Analysis Report kZcCqvNtWa.dll
Overview
Detection
Score: 76 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Malware Configuration
Threatname: Ursnif
{"RSA Public Key": "KujE77ctKyR8x3/dODwZbEsxGmck+FW9384s5u0Kacw8y1gCN+8m2bfjJPovkn+Uzufcdfss+a43eI6oHR1KgWQmvEAO6LK8tJv+Wl7iCBPJP7eef8xKeXht/Mhk1PSj7mHnJ9lcqKMtTteEdSecVvMRtb/WSKVTFfHDva9My7AJ/NbXqHdzCG7znACswLxD", "c2_domain": ["outlook.com/login", "gmail.com", "worunekulo.club", "horunekulo.website"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}
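The configuration above is the actionable part of this report, but it has to be read with care: ISFB/Ursnif configurations commonly carry well-known consumer-mail hosts at the front of the c2_domain list for connectivity checks, and blocking those would be a mistake. The following is an added example for this page, not code from the report or from Joe Sandbox. It parses the JSON exactly as printed, separates the known-good hosts from the candidate C2 hosts (the KNOWN_GOOD set is an analyst assumption, chosen to match what the sandbox actually resolved, outlook.com), validates the lengths of the key material (the "RSA Public Key" is treated as an opaque blob since the report does not state its layout; ISFB is documented to encrypt C2 traffic with Serpent, so the 16-character key is a 128-bit key), and emits Suricata DNS rules for the candidates. The SID base is arbitrary.

```python
"""Triage of the Ursnif/ISFB configuration printed above (added example)."""
import base64
import json
from urllib.parse import urlsplit

# Configuration exactly as printed in the report above (real input).
CONFIG_JSON = r'''{"RSA Public Key": "KujE77ctKyR8x3/dODwZbEsxGmck+FW9384s5u0Kacw8y1gCN+8m2bfjJPovkn+Uzufcdfss+a43eI6oHR1KgWQmvEAO6LK8tJv+Wl7iCBPJP7eef8xKeXht/Mhk1PSj7mHnJ9lcqKMtTteEdSecVvMRtb/WSKVTFfHDva9My7AJ/NbXqHdzCG7znACswLxD", "c2_domain": ["outlook.com/login", "gmail.com", "worunekulo.club", "horunekulo.website"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}'''

# Assumption: these are legitimate services the bot uses to test connectivity,
# not attacker infrastructure. They are context for the analyst, never IOCs.
KNOWN_GOOD = {"outlook.com", "gmail.com"}


def parse_config(text):
    """Load the extractor output and fail early if a required key is missing."""
    cfg = json.loads(text)
    for key in ("c2_domain", "RSA Public Key", "serpent_key", "botnet", "server"):
        if key not in cfg:
            raise ValueError(f"config lacks {key!r}")
    return cfg


def host_of(entry):
    """Reduce a c2_domain entry such as 'outlook.com/login' to its host name."""
    host = urlsplit("//" + entry.strip()).hostname
    if not host:
        raise ValueError(f"no host in {entry!r}")
    return host.lower()


def split_c2(cfg, known_good=KNOWN_GOOD):
    """Return (connectivity-check hosts, candidate C2 hosts), order preserved."""
    decoys, candidates = [], []
    for entry in cfg["c2_domain"]:
        host = host_of(entry)
        (decoys if host in known_good else candidates).append(host)
    return decoys, candidates


def decode_public_key(cfg):
    """Base64-decode the server public key. The blob layout is ISFB's own and
    not stated by the report, so only its size is sanity-checked here."""
    blob = base64.b64decode(cfg["RSA Public Key"], validate=True)
    if len(blob) < 128:  # a 1024-bit modulus alone needs 128 bytes
        raise ValueError(f"public key blob too short: {len(blob)} bytes")
    return blob


def serpent_key_bytes(cfg):
    """Serpent accepts 128/192/256-bit keys; reject anything else as a bad extract."""
    key = cfg["serpent_key"].encode("ascii")
    if len(key) not in (16, 24, 32):
        raise ValueError(f"unexpected Serpent key length {len(key)}")
    return key


def dns_rules(hosts, sid_base):
    """Suricata rules (dns.query sticky buffer, Suricata 5+) for candidate C2 hosts."""
    rules = []
    for i, host in enumerate(hosts):
        rules.append(
            f'alert dns $HOME_NET any -> any any (msg:"Ursnif C2 DNS lookup {host}"; '
            f'dns.query; content:"{host}"; nocase; endswith; '
            f'classtype:trojan-activity; sid:{sid_base + i}; rev:1;)'
        )
    return rules


def summary(cfg):
    """Compact view of the configuration for a ticket or a hunt."""
    decoys, candidates = split_c2(cfg)
    return {
        "botnet": cfg["botnet"],
        "server": cfg["server"],
        "c2_candidates": candidates,
        "connectivity_checks": decoys,
        "public_key_bytes": len(decode_public_key(cfg)),
        "serpent_key_bits": 8 * len(serpent_key_bytes(cfg)),
        "dga_count": int(cfg.get("DGA_count", 0)),
    }


if __name__ == "__main__":
    result = summary(parse_config(CONFIG_JSON))
    for key, value in result.items():
        print(f"{key}: {value}")
    print("\n".join(dns_rules(result["c2_candidates"], 9000001)))
```

The split matches the network section of this report: the run resolved only Microsoft mail hosts (the outlook.com entry) and never touched worunekulo.club or horunekulo.website, so those two are the hosts worth a DNS rule, while the first two entries belong in an allow-list note on the case.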
Yara Overview
Memory Dumps: two memory dumps matched rule JoeSecurity_Ursnif ("Yara detected Ursnif", author Joe Security).
Sigma Overview: no Sigma rule has matched.
Signature Overview
AV Detection:
- Found malware configuration (source: Malware Configuration Extractor)
- Multi AV Scanner detection for submitted file (source: ReversingLabs)
- Machine Learning detection for sample (source: Joe Sandbox ML)
- Further evidence rows: static PE information; file opened; binary string; code function 0_2_001D4C3B; DNS traffic detected
Key, Mouse, Clipboard, Microphone and Screen Capturing:
- Yara detected Ursnif (source: file source, 2 matches)
E-Banking Fraud:
- Yara detected Ursnif (source: file source, 2 matches)
System Summary:
- Writes or reads registry keys via WMI (source: WMI queries, 4 entries)
- Writes registry values via WMI (source: WMI registry write, 3 entries)
- Further evidence rows:
  - Code functions: 0_2_6E241F14, 0_2_6E2415F1, 0_2_6E2423A5, 0_2_001D1168, 0_2_001DB2F1
  - Code functions: 0_2_6E242184, 0_2_001DB0CC, 0_2_001D696A, 0_2_001D1B6A, 0_2_6E278960, 0_2_6E282153, 3_2_6E278960, 3_2_6E282153
  - Binary or memory string; static PE information (2 entries); classification label
  - Code function: 0_2_001D7F56
  - File created (2 entries); static PE information; file read; key opened; process created; ReversingLabs
  - Process created (14 entries); key value queried
  - Automated click (3 entries); window detected; file opened
  - Static PE information (6 entries); static PE information; binary string; static PE information (5 entries)
  - Code function: 0_2_6E2417FA
  - Static PE information
  - Code functions: 0_2_6E242129, 0_2_6E242183, 0_2_001DB0CB, 0_2_001DAD09, 0_2_6E282774, 0_2_6E25434B, 0_2_6E2577AB, 0_2_6E252FA4, 0_2_6E252C16, 3_2_6E282774, 3_2_6E25434B, 3_2_6E2577AB, 3_2_6E252FA4, 3_2_6E252C16
Reading the function identifiers: the leading number identifies the analysed process; the address then falls into one of two ranges. Addresses of the form 6E2xxxxx lie far from the DLL's preferred image base 0x1000000, as expected for an image with DYNAMIC_BASE set; addresses of the form 001Dxxxx lie below every image base listed under System Behavior, i.e. in memory the sample allocated at run time, which is where the in-memory Yara matches for Ursnif would be expected.
Hooking and other Techniques for Hiding and Protection:
- Yara detected Ursnif (source: file source, 2 matches)
- Further evidence rows:
  - Process information set (6 entries)
  - Last function (2 entries)
  - Code function: 0_2_001D4C3B
  - Code function: 0_2_6E28636F
  - Code function: 0_2_6E2417FA
  - Code functions: 0_2_6E2B5770, 0_2_6E2B56A6, 0_2_6E2B52AD, 3_2_6E2B5770, 3_2_6E2B56A6, 3_2_6E2B52AD
  - Code functions: 0_2_6E282F08, 0_2_6E28636F, 0_2_6E28150C, 3_2_6E282F08, 3_2_6E28636F, 3_2_6E28150C
  - Process created
  - Binary or memory string (4 entries)
  - Code function: 0_2_001D2D6E
  - Code functions: 0_2_6E287660, 3_2_6E287660
  - Code function: 0_2_6E241237
  - Code function: 0_2_001D2D6E
  - Code function: 0_2_6E241CDD
Stealing of Sensitive Information:
- Yara detected Ursnif (source: file source, 2 matches)
Remote Access Functionality:
- Yara detected Ursnif (source: file source, 2 matches)
Mitre Att&ck Matrix
Techniques matched by the behavioral signatures, with the number of signatures mapped to each technique in parentheses (unmatched cells of the full matrix are omitted):
- Execution: Windows Management Instrumentation (2), Native API (1)
- Privilege Escalation: Process Injection (12)
- Defense Evasion: Process Injection (12), Masquerading (1), Obfuscated Files or Information (1), Rundll32 (1), Software Packing (1)
- Discovery: System Information Discovery (23), Process Discovery (2), File and Directory Discovery (2), System Time Discovery (1), Security Software Discovery (1), Account Discovery (1), System Owner/User Discovery (1)
- Collection: Archive Collected Data (1)
- Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (1), Application Layer Protocol (1)
No technique was matched under Initial Access, Persistence, Credential Access, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects or Impact.
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
Detection | Scanner | Label
---|---|---
21% | ReversingLabs | Win32.Trojan.Zusy
100% | Joe Sandbox ML |
Dropped Files: no antivirus matches
Unpacked PE Files
Detection | Scanner | Label
---|---|---
100% | Avira | HEUR/AGEN.1108168
Domains: no antivirus matches
URLs: no antivirus matches
Domains and IPs
Contacted Domains
Name | IP | Active | Malicious | Reputation
---|---|---|---|---
outlook.com | 40.97.153.146 | true | false | high
HHN-efz.ms-acdc.office.com | 52.98.171.226 | true | false | high
www.outlook.com | unknown | unknown | false | high
outlook.office365.com | unknown | unknown | false | high
The candidate C2 hosts from the extracted configuration (worunekulo.club, horunekulo.website) do not appear here: within the 6m 50s run the sample only reached the Microsoft mail hosts behind the outlook.com entry of its c2_domain list, so this run yields no C2 IP addresses.
Contacted IPs: no contacted IP infos
General Information
Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 412159
Start date: 12.05.2021
Start time: 13:00:39
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 50s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: kZcCqvNtWa.dll
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal76.troj.winDLL@14/4@3/0
EGA Information: Failed
Simulations
Behavior and APIs: no simulations
Joe Sandbox View / Context
IPs: no context
Domains: HHN-efz.ms-acdc.office.com appears in the context of 7 earlier analyses rated malicious, outlook.com in 13. Both are Microsoft mail infrastructure and the contacted-domains table rates them not malicious; the history only reflects how often malware samples contact well-known services.
ASN: no context
JA3 Fingerprints: no context
Dropped Files: no context
Created / dropped Files
All four files were written by C:\Program Files\internet explorer\iexplore.exe (category: dropped), are not encrypted, and are rated Malicious: false, Reputation: low. Their entropy of 0.3 to 1.8 bits per byte marks them as mostly zero-filled data rather than packed payloads.
Size (bytes) | Entropy (8bit) | MD5 | SHA1 | SHA-256 | SHA-512 | SSDEEP
---|---|---|---|---|---|---
19032 | 1.7704690064419406 | 13E47D90BC1C1D71FB960BD7DBF91099 | 17385913779143F5D7281C96EAFF4EA46F7A563A | 0E0755C66FE657EF520818206045A6C0D2DD547A64BEBF294700E20579CD3980 | 2CD7DFA4FA6918CCAD344592A477369BB5EBF312E5EEF21193C252F06D7A0B303CF6582FA5D9966B9634197D3BDA3BAABD7DD6A6435057C31CF2CD1B67CE3720 | 48:IwBGcprEGwpLWG/ap8wGIpcVdGvnZpvVyGoSqp9VKGo49pmV:r3Z8ZU2gWV6tV8fVd9MV
14936 | 1.5448255572685763 | 75B9311DC327D4B60EDACD38906AAD77 | F6936702FDCB04C1D892B8E57DD19990B802786D | E7BDD1D59779EFA94418DC0D478B7D11D753157B8C20AFBCCD006CF377B3C346 | AF51F9501B1D91B0E1B445D6F098C0F3519272D229EB6F8016B63B6C465930900BE9ABD7D9674E40FDD777ACF45E745AEE3B505B4CD210F2E1FCED6B84324873 | 48:Iw0GcprdGwpaVG4pQJGrapbSaGQpB6GHHpm:roZHQH6pBSijBg
21349 | 0.2951707289341719 | F9BEBD0A297294BDC7B8C6114EB819EE | B1B441E13DB70A0D1E0CC3A2A6190C5C1A91F3D8 | 6A30EE99C23AA29DC94019C3BAA95B463123752680D4FE185BF5FA05BEF15F17 | 01B70F54D5091580CA105C7F04407B48EE2FFDCD7C77BAA39F871407577F9F4F193BAB3AFB9924BE7DC50568534A226D63EA77FFE8B8F13889DAFE632DA3B498 | 24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lw0:kBqoxKAuvScS+0
12917 | 0.39624837245012057 | 4762FCF754568D904969642F670EB3B1 | 75FC43D947F228DAA1EC1BA2E54562C8FC869D41 | 8E4034726C607D15EF4ADEEC4D952A17EAE0ADC1F52AEC4A96752316D7A53060 | DBDF57587E7E3EC021A14FC21303A2E7EB7DDF7D66B38D69478566079C5546454C808A3A48786A7524A65ACAD54E076FE832935C5390DBF61B4AFFB0E96DA262 | 24:c9lLh9lLh9lIn9lIn9lo0F9loU9lWXFhOB:kBqoIv51kB
Static File Info
General
File type:
Entropy (8bit): 6.324532607203666
TrID:
File name: kZcCqvNtWa.dll
File size: 478720
MD5: b9b732dbc6f94c79b5767eb98ebd899a
SHA1: 984a3ba5d4fe06265ce23cec82bda6a63b2bb3bc
SHA256: 1a0d4b328438a72cee012f6387825d942463b896fadc13f2c17e8d005f510cd4
SHA512: 595b4429e9f13212740ac4f9e12282dc3fdf9e141041695e4fe6302acf7aac2527275cb6a98eec78049758972c946cc62971604f68f7de68ad2350d13bac497a
SSDEEP: 12288:4Z31u8+a95+CA9lROexw8P7CbxXTTbWA:4Z31P9wr9lROow8W/
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........C...".J.".J.".J...J.".J.pwJ.".J4mrJ.".J.pqJ.".J.pgJ.".J.p`J.".J...J.".J.".J.#.J.pkJ.".J.pvJ.".J.ppJ.".J.puJ.".JRich.".J.......
File Icon
Icon Hash: 74f0e4ecccdce0e4
Static PE Info
General
Entrypoint: 0x1041953 (RVA 0x41953, inside .text)
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x1000000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics: DYNAMIC_BASE (ASLR only; NX_COMPAT is not set)
Time Stamp: 0x608B79B0 [Fri Apr 30 03:29:52 2021 UTC]
TLS Callbacks: none (the TLS data directory is empty)
CLR (.Net) Version: none (native code; the COM descriptor directory is empty)
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: a2f0d616525ae6c643810961c7d4fdfe
Entrypoint Preview
The code at the entry point is the standard MSVC C runtime DLL startup rather than anything sample-specific; function boundaries are marked by the `mov edi, edi` hot-patch prologue. Branch and call targets are printed as the sandbox disassembler rendered them and do not correspond to addresses inside the 32-bit image; the absolute data references (0107xxxxh, 0108xxxxh) are at the preferred image base 0x1000000. Annotations after `;` are added.

; _DllMainCRTStartup(hinstDLL, fdwReason, lpReserved): CRT one-time init only on
; DLL_PROCESS_ATTACH (fdwReason == 1), then hand off to the internal startup routine
mov edi, edi
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h            ; fdwReason == DLL_PROCESS_ATTACH ?
jne 00007FEB209FAF67h
call 00007FEB209FF8CCh                  ; CRT init (security cookie)
push dword ptr [ebp+08h]                ; hinstDLL
mov ecx, dword ptr [ebp+10h]            ; lpReserved
mov edx, dword ptr [ebp+0Ch]            ; fdwReason
call 00007FEB209FAE51h                  ; __DllMainCRTStartup
pop ecx
pop ebp
retn 000Ch
; CRT errno mapping (_dosmaperr / _get_errno_from_oserr): look oserr up in a
; 45-entry table of {oserr, errno} pairs; 19..36 -> EACCES (13);
; 188..202 -> ENOEXEC (8); anything else -> EINVAL (22)
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]            ; oserr
xor ecx, ecx
cmp eax, dword ptr [01073618h+ecx*8]    ; errtable[ecx].oserr
je 00007FEB209FAF75h
inc ecx
cmp ecx, 2Dh                            ; 45 table entries
jc 00007FEB209FAF53h
lea ecx, dword ptr [eax-13h]            ; oserr - 19
cmp ecx, 11h                            ; within 19..36 ?
jnbe 00007FEB209FAF70h
push 0000000Dh                          ; EACCES
pop eax
pop ebp
ret
mov eax, dword ptr [0107361Ch+ecx*8]    ; errtable[ecx].errno
pop ebp
ret
add eax, FFFFFF44h                      ; oserr - 188
push 0000000Eh
pop ecx
cmp ecx, eax                            ; (oserr - 188) <= 14 ?
sbb eax, eax
and eax, ecx
add eax, 08h                            ; ENOEXEC (8) or EINVAL (22)
pop ebp
ret
; _errno(): pointer to the per-thread errno, or a global fallback when no
; per-thread data exists
call 00007FEB209FC836h                  ; _getptd_noexit
test eax, eax
jne 00007FEB209FAF68h
mov eax, 01073780h                      ; fallback errno
ret
add eax, 08h                            ; &ptd->_terrno
ret
; store a callback pointer in a CRT global; read back by the next routine
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov dword ptr [0108B5ACh], eax
pop ebp
ret
; _callnewh-style: decode the stored handler pointer and, if set, call
; handler(size); returns 1 if the handler reported success, else 0
mov edi, edi
push ebp
mov ebp, esp
push dword ptr [0108B5ACh]
call 00007FEB209FC636h                  ; decode pointer
pop ecx
test eax, eax
je 00007FEB209FAF71h
push dword ptr [ebp+08h]                ; size
call eax
pop ecx
test eax, eax
je 00007FEB209FAF67h
xor eax, eax
inc eax
pop ebp
ret
xor eax, eax
pop ebp
ret
; CRT lock-table initialisation: walk the lock info table in 8-byte entries
mov edi, edi
push esi
push edi
xor esi, esi
mov edi, 0108B5B8h
cmp dword ptr [0107378Ch+esi*8], 01h
jne 00007FEB209FAF80h
lea eax, dword ptr [00000088h+esi*8]
Rich Headers |
---|
Programming Language: |
|
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x72630 | 0x6f | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x71e64 | 0x50 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8d000 | 0x3bc | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8e000 | 0x1544 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x49190 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x70c08 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x49000 | 0x15c | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x4732e | 0x47400 | False | 0.745877878289 | data | 6.57407814817 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x49000 | 0x2969f | 0x29800 | False | 0.65666768637 | data | 5.42368765721 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x73000 | 0x1917c | 0x1400 | False | 0.2435546875 | data | 3.63177828336 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x8d000 | 0x3bc | 0x400 | False | 0.4091796875 | data | 3.09285651514 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x8e000 | 0x2588 | 0x2600 | False | 0.456106085526 | data | 4.61056666922 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
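The data directories, section table, entry point and exports above can be cross-checked against each other before anything is run; a loader DLL that has been tampered with, or one that unpacks in place, usually shows up as an entry point or export outside an executable section, a writable and executable section, or a section whose entropy is at the level of compressed or encrypted data. The following is an added example for this page, not part of the Joe Sandbox report. The image base, entry point, section table, non-empty data directories and export addresses are copied from the tables above; the heuristics (entropy at or above 7.0, W+X sections, entry point or export outside an executable section, a virtual size far beyond the raw size, overlapping sections, a data directory straddling sections) are ordinary triage rules chosen for this example.

```python
"""Layout checks over the Static PE Info above (added example)."""
IMAGE_BASE = 0x1000000
ENTRY_POINT = 0x1041953

# (name, RVA, virtual size, raw size, entropy, characteristics) per section
SECTIONS = [
    (".text",  0x1000,  0x4732e, 0x47400, 6.574, {"EXECUTE", "CODE", "READ"}),
    (".rdata", 0x49000, 0x2969f, 0x29800, 5.424, {"INITIALIZED_DATA", "READ"}),
    (".data",  0x73000, 0x1917c, 0x1400,  3.632, {"INITIALIZED_DATA", "WRITE", "READ"}),
    (".rsrc",  0x8d000, 0x3bc,   0x400,   3.093, {"INITIALIZED_DATA", "READ"}),
    (".reloc", 0x8e000, 0x2588,  0x2600,  4.611, {"INITIALIZED_DATA", "DISCARDABLE", "READ"}),
]
# name -> (RVA, size); directories the report lists with size 0 are omitted
DATA_DIRECTORIES = {
    "EXPORT": (0x72630, 0x6f), "IMPORT": (0x71e64, 0x50),
    "RESOURCE": (0x8d000, 0x3bc), "BASERELOC": (0x8e000, 0x1544),
    "DEBUG": (0x49190, 0x1c), "LOAD_CONFIG": (0x70c08, 0x40), "IAT": (0x49000, 0x15c),
}
# exported function -> virtual address as printed (preferred base applied)
EXPORTS = {"Eithernothing": 0x103a020, "Order": 0x1039f40, "Smileschool": 0x1039b20}


def section_for_rva(rva, sections=SECTIONS):
    """Name of the section whose mapped range contains rva, else None.
    The loader maps max(virtual, raw) bytes, so that is the range used."""
    for name, va, vsize, rsize, _entropy, _flags in sections:
        if va <= rva < va + max(vsize, rsize):
            return name
    return None


def entry_point_section():
    return section_for_rva(ENTRY_POINT - IMAGE_BASE)


def directory_sections():
    """Which section holds the start of each data directory."""
    return {name: section_for_rva(rva) for name, (rva, _size) in DATA_DIRECTORIES.items()}


def export_sections():
    return {name: section_for_rva(va - IMAGE_BASE) for name, va in EXPORTS.items()}


def findings(entropy_threshold=7.0):
    """Human-readable anomalies; an empty list means the layout looks like a
    plain compiler-produced image."""
    out = []
    flags_of = {s[0]: s[5] for s in SECTIONS}
    ep = entry_point_section()
    if ep is None or "EXECUTE" not in flags_of[ep]:
        out.append(f"entry point 0x{ENTRY_POINT:x} is not inside an executable section ({ep})")
    prev_end = 0
    for name, va, vsize, rsize, entropy, flags in SECTIONS:
        if {"WRITE", "EXECUTE"} <= flags:
            out.append(f"{name}: writable and executable")
        if entropy >= entropy_threshold:
            out.append(f"{name}: entropy {entropy:.2f} suggests compressed or encrypted content")
        if vsize > 4 * rsize:
            out.append(f"{name}: virtual size 0x{vsize:x} far exceeds raw size 0x{rsize:x} "
                       "(zero-filled at load; normal for .data, suspicious for a code section)")
        if va < prev_end:
            out.append(f"{name}: overlaps the preceding section")
        prev_end = va + max(vsize, rsize)
    for name, (rva, size) in DATA_DIRECTORIES.items():
        if section_for_rva(rva) is None or section_for_rva(rva) != section_for_rva(rva + size - 1):
            out.append(f"{name} directory at 0x{rva:x} is not contained in a single section")
    for name, sec in export_sections().items():
        if sec is None or "EXECUTE" not in flags_of[sec]:
            out.append(f"export {name} does not point into an executable section ({sec})")
    return out


if __name__ == "__main__":
    print("entry point in", entry_point_section())
    print("directories:", directory_sections())
    print("exports:", export_sections())
    for line in findings() or ["no anomalies"]:
        print("-", line)
```

On this sample the only finding is the .data size gap (0x1917c virtual against 0x1400 raw), which is what an ordinary image with a large zero-initialised data area looks like. Every data directory sits inside the section the report names for it, all three exports and the entry point resolve into .text, no section is both writable and executable, and no section reaches the entropy of a compressed or encrypted blob. Whatever the "Software Packing" mapping above rests on, it is not the section table of the on-disk file; the interesting code is the one the Yara rules hit in memory.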
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_VERSION | 0x8d058 | 0x364 | data | English | United States |
Imports |
---|
DLL | Import |
---|---|
KERNEL32.dll | QueryPerformanceCounter, GetVolumeInformationW, GetSystemTime, GetModuleHandleW, GetVersionExW, OpenProcess, GetDateFormatW, FindResourceW, LockResource, GetLocalTime, HeapCreate, CreateFileW, HeapFree, HeapCompact, HeapAlloc, VirtualProtectEx, GetCurrentDirectoryW, SetConsoleCP, SetConsoleOutputCP, GetStringTypeW, GetStringTypeA, GetLocaleInfoA, LoadLibraryA, GetLastError, HeapReAlloc, RtlUnwind, GetCurrentThreadId, GetCommandLineA, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapDestroy, VirtualFree, VirtualAlloc, Sleep, GetProcAddress, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, InterlockedDecrement, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, LCMapStringA, WideCharToMultiByte, MultiByteToWideChar, LCMapStringW, TerminateProcess, GetCurrentProcess, IsDebuggerPresent, RaiseException, HeapSize, SetHandleCount, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount |
ole32.dll | CoCreateInstance, CoUninitialize, OleInitialize, OleUninitialize, CoInitialize |
WINSPOOL.DRV | EnumPrintersW, GetPrinterDataW, GetPrinterW, DocumentPropertiesW, OpenPrinterW, ClosePrinter |
Exports |
---|
Name | Ordinal | Address |
---|---|---|
Eithernothing | 1 | 0x103a020 |
Order | 2 | 0x1039f40 |
Smileschool | 3 | 0x1039b20 |
Version Infos |
---|
Description | Data |
---|---|
LegalCopyright | Notice sister Corporation. All rights reserved |
InternalName | Slow |
FileVersion | 3.2.1.380 |
CompanyName | Notice sister Corporation |
ProductName | Notice sister Soil read |
Observe | 38 |
ProductVersion | 3.2.1 |
FileDescription | Notice sister Soil read Skinneed |
OriginalFilename | Tail.dll |
Translation | 0x0409 0x04b0 |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Network Behavior |
---|
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
May 12, 2021 13:01:22.364706993 CEST | 60985 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 13:01:22.421803951 CEST | 53 | 60985 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 13:01:22.644109011 CEST | 50200 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 13:01:22.692748070 CEST | 51281 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 13:01:22.711570978 CEST | 53 | 50200 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 13:01:22.749787092 CEST | 53 | 51281 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 13:01:23.860627890 CEST | 49199 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 13:01:23.910384893 CEST | 53 | 49199 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 13:01:24.778978109 CEST | 50620 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 13:01:24.830625057 CEST | 53 | 50620 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 13:01:25.658778906 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 13:01:25.707258940 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 13:01:26.528624058 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 13:01:26.587990999 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 13:01:26.948482990 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 13:01:27.000016928 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 13:01:27.806850910 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 13:01:27.867090940 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 13:01:30.044956923 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 13:01:30.093739986 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 13:01:32.348197937 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 13:01:32.397023916 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 13:01:33.171554089 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 13:01:33.223162889 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 13:02:08.864763975 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 13:02:08.944426060 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 13:02:19.656306028 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 13:02:19.733886957 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 13:02:57.918824911 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 13:02:57.967470884 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 13:02:58.847552061 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 13:02:58.899087906 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 13:02:59.686183929 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 13:02:59.734926939 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 13:03:00.798839092 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 13:03:00.847754002 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 13:03:01.626238108 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 13:03:01.675170898 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 13:03:02.806885958 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 13:03:02.855701923 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 13:03:03.114238024 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 13:03:03.204421997 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 13:03:03.577776909 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 13:03:03.626724958 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 13:03:04.362020016 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 13:03:04.413634062 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 13:03:10.289743900 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 13:03:10.339876890 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 13:03:11.182039022 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 13:03:11.239130020 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 13:03:23.390181065 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 13:03:23.450407982 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 13:03:32.916106939 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 13:03:32.975302935 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 13:03:34.283544064 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 13:03:34.332479954 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 13:03:35.099181890 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 13:03:35.156474113 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3 |
May 12, 2021 13:03:35.310314894 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8 |
May 12, 2021 13:03:35.359015942 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
May 12, 2021 13:03:34.283544064 CEST | 192.168.2.3 | 8.8.8.8 | 0x5e15 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 13:03:35.099181890 CEST | 192.168.2.3 | 8.8.8.8 | 0x73b8 | Standard query (0) | A (IP address) | IN (0x0001) | |
May 12, 2021 13:03:35.310314894 CEST | 192.168.2.3 | 8.8.8.8 | 0x79a2 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
May 12, 2021 13:03:34.332479954 CEST | 8.8.8.8 | 192.168.2.3 | 0x5e15 | No error (0) | 40.97.153.146 | A (IP address) | IN (0x0001) | ||
May 12, 2021 13:03:34.332479954 CEST | 8.8.8.8 | 192.168.2.3 | 0x5e15 | No error (0) | 40.97.161.50 | A (IP address) | IN (0x0001) | ||
May 12, 2021 13:03:34.332479954 CEST | 8.8.8.8 | 192.168.2.3 | 0x5e15 | No error (0) | 40.97.116.82 | A (IP address) | IN (0x0001) | ||
May 12, 2021 13:03:34.332479954 CEST | 8.8.8.8 | 192.168.2.3 | 0x5e15 | No error (0) | 40.97.160.2 | A (IP address) | IN (0x0001) | ||
May 12, 2021 13:03:34.332479954 CEST | 8.8.8.8 | 192.168.2.3 | 0x5e15 | No error (0) | 40.97.148.226 | A (IP address) | IN (0x0001) | ||
May 12, 2021 13:03:34.332479954 CEST | 8.8.8.8 | 192.168.2.3 | 0x5e15 | No error (0) | 40.97.164.146 | A (IP address) | IN (0x0001) | ||
May 12, 2021 13:03:34.332479954 CEST | 8.8.8.8 | 192.168.2.3 | 0x5e15 | No error (0) | 40.97.128.194 | A (IP address) | IN (0x0001) | ||
May 12, 2021 13:03:34.332479954 CEST | 8.8.8.8 | 192.168.2.3 | 0x5e15 | No error (0) | 40.97.156.114 | A (IP address) | IN (0x0001) | ||
May 12, 2021 13:03:35.156474113 CEST | 8.8.8.8 | 192.168.2.3 | 0x73b8 | No error (0) | outlook.office365.com | CNAME (Canonical name) | IN (0x0001) | ||
May 12, 2021 13:03:35.156474113 CEST | 8.8.8.8 | 192.168.2.3 | 0x73b8 | No error (0) | outlook.ha.office365.com | CNAME (Canonical name) | IN (0x0001) | ||
May 12, 2021 13:03:35.156474113 CEST | 8.8.8.8 | 192.168.2.3 | 0x73b8 | No error (0) | outlook.ms-acdc.office.com | CNAME (Canonical name) | IN (0x0001) | ||
May 12, 2021 13:03:35.156474113 CEST | 8.8.8.8 | 192.168.2.3 | 0x73b8 | No error (0) | HHN-efz.ms-acdc.office.com | CNAME (Canonical name) | IN (0x0001) | ||
May 12, 2021 13:03:35.156474113 CEST | 8.8.8.8 | 192.168.2.3 | 0x73b8 | No error (0) | 52.98.171.226 | A (IP address) | IN (0x0001) | ||
May 12, 2021 13:03:35.156474113 CEST | 8.8.8.8 | 192.168.2.3 | 0x73b8 | No error (0) | 40.101.137.82 | A (IP address) | IN (0x0001) | ||
May 12, 2021 13:03:35.156474113 CEST | 8.8.8.8 | 192.168.2.3 | 0x73b8 | No error (0) | 40.101.136.242 | A (IP address) | IN (0x0001) | ||
May 12, 2021 13:03:35.156474113 CEST | 8.8.8.8 | 192.168.2.3 | 0x73b8 | No error (0) | 52.98.152.194 | A (IP address) | IN (0x0001) | ||
May 12, 2021 13:03:35.359015942 CEST | 8.8.8.8 | 192.168.2.3 | 0x79a2 | No error (0) | outlook.ha.office365.com | CNAME (Canonical name) | IN (0x0001) | ||
May 12, 2021 13:03:35.359015942 CEST | 8.8.8.8 | 192.168.2.3 | 0x79a2 | No error (0) | outlook.ms-acdc.office.com | CNAME (Canonical name) | IN (0x0001) | ||
May 12, 2021 13:03:35.359015942 CEST | 8.8.8.8 | 192.168.2.3 | 0x79a2 | No error (0) | HHN-efz.ms-acdc.office.com | CNAME (Canonical name) | IN (0x0001) | ||
May 12, 2021 13:03:35.359015942 CEST | 8.8.8.8 | 192.168.2.3 | 0x79a2 | No error (0) | 40.101.137.50 | A (IP address) | IN (0x0001) | ||
May 12, 2021 13:03:35.359015942 CEST | 8.8.8.8 | 192.168.2.3 | 0x79a2 | No error (0) | 40.101.136.18 | A (IP address) | IN (0x0001) | ||
May 12, 2021 13:03:35.359015942 CEST | 8.8.8.8 | 192.168.2.3 | 0x79a2 | No error (0) | 52.98.171.226 | A (IP address) | IN (0x0001) | ||
May 12, 2021 13:03:35.359015942 CEST | 8.8.8.8 | 192.168.2.3 | 0x79a2 | No error (0) | 52.98.152.162 | A (IP address) | IN (0x0001) |
System Behavior
The process chain loaddll32.exe -> cmd.exe -> rundll32.exe is consistent with the sandbox's default DLL cookbook, which loads a submitted DLL through loaddll32.exe and invokes its exports through rundll32.exe. Every process below is a 32-bit (Wow64) process with elevated and administrator privileges, reputation high, programmed in "C, C++ or other language". The report lists no Yara matches on loaddll32.exe itself; the Ursnif matches are on memory dumps.
Start time | Start date | Path | Imagebase | File size | MD5 hash
---|---|---|---|---|---
13:01:30 | 12/05/2021 | C:\Windows\System32\loaddll32.exe | 0x1210000 | 116736 bytes | 542795ADF7CC08EFCF675D65310596E8
13:01:32 | 12/05/2021 | C:\Windows\SysWOW64\cmd.exe | 0xbd0000 | 232960 bytes | F3BDBE3BB6F734E357235F4D5898582D
13:01:32 | 12/05/2021 | C:\Windows\SysWOW64\rundll32.exe | 0x1310000 | 61952 bytes | D7CA562B0DB4F4DD0F03A89A1FDAD63D
13:01:32 | 12/05/2021 | C:\Windows\SysWOW64\rundll32.exe | 0x1310000 | 61952 bytes | D7CA562B0DB4F4DD0F03A89A1FDAD63D
13:01:36 | 12/05/2021 | C:\Windows\SysWOW64\rundll32.exe | 0x1310000 | 61952 bytes | D7CA562B0DB4F4DD0F03A89A1FDAD63D
13:01:40 | 12/05/2021 | C:\Windows\SysWOW64\rundll32.exe | 0x1310000 | 61952 bytes | D7CA562B0DB4F4DD0F03A89A1FDAD63D
13:03:32 | 12/05/2021 | C:\Program Files\internet explorer\iexplore.exe | | |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff62b4d0000 |
File size: | 823560 bytes |
MD5 hash: | 6465CB92B25A7BC1DF8E01D8AC5E7596 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 13:03:33 |
Start date: | 12/05/2021 |
Path: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1360000 |
File size: | 822536 bytes |
MD5 hash: | 071277CC2E3DF41EEEA8013E2AB58D5A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|
Executed Functions |
---|
Function 001D4C3B, Relevance: 34.7, APIs: 23, Instructions: 222, Tags: memory, file, time, COMMON | C-Code - Quality: 93% | Uniqueness Score: -1.00% |
Function 6E241237, Relevance: 15.1, APIs: 10, Instructions: 98, Tags: thread, sleep, synchronization, COMMON | C-Code - Quality: 79% | Uniqueness Score: -1.00% |
Uniqueness Score: -1.00% |
C-Code - Quality: 96% | Uniqueness Score: -1.00% |
C-Code - Quality: 38% | Uniqueness Score: -1.00% |
Function 6E2415F1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70, Tags: native, COMMON | C-Code - Quality: 72% | Uniqueness Score: -1.00% |
Function 6E278960, Relevance: 3.7, Strings: 2, Instructions: 1211, Tags: COMMON | Uniqueness Score: -1.00% |
Function 6E241F14, Relevance: 1.5, APIs: 1, Instructions: 34, Tags: native, COMMON | C-Code - Quality: 68% | Uniqueness Score: -1.00% |
C-Code - Quality: 74% | Uniqueness Score: -1.00% |
Function 001DAD95, Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 209, Tags: library, COMMON | C-Code - Quality: 51% | Uniqueness Score: -1.00% |
C-Code - Quality: 83% | Uniqueness Score: -1.00% |
C-Code - Quality: 69% | Uniqueness Score: -1.00% |
C-Code - Quality: 74% | Uniqueness Score: -1.00% |
Function 001D523A, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60, Tags: sleep, memory, time, COMMON | C-Code - Quality: 74% | Uniqueness Score: -1.00% |
Function 001D54DA, Relevance: 10.6, APIs: 7, Instructions: 75, Tags: COMMON | C-Code - Quality: 100% | Uniqueness Score: -1.00% |
C-Code - Quality: 100% | Uniqueness Score: -1.00% |
Function 6E241F56, Relevance: 9.1, APIs: 6, Instructions: 71, Tags: memory, COMMON | C-Code - Quality: 86% | Uniqueness Score: -1.00% |
C-Code - Quality: 100% | Uniqueness Score: -1.00% |
C-Code - Quality: 57% | Uniqueness Score: -1.00% |
Function 6E2410E8, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 111, Tags: memory, COMMON | C-Code - Quality: 90% | Uniqueness Score: -1.00% |
Uniqueness Score: -1.00% |
Function 001D6BC0, Relevance: 6.1, APIs: 4, Instructions: 59, Tags: COMMON | C-Code - Quality: 53% | Uniqueness Score: -1.00% |
Function 6E24173D, Relevance: 6.0, APIs: 4, Instructions: 30, Tags: thread, COMMON | C-Code - Quality: 87% | Uniqueness Score: -1.00% |
Function 6E27FB70, Relevance: 4.7, APIs: 3, Instructions: 242, Tags: COMMON | Uniqueness Score: -1.00% |
Function 001D579B, Relevance: 4.6, APIs: 3, Instructions: 94, Tags: memory, COMMON | C-Code - Quality: 100% | Uniqueness Score: -1.00% |
Function 001D8A1D, Relevance: 4.6, APIs: 3, Instructions: 76, Tags: memory, COMMON | C-Code - Quality: 53% | Uniqueness Score: -1.00% |
Function 6E241E32, Relevance: 4.6, APIs: 3, Instructions: 68, Tags: memory, COMMON | C-Code - Quality: 87% | Uniqueness Score: -1.00% |
C-Code - Quality: 90% | Uniqueness Score: -1.00% |
Function 001D59F9, Relevance: 3.1, APIs: 2, Instructions: 112, Tags: COMMON | C-Code - Quality: 75% | Uniqueness Score: -1.00% |
C-Code - Quality: 100% | Uniqueness Score: -1.00% |
Function 001D3F0E, Relevance: 3.0, APIs: 2, Instructions: 40, Tags: COMMON | C-Code - Quality: 37% | Uniqueness Score: -1.00% |
Function 001D6456, Relevance: 3.0, APIs: 2, Instructions: 26, Tags: COMMON | C-Code - Quality: 100% | Uniqueness Score: -1.00% |
Function 6E277FA0, Relevance: 1.7, APIs: 1, Instructions: 161, Tags: COMMON | Uniqueness Score: -1.00% |
Function 001D497C, Relevance: 1.5, APIs: 1, Instructions: 49, Tags: COMMON | C-Code - Quality: 34% | Uniqueness Score: -1.00% |
Function 6E281BB1, Relevance: 1.5, APIs: 1, Instructions: 20, Tags: memory, COMMON | Uniqueness Score: -1.00% |
Function 6E2410BC, Relevance: 1.5, APIs: 1, Instructions: 8, Tags: COMMON | C-Code - Quality: 37% | Uniqueness Score: -1.00% |
Function 6E2830B2, Relevance: 1.5, APIs: 1, Instructions: 4, Tags: COMMON | Uniqueness Score: -1.00% |
Function 6E241699, Relevance: 1.3, APIs: 1, Instructions: 70, Tags: COMMON | C-Code - Quality: 85% | Uniqueness Score: -1.00% |
Function 001D67C4, Relevance: 1.3, APIs: 1, Instructions: 57, Tags: memory, COMMON | C-Code - Quality: 70% | Uniqueness Score: -1.00% |
Function 001D4B9D, Relevance: 1.3, APIs: 1, Instructions: 43, Tags: memory, COMMON | C-Code - Quality: 100% | Uniqueness Score: -1.00% |
Non-executed Functions |
---|
C-Code - Quality: 92% | Uniqueness Score: -1.00% |
Function 6E28150C, Relevance: 7.6, APIs: 5, Instructions: 58, Tags: COMMON | Uniqueness Score: -1.00% |
C-Code - Quality: 68% | Uniqueness Score: -1.00% |
Function 6E241CDD, Relevance: 6.0, APIs: 4, Instructions: 40, Tags: COMMON | C-Code - Quality: 100% | Uniqueness Score: -1.00% |
C-Code - Quality: 100% | Uniqueness Score: -1.00% |
C-Code - Quality: 49% | Uniqueness Score: -1.00% |
C-Code - Quality: 100% | Uniqueness Score: -1.00% |
C-Code - Quality: 100% | Uniqueness Score: -1.00% |
Function 6E242184, Relevance: .1, Instructions: 77, Tags: COMMON, Crypto | C-Code - Quality: 71% | Uniqueness Score: -1.00% |
Function 001DB0CC, Relevance: .1, Instructions: 77, Tags: COMMON, Crypto | C-Code - Quality: 71% | Uniqueness Score: -1.00% |
Function 6E2B52AD, Relevance: .1, Instructions: 75, Tags: COMMON | Uniqueness Score: -1.00% |
Function 6E2B56A6, Relevance: .1, Instructions: 53, Tags: COMMON | Uniqueness Score: -1.00% |
C-Code - Quality: 66% | Uniqueness Score: -1.00% |
Function 6E27AA10, Relevance: 19.7, APIs: 13, Instructions: 172, Tags: COMMON | Uniqueness Score: -1.00% |
C-Code - Quality: 27% | Uniqueness Score: -1.00% |
Function 001D4EEC, Relevance: 10.6, APIs: 7, Instructions: 109, Tags: library, memory, loader, COMMON | C-Code - Quality: 73% | Uniqueness Score: -1.00% |
Function 001D8840, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68, Tags: string, COMMON | C-Code - Quality: 63% | Uniqueness Score: -1.00% |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% | Uniqueness Score: -1.00% |
Function 6E284BCB, Relevance: 9.0, APIs: 6, Instructions: 49, Tags: COMMON | Uniqueness Score: -1.00% |
Function 001D3F60, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 171, Tags: string, COMMON | C-Code - Quality: 88% | Uniqueness Score: -1.00% |
Function 001D1363, Relevance: 7.6, APIs: 5, Instructions: 83, Tags: COMMON | C-Code - Quality: 100% | Uniqueness Score: -1.00% |
Function 6E283880, Relevance: 7.5, APIs: 5, Instructions: 47, Tags: COMMON | Uniqueness Score: -1.00% |
Function 001D5722, Relevance: 7.5, APIs: 5, Instructions: 45, Tags: COMMON | C-Code - Quality: 58% | Uniqueness Score: -1.00% |
Function 6E280157, Relevance: 7.5, APIs: 5, Instructions: 44, Tags: memory, COMMON | Uniqueness Score: -1.00% |
Function 001D14CE, Relevance: 7.5, APIs: 5, Instructions: 37, Tags: COMMON | C-Code - Quality: 100% | Uniqueness Score: -1.00% |
Function 6E27DE60, Relevance: 6.3, APIs: 4, Instructions: 282, Tags: COMMON | Uniqueness Score: -1.00% |
Function 6E27CE60, Relevance: 6.2, APIs: 4, Instructions: 176, Tags: COMMON | Uniqueness Score: -1.00% |
C-Code - Quality: 46% | Uniqueness Score: -1.00% |
Uniqueness Score: -1.00% |
Function 001D8D85, Relevance: 6.1, APIs: 4, Instructions: 136, Tags: COMMON | C-Code - Quality: 85% | Uniqueness Score: -1.00% |
Uniqueness Score: -1.00% |
Function 001D12F8, Relevance: 6.1, APIs: 4, Instructions: 124, Tags: COMMON | C-Code - Quality: 42% | Uniqueness Score: -1.00% |
C-Code - Quality: 87% | Uniqueness Score: -1.00% |
C-Code - Quality: 38% | Uniqueness Score: -1.00% |
Function 001D8634, Relevance: 6.1, APIs: 4, Instructions: 87, Tags: sleep, COMMON | C-Code - Quality: 40% | Uniqueness Score: -1.00% |
C-Code - Quality: 78% | Uniqueness Score: -1.00% |
C-Code - Quality: 68% | Uniqueness Score: -1.00% |
Function 001D64A0, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 48, Tags: string, COMMON | C-Code - Quality: 53% | Uniqueness Score: -1.00% |
Function 001D8AED, Relevance: 6.0, APIs: 4, Instructions: 40, Tags: COMMON | C-Code - Quality: 100% | Uniqueness Score: -1.00% |
Function 6E281585, Relevance: 6.0, APIs: 4, Instructions: 34, Tags: COMMON | Uniqueness Score: -1.00% |
Function 6E283FEC, Relevance: 6.0, APIs: 4, Instructions: 31, Tags: COMMON | Uniqueness Score: -1.00% |
C-Code - Quality: 50% | Uniqueness Score: -1.00% |
Function 001D469F, Relevance: 6.0, APIs: 4, Instructions: 29, Tags: memory, COMMON | C-Code - Quality: 100% | Uniqueness Score: -1.00% |
C-Code - Quality: 37% | Uniqueness Score: -1.00% |
Uniqueness Score: -1.00% |
Function 001D8389, Relevance: 5.1, APIs: 4, Instructions: 70, Tags: string, COMMON | C-Code - Quality: 58% | Uniqueness Score: -1.00% |
Function 001D8FE0, Relevance: 5.0, APIs: 4, Instructions: 39, Tags: string, COMMON | C-Code - Quality: 100% | Uniqueness Score: -1.00% |
Function 001D8007, Relevance: 5.0, APIs: 4, Instructions: 27, Tags: string, COMMON | Uniqueness Score: -1.00% |