp esi, 01h
jne 00007FCE58D690DAh
test edi, edi
jne 00007FCE58D690D6h
push ebx
push eax
push dword ptr [ebp+08h]
call 00007FCE58D6690Eh
push ebx
push edi
push dword ptr [ebp+08h]
call 00007FCE58D68E8Ch
mov eax, dword ptr [01075238h]
test eax, eax
je 00007FCE58D690B9h
push ebx
push edi
push dword ptr [ebp+08h]
call eax
Data Directories
Name | Virtual Address | Virtual Size | Is in Section
---|---|---|---
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x7bbd0 | 0x58 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7bc28 | 0x64 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x191000 | 0x498 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x192000 | 0x2818 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6b200 | 0x38 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x7a980 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x6b000 | 0x1ac | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
---|---|---|---|---|---|---|---|---
.text | 0x1000 | 0x6988d | 0x69a00 | False | 0.70416512574 | data | 6.62139930186 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x6b000 | 0x115e0 | 0x11600 | False | 0.471967738309 | data | 5.23669501131 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x7d000 | 0x113300 | 0x1800 | False | 0.333984375 | data | 3.88700180982 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x191000 | 0x498 | 0x600 | False | 0.356119791667 | data | 2.99935790597 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x192000 | 0x2818 | 0x2a00 | False | 0.743117559524 | data | 6.59705049508 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
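Static triage over the numbers the report lists above (image base, entrypoint, DLL characteristics and the section table), added as an example and not part of the report: it checks that the entrypoint falls inside a section, flags writable sections whose in-memory size far exceeds their on-disk size, looks for writable-and-executable or high-entropy code sections, and reads the ASLR/DEP opt-in flags. The inflation ratio and the entropy cut-off are heuristics chosen here, not values the report defines.

```python
"""Static-layout triage from the report's Static PE Info section.

Added example, not part of the Joe Sandbox report. Image base, entrypoint,
DLL characteristics and SECTIONS are copied from the report; the thresholds
in inflated_sections() and high_entropy_code() are choices made here.
"""
from dataclasses import dataclass

IMAGE_BASE = 0x1000000
ENTRYPOINT_VA = 0x104a38a
DLL_CHARACTERISTICS = frozenset({"DYNAMIC_BASE", "NX_COMPAT"})

EXEC = "IMAGE_SCN_MEM_EXECUTE"
WRITE = "IMAGE_SCN_MEM_WRITE"
READ = "IMAGE_SCN_MEM_READ"
CODE = "IMAGE_SCN_CNT_CODE"
INIT = "IMAGE_SCN_CNT_INITIALIZED_DATA"
DISCARD = "IMAGE_SCN_MEM_DISCARDABLE"


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int  # RVA
    virtual_size: int
    raw_size: int
    entropy: float
    characteristics: frozenset

    def contains_rva(self, rva: int) -> bool:
        return self.virtual_address <= rva < self.virtual_address + self.virtual_size


# Section table as printed in the report (entropy rounded to two decimals).
SECTIONS = [
    Section(".text",  0x1000,   0x6988d,  0x69a00, 6.62, frozenset({EXEC, CODE, READ})),
    Section(".rdata", 0x6b000,  0x115e0,  0x11600, 5.24, frozenset({INIT, READ})),
    Section(".data",  0x7d000,  0x113300, 0x1800,  3.89, frozenset({INIT, WRITE, READ})),
    Section(".rsrc",  0x191000, 0x498,    0x600,   3.00, frozenset({INIT, READ})),
    Section(".reloc", 0x192000, 0x2818,   0x2a00,  6.60, frozenset({INIT, DISCARD, READ})),
]


def section_for_rva(rva: int, sections=SECTIONS):
    """Section whose virtual range covers rva, or None."""
    for s in sections:
        if s.contains_rva(rva):
            return s
    return None


def entrypoint_section(entry_va=ENTRYPOINT_VA, base=IMAGE_BASE, sections=SECTIONS):
    """Name of the section holding the entrypoint; None means it lies outside every section."""
    s = section_for_rva(entry_va - base, sections)
    return s.name if s else None


def inflated_sections(sections=SECTIONS, ratio: float = 8.0):
    """Writable sections whose virtual size is at least `ratio` times their raw size.

    Heuristic chosen here: a large zero-filled writable region is a convenient
    place for a loader to unpack a payload without calling VirtualAlloc.
    """
    return [s.name for s in sections
            if WRITE in s.characteristics and s.raw_size
            and s.virtual_size / s.raw_size >= ratio]


def writable_executable(sections=SECTIONS):
    """Sections mapped both writable and executable (self-modifying code tell)."""
    return [s.name for s in sections if {WRITE, EXEC} <= s.characteristics]


def high_entropy_code(sections=SECTIONS, threshold: float = 7.0):
    """Executable sections near the 8-bit entropy ceiling (compressed/encrypted code)."""
    return [s.name for s in sections if EXEC in s.characteristics and s.entropy >= threshold]


def mitigations(flags=DLL_CHARACTERISTICS):
    return {"aslr": "DYNAMIC_BASE" in flags, "dep": "NX_COMPAT" in flags}


def triage():
    return {
        "entrypoint_section": entrypoint_section(),
        "inflated": inflated_sections(),
        "rwx": writable_executable(),
        "high_entropy_code": high_entropy_code(),
        **mitigations(),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

On the report's numbers this yields entrypoint in .text, no RWX section, no code section above the entropy cut-off, ASLR and DEP both opted in, and one inflated section: .data is 0x113300 bytes in memory against 0x1800 on disk, a ratio above 180. A .text entropy of 6.62 is within the range of ordinary compiled code, so an entropy check alone would not have flagged this file; the oversized .data region is the stronger static indicator.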
Resources
Name | RVA | Size | Type | Language | Country
---|---|---|---|---|---
RT_VERSION | 0x1910a0 | 0x35c | data | English | United States |
RT_MANIFEST | 0x191400 | 0x91 | XML 1.0 document text | English | United States |
Imports
DLL | Import
---|---
KERNEL32.dll | FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetEnvironmentVariableA, SetStdHandle, SetFilePointerEx, WriteConsoleW, CloseHandle, GetFileAttributesW, GetWindowsDirectoryW, CreateProcessW, OpenMutexW, VirtualProtectEx, EncodePointer, DecodePointer, HeapAlloc, GetSystemTimeAsFileTime, RaiseException, RtlUnwind, GetCommandLineA, GetCurrentThreadId, IsProcessorFeaturePresent, GetLastError, HeapFree, ExitProcess, GetModuleHandleExW, GetProcAddress, AreFileApisANSI, MultiByteToWideChar, WideCharToMultiByte, HeapSize, GetStdHandle, WriteFile, GetModuleFileNameW, GetProcessHeap, IsDebuggerPresent, GetTimeZoneInformation, SetLastError, GetCurrentThread, GetFileType, DeleteCriticalSection, GetStartupInfoW, GetModuleFileNameA, QueryPerformanceCounter, GetCurrentProcessId, GetEnvironmentStringsW, FreeEnvironmentStringsW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, CreateEventW, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetTickCount, GetModuleHandleW, CreateSemaphoreW, SetConsoleCtrlHandler, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, EnterCriticalSection, LeaveCriticalSection, FatalAppExitA, FreeLibrary, LoadLibraryExW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, HeapReAlloc, OutputDebugStringW, GetStringTypeW, CreateFileW |
USER32.dll | GetPropW, CreateMenu, DeferWindowPos, BeginDeferWindowPos, UnregisterHotKey, TranslateMessage, RegisterWindowMessageW |
GDI32.dll | MoveToEx, SetTextColor, SetBkMode, SetBkColor, LineTo, IntersectClipRect, GetClipBox, GetCharWidthW, CreateBitmap |
COMCTL32.dll | ImageList_SetDragCursorImage, ImageList_Draw, PropertySheetW, CreatePropertySheetPageA |
Exports
Name | Ordinal | Address
---|---|---
Enterbeen | 1 | 0x1047ed0 |
Multiply | 2 | 0x1047fb0 |
Version Infos
Description | Data
---|---
LegalCopyright | Fingergeneral Corporation. All rights reserved |
InternalName | Probable |
FileVersion | 5.5.2.216 Sidedone |
CompanyName | Fingergeneral Corporation |
ProductName | Fingergeneral Wear twenty |
ProductVersion | 5.5.2.216 |
FileDescription | Fingergeneral Wear twenty |
OriginalFilename | turn.dll |
Translation | 0x0409 0x04b0 |
Possible Origin
Language of compilation system | Country where language is spoken
---|---
English | United States
Network Behavior

UDP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
---|---|---|---|---
May 4, 2021 18:51:18.333254099 CEST | 60985 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 18:51:18.338377953 CEST | 50200 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 18:51:18.378372908 CEST | 51281 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 18:51:18.387293100 CEST | 53 | 50200 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 18:51:18.408304930 CEST | 53 | 60985 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 18:51:18.426934004 CEST | 53 | 51281 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 18:51:19.130103111 CEST | 49199 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 18:51:19.178749084 CEST | 53 | 49199 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 18:51:20.001471043 CEST | 50620 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 18:51:20.050255060 CEST | 53 | 50620 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 18:51:21.065521002 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 18:51:21.117543936 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 18:51:21.394946098 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 18:51:21.456048012 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 18:51:21.984514952 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 18:51:22.033207893 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 18:51:23.754410982 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 18:51:23.811686039 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 18:51:24.549612045 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 18:51:24.601274967 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 18:51:25.503813982 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 18:51:25.552414894 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 18:52:03.254508972 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 18:52:03.313453913 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 18:52:15.317749023 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 18:52:15.390950918 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 18:52:20.053031921 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 18:52:20.103934050 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 18:52:38.655663013 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 18:52:38.708623886 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 18:52:56.289465904 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 18:52:56.348114014 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 18:53:27.666838884 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 18:53:27.721466064 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 18:53:28.937237978 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 18:53:28.986049891 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 18:53:29.070245028 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 18:53:29.073194027 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 18:53:29.124036074 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 18:53:29.148881912 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 18:53:29.954231024 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 18:53:30.011257887 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 18:53:30.180514097 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 18:53:30.229265928 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 18:53:30.661994934 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 18:53:30.711884975 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 18:53:32.214960098 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 18:53:32.274662971 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3 |
DNS Queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
---|---|---|---|---|---|---|---
May 4, 2021 18:53:28.937237978 CEST | 192.168.2.3 | 8.8.8.8 | 0x4990 | Standard query (0) | | A (IP address) | IN (0x0001)
May 4, 2021 18:53:29.954231024 CEST | 192.168.2.3 | 8.8.8.8 | 0xea33 | Standard query (0) | | A (IP address) | IN (0x0001)
May 4, 2021 18:53:30.180514097 CEST | 192.168.2.3 | 8.8.8.8 | 0x30ea | Standard query (0) | | A (IP address) | IN (0x0001)
DNS Answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
---|---|---|---|---|---|---|---|---|---
May 4, 2021 18:53:28.986049891 CEST | 8.8.8.8 | 192.168.2.3 | 0x4990 | No error (0) | | | 40.97.161.50 | A (IP address) | IN (0x0001)
May 4, 2021 18:53:28.986049891 CEST | 8.8.8.8 | 192.168.2.3 | 0x4990 | No error (0) | | | 40.97.116.82 | A (IP address) | IN (0x0001)
May 4, 2021 18:53:28.986049891 CEST | 8.8.8.8 | 192.168.2.3 | 0x4990 | No error (0) | | | 40.97.160.2 | A (IP address) | IN (0x0001)
May 4, 2021 18:53:28.986049891 CEST | 8.8.8.8 | 192.168.2.3 | 0x4990 | No error (0) | | | 40.97.148.226 | A (IP address) | IN (0x0001)
May 4, 2021 18:53:28.986049891 CEST | 8.8.8.8 | 192.168.2.3 | 0x4990 | No error (0) | | | 40.97.164.146 | A (IP address) | IN (0x0001)
May 4, 2021 18:53:28.986049891 CEST | 8.8.8.8 | 192.168.2.3 | 0x4990 | No error (0) | | | 40.97.128.194 | A (IP address) | IN (0x0001)
May 4, 2021 18:53:28.986049891 CEST | 8.8.8.8 | 192.168.2.3 | 0x4990 | No error (0) | | | 40.97.156.114 | A (IP address) | IN (0x0001)
May 4, 2021 18:53:28.986049891 CEST | 8.8.8.8 | 192.168.2.3 | 0x4990 | No error (0) | | | 40.97.153.146 | A (IP address) | IN (0x0001)
May 4, 2021 18:53:30.011257887 CEST | 8.8.8.8 | 192.168.2.3 | 0xea33 | No error (0) | | outlook.office365.com | | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 18:53:30.011257887 CEST | 8.8.8.8 | 192.168.2.3 | 0xea33 | No error (0) | | outlook.ha.office365.com | | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 18:53:30.011257887 CEST | 8.8.8.8 | 192.168.2.3 | 0xea33 | No error (0) | | outlook.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 18:53:30.011257887 CEST | 8.8.8.8 | 192.168.2.3 | 0xea33 | No error (0) | | FRA-efz.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 18:53:30.011257887 CEST | 8.8.8.8 | 192.168.2.3 | 0xea33 | No error (0) | | | 40.101.81.162 | A (IP address) | IN (0x0001)
May 4, 2021 18:53:30.011257887 CEST | 8.8.8.8 | 192.168.2.3 | 0xea33 | No error (0) | | | 40.101.12.98 | A (IP address) | IN (0x0001)
May 4, 2021 18:53:30.011257887 CEST | 8.8.8.8 | 192.168.2.3 | 0xea33 | No error (0) | | | 52.97.176.2 | A (IP address) | IN (0x0001)
May 4, 2021 18:53:30.229265928 CEST | 8.8.8.8 | 192.168.2.3 | 0x30ea | No error (0) | | outlook.ha.office365.com | | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 18:53:30.229265928 CEST | 8.8.8.8 | 192.168.2.3 | 0x30ea | No error (0) | | outlook.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 18:53:30.229265928 CEST | 8.8.8.8 | 192.168.2.3 | 0x30ea | No error (0) | | HHN-efz.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 18:53:30.229265928 CEST | 8.8.8.8 | 192.168.2.3 | 0x30ea | No error (0) | | | 40.101.138.2 | A (IP address) | IN (0x0001)
May 4, 2021 18:53:30.229265928 CEST | 8.8.8.8 | 192.168.2.3 | 0x30ea | No error (0) | | | 40.101.137.66 | A (IP address) | IN (0x0001)
May 4, 2021 18:53:30.229265928 CEST | 8.8.8.8 | 192.168.2.3 | 0x30ea | No error (0) | | | 40.101.138.18 | A (IP address) | IN (0x0001)
May 4, 2021 18:53:30.229265928 CEST | 8.8.8.8 | 192.168.2.3 | 0x30ea | No error (0) | | | 52.97.233.66 | A (IP address) | IN (0x0001)
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 18:51:24 |
Start date: | 04/05/2021 |
Path: | C:\Windows\System32\loaddll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x50000 |
File size: | 116736 bytes |
MD5 hash: | 542795ADF7CC08EFCF675D65310596E8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | high |
General |
---|
Start time: | 18:51:25 |
Start date: | 04/05/2021 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xbd0000 |
File size: | 232960 bytes |
MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 18:51:25 |
Start date: | 04/05/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x9e0000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 18:51:25 |
Start date: | 04/05/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x9e0000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 18:51:28 |
Start date: | 04/05/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x9e0000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 18:53:26 |
Start date: | 04/05/2021 |
Path: | C:\Program Files\internet explorer\iexplore.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7e65e0000 |
File size: | 823560 bytes |
MD5 hash: | 6465CB92B25A7BC1DF8E01D8AC5E7596 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 18:53:27 |
Start date: | 04/05/2021 |
Path: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xfd0000 |
File size: | 822536 bytes |
MD5 hash: | 071277CC2E3DF41EEEA8013E2AB58D5A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|
Executed Functions |
---|
Function | Relevance | APIs | Strings | Instructions | Tags | C-Code quality |
---|---|---|---|---|---|---|
00BB896F | 34.7 | 23 | - | 222 | memory, file, time, COMMON | 93% |
6E0C145E | 5.3 | 2 | 1 | 70 | native, COMMON | 72% |
6E0C101B | 1.5 | 1 | - | 34 | native, COMMON | 68% |
00BBADA5 | 19.5 | 10 | 1 | 209 | library, COMMON | 51% |
6E0C1D6E | 15.1 | 10 | - | 98 | thread, sleep, synchronization, COMMON | 79% |
00BB21C5 | 10.6 | 7 | - | 75 | COMMON | 100% |
6E0C1E74 | 9.1 | 6 | - | 71 | memory, COMMON | 86% |
6E0C1C4E | 6.1 | 3 | 1 | 97 | memory, COMMON | 87% |
00BB769A | 6.1 | 4 | - | 59 | COMMON | 53% |
6E0C1367 | 6.0 | 4 | - | 30 | thread, COMMON | 87% |
00BB86F0 | 4.6 | 3 | - | 94 | memory, COMMON | 100% |
00BB9958 | 4.6 | 3 | - | 76 | memory, COMMON | 53% |
6E0C10AD | 4.6 | 3 | - | 68 | memory, COMMON | 87% |
00BB9A9E | 3.1 | 2 | - | 112 | COMMON | 75% |
00BB1D9E | 3.0 | 2 | - | 43 | memory, COMMON | - |
00BB5369 | 3.0 | 2 | - | 40 | COMMON | 37% |
00BB5BF1 | 3.0 | 2 | - | 26 | COMMON | 100% |
00BB9CC9 | 1.5 | 1 | - | 49 | COMMON | 34% |
6E0C1FB4 | 1.5 | 1 | - | 8 | COMMON | 37% |
6E0C1B56 | 1.3 | 1 | - | 70 | COMMON | 86% |
00BB574A | 1.3 | 1 | - | 57 | memory, COMMON | 70% |
00BB1CCE | 1.3 | 1 | - | 43 | memory, COMMON | 100% |
00BB9D43 | 1.3 | 1 | - | 26 | string, COMMON | 100% |
Non-executed Functions |
---|
Function | Relevance | APIs | Strings | Instructions | Tags | C-Code quality |
---|---|---|---|---|---|---|
6E10A8B9 | 16.7 | 11 | - | 162 | COMMON | - |
6E12770D | 6.1 | 4 | - | 56 | COMMON | - |
6E0C1800 | 6.0 | 4 | - | 40 | COMMON | 100% |
6E10C6CB | 3.1 | 2 | - | 72 | COMMON | - |
6E1110C1 | 3.0 | 2 | - | 8 | COMMON | - |
6E106700 | 1.6 | - | 1 | 342 | COMMON | - |
6E111A40 | 1.5 | 1 | - | 20 | COMMON | - |
6E111AC6 | 1.5 | 1 | - | 18 | COMMON | - |
6E111090 | 1.5 | 1 | - | 6 | COMMON | - |
6E10B830 | 1.3 | 1 | - | 7 | memory, COMMON | - |
6E0C2184 | 0.1 | - | - | 77 | COMMON, Crypto | 71% |
00BBB0DC | 0.1 | - | - | 77 | COMMON, Crypto | 71% |
6E140E3F | 0.1 | - | - | 75 | COMMON | - |
6E141238 | 0.1 | - | - | 53 | COMMON | - |
6E11DCDC | 18.1 | 12 | - | 84 | COMMON | - |
6E10AD06 | 18.1 | 12 | - | 84 | COMMON | - |
6E11DDB3 | 16.6 | 11 | - | 131 | COMMON | - |
00BB5CB0 | 10.6 | 7 | - | 109 | library, memory, loader, COMMON | 73% |
00BB61B9 | 10.6 | 5 | 1 | 68 | string, COMMON | 63% |
6E1135FB | 9.1 | 6 | - | 112 | COMMON | - |
00BB94E5 | 8.9 | 3 | 2 | 171 | string, COMMON | 88% |
00BBA0B7 | 7.6 | 5 | - | 83 | COMMON | 100% |
6E11282C | 7.6 | 5 | - | 67 | COMMON | - |
00BBA2D9 | 7.5 | 5 | - | 45 | COMMON | 58% |
00BB12ED | 7.5 | 5 | - | 37 | COMMON | 100% |
00BB57D8 | 6.1 | 4 | - | 136 | COMMON | 85% |
00BB5574 | 6.1 | 4 | - | 112 | COMMON | 39% |
6E1283C5 | 6.1 | 4 | - | 97 | COMMON | - |
00BBA79A | 6.1 | 4 | - | 87 | sleep, COMMON | 40% |
6E10F67D | 6.0 | 4 | - | 48 | COMMON | - |
6E10E274 | 6.0 | 4 | - | 48 | COMMON | - |
00BB7FCE | 6.0 | 3 | 1 | 48 | string, COMMON | 53% |
00BB891E | 6.0 | 4 | - | 40 | COMMON | 100% |
00BB149B | 6.0 | 4 | - | 29 | memory, COMMON | 100% |
00BB6108 | 5.1 | 4 | - | 70 | string, COMMON | 58% |
00BB5115 | 5.0 | 4 | - | 39 | string, COMMON | 100% |
00BBA755 | 5.0 | 4 | - | 27 | string, COMMON | - |