Edit tour
Windows
Analysis Report
97NT8DO3JB.exe
Overview
General Information
| Sample name: | 97NT8DO3JB.exerenamed because original name is a hash value |
| Original sample name: | 3415aaebe725006cfa66320863c1bb8a.exe |
| Analysis ID: | 1428958 |
| MD5: | 3415aaebe725006cfa66320863c1bb8a |
| SHA1: | 37cb513d1f01f9ec819b62ca8ff1b591ae4c8669 |
| SHA256: | ee36bc6d088eefecf233a4592027abfe4934fdd240afd39dc654da60e49b710c |
| Tags: | 32exeGCleanertrojan |
| Infos: |  |
 | |
Detection
GCleaner
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Yara detected GCleaner
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara signature match
Classification
- System is w10x64
97NT8DO3JB.exe (PID: 6640 cmdline: "C:\Users\ user\Deskt op\97NT8DO 3JB.exe" MD5: 3415AAEBE725006CFA66320863C1BB8A) 
WerFault.exe (PID: 6856 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 6 640 -s 744 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 3484 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 6 640 -s 764 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 7040 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 6 640 -s 780 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 3264 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 6 640 -s 772 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 6404 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 6 640 -s 904 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 6844 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 6 640 -s 912 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 7092 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 6 640 -s 137 6 MD5: C31336C1EFC2CCB44B4326EA793040F2) 
cmd.exe (PID: 2516 cmdline: "C:\Window s\System32 \cmd.exe" /c taskkil l /im "97N T8DO3JB.ex e" /f & er ase "C:\Us ers\user\D esktop\97N T8DO3JB.ex e" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7056 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
taskkill.exe (PID: 1720 cmdline: taskkill / im "97NT8D O3JB.exe" /f MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD) - WerFault.exe (PID: 7148 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 6 640 -s 133 6 MD5: C31336C1EFC2CCB44B4326EA793040F2) - SIHClient.exe (PID: 2516 cmdline:
C:\Windows \System32\ sihclient. exe /cv mY xTU7XVgUSO C2w2/zVglw .0.2 MD5: 8BE47315BF30475EEECE8E39599E9273)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| GCleaner | No Attribution |
{"C2 addresses": ["185.172.128.90"]}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
| |
| JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security | ||
| Windows_Trojan_Smokeloader_3687686f | unknown | unknown |
| |
| JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security | ||
| JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security | ||
| JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security | ||
| JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security | ||
| JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security | ||
| JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security | ||
| Click to see the 1 entries | ||||
⊘No Sigma rule has matched
| Timestamp: | 04/19/24-22:35:59.183264 |
| SID: | 2856233 |
| Source Port: | 49730 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Joe Sandbox ML: | ||
Compliance | |
|---|
| Source: | Unpacked PE file: | ||
| Source: | Static PE information: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
Networking | |
|---|
| Source: | Snort IDS: | ||
| Source: | IPs: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | File created: | ||
| Source: | File created: | ||
| Source: | Code function: | 0_2_00404710 | |
| Source: | Code function: | 0_2_00409860 | |
| Source: | Code function: | 0_2_00413C49 | |
| Source: | Code function: | 0_2_00413464 | |
| Source: | Code function: | 0_2_00421D42 | |
| Source: | Code function: | 0_2_03679AC7 | |
| Source: | Code function: | 0_2_03674977 | |
| Source: | Code function: | 0_2_036836CB | |
| Source: | Process created: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_01B2F826 | |
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Command line argument: | 0_2_00404710 | |
| Source: | Command line argument: | 0_2_03674977 | |
| Source: | Command line argument: | 0_2_03674977 | |
| Source: | Command line argument: | 0_2_03674977 | |
| Source: | Static PE information: | ||
| Source: | WMI Queries: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File read: | ||
| Source: | File read: | ||
| Source: | File read: | ||
| Source: | File read: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
Data Obfuscation | |
|---|
| Source: | Unpacked PE file: | ||
| Source: | Unpacked PE file: | ||
| Source: | Code function: | 0_2_0041004B | |
| Source: | Code function: | 0_2_00408591 | |
| Source: | Code function: | 0_2_01B32924 | |
| Source: | Code function: | 0_2_01B328C8 | |
| Source: | Code function: | 0_2_01B3530A | |
| Source: | Code function: | 0_2_01B31A1F | |
| Source: | Code function: | 0_2_01B33E5B | |
| Source: | Code function: | 0_2_01B305B9 | |
| Source: | Code function: | 0_2_01B3460A | |
| Source: | Code function: | 0_2_01B33E5B | |
| Source: | Code function: | 0_2_01B3460A | |
| Source: | Code function: | 0_2_01B305DD | |
| Source: | Code function: | 0_2_01B32800 | |
| Source: | Code function: | 0_2_01B32FDE | |
| Source: | Code function: | 0_2_01B31F32 | |
| Source: | Code function: | 0_2_01B33708 | |
| Source: | Code function: | 0_2_01B33E5B | |
| Source: | Code function: | 0_2_01B33E5B | |
| Source: | Code function: | 0_2_01B3460A | |
| Source: | Code function: | 0_2_01B33E5B | |
| Source: | Code function: | 0_2_01B33E5B | |
| Source: | Code function: | 0_2_03684217 | |
| Source: | Code function: | 0_2_036802B2 | |
| Source: | Code function: | 0_2_0368480E | |
| Source: | Code function: | 0_2_0368C709 | |
| Source: | Code function: | 0_2_036787F8 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | API coverage: | ||
| Source: | Thread sleep time: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Last function: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_0040C17B | |
| Source: | Code function: | 0_2_00411192 | |
| Source: | Code function: | 0_2_0040C681 | |
| Source: | Code function: | 0_2_01B2F103 | |
| Source: | Code function: | 0_2_036813F9 | |
| Source: | Code function: | 0_2_0367092B | |
| Source: | Code function: | 0_2_0367C8E8 | |
| Source: | Code function: | 0_2_03670D90 | |
| Source: | Code function: | 0_2_00416A7C | |
| Source: | Process token adjusted: | ||
| Source: | Code function: | 0_2_00408809 | |
| Source: | Code function: | 0_2_0040C17B | |
| Source: | Code function: | 0_2_00407C96 | |
| Source: | Code function: | 0_2_00408675 | |
| Source: | Code function: | 0_2_0367C3E2 | |
| Source: | Code function: | 0_2_03678A70 | |
| Source: | Code function: | 0_2_036788DC | |
| Source: | Code function: | 0_2_03677EFD | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | ||
| Source: | Code function: | 0_2_00408873 | |
| Source: | Code function: | 0_2_0041897A | |
| Source: | Code function: | 0_2_0041892F | |
| Source: | Code function: | 0_2_00418A15 | |
| Source: | Code function: | 0_2_00418AA0 | |
| Source: | Code function: | 0_2_004112A2 | |
| Source: | Code function: | 0_2_00418CF3 | |
| Source: | Code function: | 0_2_00418E19 | |
| Source: | Code function: | 0_2_00418F1F | |
| Source: | Code function: | 0_2_004117C4 | |
| Source: | Code function: | 0_2_00418FEE | |
| Source: | Code function: | 0_2_03688BE1 | |
| Source: | Code function: | 0_2_03688B96 | |
| Source: | Code function: | 0_2_03689255 | |
| Source: | Code function: | 0_2_03681A2B | |
| Source: | Code function: | 0_2_03689186 | |
| Source: | Code function: | 0_2_03689080 | |
| Source: | Code function: | 0_2_03688F5A | |
| Source: | Code function: | 0_2_03681509 | |
| Source: | Code function: | 0_2_03688D07 | |
| Source: | Code function: | 0_2_03688C7C | |
| Source: | Code function: | 0_2_0040CA21 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 21 Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 11 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 51 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 3 Virtualization/Sandbox Evasion | Security Account Manager | 3 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Software Packing | DCSync | 43 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira | HEUR/AGEN.1361904 | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No contacted domains info
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true | unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 185.172.128.90 | unknown | Russian Federation | 50916 | NADYMSS-ASRU | true |
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1428958 |
| Start date and time: | 2024-04-19 22:35:07 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 39s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 26 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | 97NT8DO3JB.exerenamed because original name is a hash value |
| Original Sample Name: | 3415aaebe725006cfa66320863c1bb8a.exe |
| Detection: | MAL |
| Classification: | mal100.troj.evad.winEXE@15/39@0/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 13.85.23.86, 20.189.173.20, 13.85.23.206, 20.3.187.198
- Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtCreateKey calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: 97NT8DO3JB.exe
| Time | Type | Description |
|---|---|---|
| 22:36:13 | API Interceptor | |
| 22:36:14 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 185.172.128.90 | Get hash | malicious | GCleaner | Browse |
| |
| Get hash | malicious | GCleaner | Browse |
| ||
| Get hash | malicious | Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT | Browse |
| ||
| Get hash | malicious | Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT | Browse |
| ||
| Get hash | malicious | Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT | Browse |
| ||
| Get hash | malicious | GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer | Browse |
| ||
| Get hash | malicious | Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT | Browse |
| ||
| Get hash | malicious | GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer | Browse |
| ||
| Get hash | malicious | Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT | Browse |
| ||
| Get hash | malicious | GCleaner | Browse |
|
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| NADYMSS-ASRU | Get hash | malicious | GCleaner | Browse |
| |
| Get hash | malicious | GCleaner | Browse |
| ||
| Get hash | malicious | LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer | Browse |
| ||
| Get hash | malicious | Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT | Browse |
| ||
| Get hash | malicious | Mars Stealer, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | Mars Stealer, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | Glupteba, PureLog Stealer, zgRAT | Browse |
| ||
| Get hash | malicious | Mars Stealer, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | Mars Stealer, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | Mars Stealer, Stealc, Vidar | Browse |
|
⊘No context
⊘No context
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_97NT8DO3JB.exe_504654aafbb45967f4acb4ca8e5b93132f2f_1bd0a4a3_1630c49f-2354-49a2-9ab8-dc030df3b2ee\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.9348969705804512 |
| Encrypted: | false |
| SSDEEP: | 96:/VWQ+sJhq7oA7RT6tQXIDcQnc6rCcEhcw3rD+HbHg/8BRTf3o8Fa99Oy4H9nFED/:NR+/X056r4jlQjzuiFyZ24IO8qaZ |
| MD5: | 035D76EAD663BDE83E4CEDA1AD113D56 |
| SHA1: | 5CDF35C30769BA1E2410B1FF6E1B1413EBE6A3A1 |
| SHA-256: | 86937FBACADFFAB5A88B77FED8493CB774CA2C6E0B52DD86C78FD4CD63FC159D |
| SHA-512: | 795A9A945A85A0A135CEC6304D33CAE72ABEC9B1C3322D43476CFDF2C5D40F15D28EF0FF63AC929471F6B4C12F89E70C8AEBDC81F99B8C84CD7DD74D9CE57CC2 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_97NT8DO3JB.exe_504654aafbb45967f4acb4ca8e5b93132f2f_1bd0a4a3_3a48af57-569b-4ab4-b9ea-256268bf1ad0\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.838076749570067 |
| Encrypted: | false |
| SSDEEP: | 96:rZbUsJhq7oA7RT6tQXIDcQnc6rCcEhcw3rD+HbHg/8BRTf3o8Fa99Oy4H9nFEDKI:VbU/X056r4jlGzuiFyZ24IO8qaZ |
| MD5: | C2C80305F024831DA86240EA4ACA1226 |
| SHA1: | 00C393BF8B9B15165E378BBC5D1BDD5C82865F84 |
| SHA-256: | 2F780FA577C9C6645FE124641FCE0DEBFF91C1F3B3DC708E3410B288FBB6987A |
| SHA-512: | 145D841D72547375CE605C927C34BA79FA24AA85667F98591EF940C87CE572C802DEA2312DB58474405EB6D891A9A7FFAC0C75ED9962CC46C621EFCB4A567290 |
| Malicious: | false |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_97NT8DO3JB.exe_504654aafbb45967f4acb4ca8e5b93132f2f_1bd0a4a3_5c38cd1d-3bce-4550-bdcf-bb046d0ffe19\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.837800102979353 |
| Encrypted: | false |
| SSDEEP: | 96:MSwqsJhq7oA7RT6tQXIDcQnc6rCcEhcw3rD+HbHg/8BRTf3o8Fa99Oy4H9nFEDKI:Aq/X056r4jlGzuiFyZ24IO8qaZ |
| MD5: | 600C06EF771DBEBF3ED0C34EAB3E6770 |
| SHA1: | 5932D3C9F1F69A22D1A922BBF047D7E0ADD33AE3 |
| SHA-256: | 6E8513ADC1590662798AAFFC70C67159269B458AE5F3789EA8217EC5D5944469 |
| SHA-512: | 53F2F98A9005B64D1D42342DF7BCEFFE53886EB4259A61B7B0D4519AC77A45CD765FED3A6F0A5C9B4BD2F4B7CB95863E41A9025149D3859F43081A64AC97B800 |
| Malicious: | false |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_97NT8DO3JB.exe_504654aafbb45967f4acb4ca8e5b93132f2f_1bd0a4a3_8fd0dd96-51df-4555-aa5e-8b9425c46166\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.8533329825053435 |
| Encrypted: | false |
| SSDEEP: | 96:WnJsJhq7oA7RT6tQXIDcQnc6rCcEhcw3rD+HbHg/8BRTf3o8Fa99Oy4H9nFEDKVQ:GJ/X056r4jlszuiFyZ24IO8qaZ |
| MD5: | 5E20AFC5000113B238A8E5223EAC480E |
| SHA1: | 9ACA9B44AE204A6F69E03CF2A10A687CA48951DE |
| SHA-256: | BA773C1A4EFBA5EA4B5045FA17B360C1ED7ECA82CE841C86549F45047FECB91A |
| SHA-512: | 9905407E2DB101015832CACFFE08089E15AE97B0573AEC97ADE389CC5CC6884464E5EC9A0E40B2665F6B82A4929B0089D3528388E83CE27E70AC1A5C9646E252 |
| Malicious: | false |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_97NT8DO3JB.exe_504654aafbb45967f4acb4ca8e5b93132f2f_1bd0a4a3_acc9e967-ff41-4224-90bc-0f98e5eb772f\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.8536184171996241 |
| Encrypted: | false |
| SSDEEP: | 96:6Zp6sJhq7oA7RT6tQXIDcQnc6rCcEhcw3rD+HbHg/8BRTf3o8Fa99Oy4H9nFEDKW:ip6/X056r4jlszuiFyZ24IO8qaZ |
| MD5: | 135A69AB7E22A4E0AB9C3C9CD94DC7AC |
| SHA1: | 2004A6ED569F7C8AA204BF8B7FD909880C37C7AF |
| SHA-256: | E4F4DFC13AE1A3587A2ABF86779B4D04C44EDA0945C81846EA24FEFE421AAA36 |
| SHA-512: | B010F968FE868A08FDC14C6648215D9CD1A829D05ADB6BFE56863EA1F8A89BD7D91C6C7047F50535595A9A0AF2791FEED71E807BE37EF8FD20A4FB3F42519ABD |
| Malicious: | false |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_97NT8DO3JB.exe_504654aafbb45967f4acb4ca8e5b93132f2f_1bd0a4a3_cdb61ca0-0229-40fc-b9c9-8fe9029a2de5\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.8379341897745287 |
| Encrypted: | false |
| SSDEEP: | 96:h0rThWsJhq7oA7RT6tQXIDcQnc6rCcEhcw3rD+HbHg/8BRTf3o8Fa99Oy4H9nFE7:inhW/X056r4jlGzuiFyZ24IO8qaZ |
| MD5: | F9A5C4E8681FB2C6AF4A0329EA1A04DD |
| SHA1: | 8F881ACADA39921F103DEBC0435D3B3334AD7834 |
| SHA-256: | F911D2D4FB66FA54031FDBFB6805ACB001EB0117FA564504CA9D3C3322F49A6C |
| SHA-512: | 5286FC98761BD588E07953A27B5D0988B786B91F8E2B04AF46BFA706D3ADA37519B9DBC84470174A7404AA15510743680F58C6CDF354377E559F033BB63A271A |
| Malicious: | false |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_97NT8DO3JB.exe_504654aafbb45967f4acb4ca8e5b93132f2f_1bd0a4a3_ef6f7bd1-c393-4e57-b46f-a509222f2e19\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.8379608512476548 |
| Encrypted: | false |
| SSDEEP: | 96:xL3DJsJhq7oA7RT6tQXIDcQnc6rCcEhcw3rD+HbHg/8BRTf3o8Fa99Oy4H9nFEDn:JJ/X056r4jlGzuiFyZ24IO8qaZ |
| MD5: | 64A14072E6166B21D50E4B0B3BB0A464 |
| SHA1: | F6F7B68EC27E9DE4B852E84CB8C9E4788CDB5865 |
| SHA-256: | 5602771EF574D5577CD5AE3D641500C544395C0E5B7283AB3D08AA55547FB84D |
| SHA-512: | 0D868E410712A47010D22A4CE059C1FA757BD4DB3E396488CA90166E45FD21A0DCA6B4950C444FD93FE441F81847A32041DC62BE156DE5298739DF3535D07E7A |
| Malicious: | false |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_97NT8DO3JB.exe_6be156e7f6408b6a57b6e7c3a2ce735a1cd81ea8_1bd0a4a3_0ed49d18-13ae-42ea-852a-2af280a287d7\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.9993532650240066 |
| Encrypted: | false |
| SSDEEP: | 192:K35Wx/2O0QC+g5VLjlQQedzuiFyZ24IO83aZ:Dx/21QC+g5VLjwzuiFyY4IO83a |
| MD5: | 2126C7EA78C422FFC343731ED386C7E8 |
| SHA1: | 1189A10E8E9CF6AB1ED9C5983F7A7078D6128E33 |
| SHA-256: | 279A99D6EF2175E276C6EC697E271AB5666F7903D6DD3DB1763EFEE8DFA11A1F |
| SHA-512: | 83761C8BF26C70F9627F27D5027D7E7590FE7D23A044C52F5D21F7C55E45973A048E9C08B4553AC6137CF1A86E0AC1BC181BD3C3AD08886689B5FB50B4DA61B1 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 63042 |
| Entropy (8bit): | 2.179482889297243 |
| Encrypted: | false |
| SSDEEP: | 384:SLYhd/Gz1rs5xNfYCht64fb8sZiXwZGv9tNX7Eb8t85:SUfuzZANf6kb1iXwZGv9teX |
| MD5: | BEAB51F5B069DA9179DA894B48E3A1B8 |
| SHA1: | CBC1BEC6B7FA4D27B128202685FD72EED40D62DD |
| SHA-256: | 9B6D53B13D9BA5FC89DB6F5018782FA7299B60A903E0C92A947A206A533C0763 |
| SHA-512: | AEDB37AFCE4E513E403E82FABFCB52FAF551D5B36EC6FBD607E4C9EC19A6061D2696A2DC7C349CBA23045AAB87E9C70E792673179BD513DB8D0DF79B7F23096D |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8422 |
| Entropy (8bit): | 3.701296333134444 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJR/6I7+De6Y9cSUl7gmfb9pB089bvvsfQTFm:R6lXJZ6I776YGSUl7gmfbDvUfQs |
| MD5: | EB2A47F8A5E5B9201D7CE2223AA8B0EE |
| SHA1: | 678A8118200B565A4A42F8B8C35802DDDEDDCC29 |
| SHA-256: | F66A7A0CF55D73B4B7F914E598C6EAE2065883C12BF7EACEF27EAB9A7E126607 |
| SHA-512: | 7F6054F7A4CCDB1AD38590095FAB1329C60EE3A18A6FCF389BE8B6A38028D40A280ED6B16C740415BD2BC59D35F097162AC93AD8FEE8387FED18C8D0F2EE4095 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4720 |
| Entropy (8bit): | 4.497921325789048 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zs8Jg77aI9TiZWpW8VYgYm8M4JmvgJF3+q8vZgEMdtd:uIjf6I7Uo7VcJ7KDMdtd |
| MD5: | 256B8567313590FD979799CF3377AFEC |
| SHA1: | 8026512D359A1FC8F7B5F80CBE73F4AF0F73DD9D |
| SHA-256: | 01657161DDA39B5C9F0FAC12CA9E4A518E79CD183162908C80A580792382A5FB |
| SHA-512: | DAD11881042BF9983B6B208D50E15C761B6C1AB3100B60E60A3E2568325F853976ECB20D42EC6F8251EC3CAF4E073C0CA3F834B2EF34DD1237242B1290DD49BB |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 62934 |
| Entropy (8bit): | 2.205692407842432 |
| Encrypted: | false |
| SSDEEP: | 384:sYhd/tzm9wfYCgs1mlt64fb8sZiLwZGv9tN+rbBt5k:Xf1z2wUZ6kb1iLwZGv9tke |
| MD5: | 4A6E46C3546CCEB0AC2F4DD3835756BF |
| SHA1: | F2E947E81861A280D618A954E160E31ED4261C6F |
| SHA-256: | A7537F381951042E64B8DABA3B9FB6EF5C657174218AEC69EA0FF9E015CFE900 |
| SHA-512: | 8404EEA536ACA64A4DFEC3EE094324870429B2F89F7265F2C62493C8845A0AF694F1DEBF3F12FF38F1BAD5394E3B291AC8EE8CC81B2457BD67D381251271F326 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8422 |
| Entropy (8bit): | 3.700517173587705 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJR36I7F6Y9OSUJLgmfb9pBv89bvvsfd7Fm:R6lXJB6I7F6Y0SUJLgmfbyvUfd0 |
| MD5: | 13BBD71994F9E5B86A45AC9DA241A4EF |
| SHA1: | 56F1BFE2062D7B4708BB8FF29CFDE94708135123 |
| SHA-256: | 9BEC0009356E05A7114E9D394A1C1F521C6BFF0E8F56F50979CA161B32FC4866 |
| SHA-512: | 738139030134F4DD80AB660CEC77C867F07A0A4F120FFDF970A14807138A5C2FCDA1CFF169BA4AC88CDF1F896F1F2F2CEB9547D647883D9E7104AD372ED7AAA6 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4720 |
| Entropy (8bit): | 4.495967764947495 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zs8Jg77aI9TiZWpW8VYVHYm8M4JmvgJFGm+q8vZgEMdtd:uIjf6I7Uo7VNJ6mKDMdtd |
| MD5: | 3302B3AEF809A491F8347AFB2520634B |
| SHA1: | 46011092EEDB373C03B0EACE8912DB8EF3CBE9E5 |
| SHA-256: | 9861BC4C0885BEF7611F0B72212E03C9652E5E21B0DA604801230F7273EA6262 |
| SHA-512: | CD7296D9BAE64A1331E005063747872F9F319983245E7E9566F1FA1247D5959A2F7C3F9B754266E05371E2E6549C7731CE8BD0AA574F987C0C28FFCEA0D03592 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 72626 |
| Entropy (8bit): | 1.96689297268973 |
| Encrypted: | false |
| SSDEEP: | 384:9IgeBSTusIz6m7hCNsaiHsZiLwZGv9tNdqbTzFAFhi:9BewT9Iz6iOpiLwZGv9tSVAFh |
| MD5: | A0C9BA418A370AFFB5182CECB8EE926A |
| SHA1: | 74DFD3858333E0E51E64DA563B94E67308439627 |
| SHA-256: | 66C08C1028934D700CE252D8FC72AA93D257F19F90AE65EDA72CFF7AE65663AF |
| SHA-512: | ADF897061731E64412A19FB52835789551C4BC6559BC526CB13EC72501F7ED3D887D61F22DD1FFE7DA1B9BC607622C2529C98659240CDDC2AADA1A5D2F9D3D8A |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8424 |
| Entropy (8bit): | 3.7002567570843024 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJRt6IYiY6Y9qSU1SaMgmfb9pBRC89bmvsfHCm:R6lXJb6IYV6YgSUspgmfbr7mUfz |
| MD5: | C8EC941A965240067D2C85C6BBE715EC |
| SHA1: | 4D971AD7950508F5A5A9B9A13356AD5604376EB9 |
| SHA-256: | B6B0829197BCD252F352FB1DBADD4311B7A1E18976C7BA48B266CDCDF688BF52 |
| SHA-512: | DE43D4815999BB5F4D4EE3C14D52AA5497FEE698B07EAA6425DC6918F1B6C75FCC797E929B6B1C0C1D76F95652E6085366E21538CCBCF0BAE8F7E472589CE501 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4720 |
| Entropy (8bit): | 4.498803148095946 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zs8Jg77aI9TiZWpW8VY9Ym8M4JmvgJF5+q8vZgEMdtd:uIjf6I7Uo7VpJdKDMdtd |
| MD5: | D0E59A761018F4F7825E019B0131B5F5 |
| SHA1: | E2FB86731AF2512AD95A4C4A5B53601109FBFB85 |
| SHA-256: | E9C45C745EB17BEB8B98E823A4F6BD6C947CF629F8E5AA842E82B98D4DC80FFE |
| SHA-512: | 9842A82C55A3789896F2D9ADB8073E766869E4E106F9F0FAFE70DB3AB19E83D1DC2A27A6D84BA3592A53BE054496DC2061B4B68F6E1987DF8A94F521B34B4728 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 72182 |
| Entropy (8bit): | 1.977518764563967 |
| Encrypted: | false |
| SSDEEP: | 384:7geBSTC2pzWn73sC8CL7sZiLwZGv9tNdJbg2Qbi:MewTC2pzW73wiLwZGv9tREu |
| MD5: | CC820A1056EE9DF22DC2B2D9EEBDED2C |
| SHA1: | DBD61611195136A09BBDADDFADCE44CB0FE9B377 |
| SHA-256: | 2376300C9D58A1A96E122B56FEF4AE0C16966C58FEC8067DDB63B86EEE288921 |
| SHA-512: | 803708667B69F4088876ADB31B123DCDCEECD0001C4438ECD09F2F33E42C4AB2CEDE400A59243522B1E19130B709AC9EEBBFF96EC1034C4CFA06F3A2C14D074C |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8424 |
| Entropy (8bit): | 3.69953998339207 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJRz6IYAgY6Y9flSU+Cagmfb9pBa89b9vsfJfm:R6lXJF6IYi6YllSUFagmfbR9UfM |
| MD5: | 2209485B54F925EE1D2FEDB7F7BFE9CF |
| SHA1: | B411E629E1171B59AD9CEBC3D76E46E70529C6F3 |
| SHA-256: | E26EF78D10D74175C57DFA8ECD20A459FF1931A2A2C8B24B8D93E87208572587 |
| SHA-512: | EFD97C1387CB9A1813FE63166BBA644C0D4DC747BDF7C9F44BE941AD48972D68858F7ECD0C3B438262FF1DE7FE4C611EBFF17A5A691DADC8DBC633F22ADCA044 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4720 |
| Entropy (8bit): | 4.496981466706677 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zs8Jg77aI9TiZWpW8VY8Ym8M4JmvgJFu7G+q8vZgEMdtd:uIjf6I7Uo7VEJrKDMdtd |
| MD5: | EF7B059815C212FAF89444FE7EC3DF55 |
| SHA1: | E9114C1FCE841B41651EA040A37051AA596BFE67 |
| SHA-256: | ABD9BBD3FC46D7B0F65BF3AA436A186B4380269F5804D2ED783C61BF59CF2ACB |
| SHA-512: | 9881BD5A8D0F7C554F726530C7152D130417761C161E3BBB60EB62E356C2CA8476C0E16CC2F27D79D537F011421C3E735955598358792765A4D9D5628BB7CB8A |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 79226 |
| Entropy (8bit): | 1.9443747809616283 |
| Encrypted: | false |
| SSDEEP: | 384:LiJozf1Az78LsGUTMCoCxLwZGv9tNdkbHeDdZiUnK:cif1Az7uMT1LwZGv9tIAwA |
| MD5: | 4414C3FB3227B3739C7D344A51582862 |
| SHA1: | 0F80C0F2914E6D80A88D3C0E054F490564E2029A |
| SHA-256: | A3F5CF042FB94D7FCFA315E9218A81457899C1AF8CE5FD1BBD3D12DCBE41395F |
| SHA-512: | D8105F4608F188060429D36245639B19550D9D9DED0C216FE003FBC32014857253EC9BEC60439A5DA18936D67278BA2F48C712275C8CD57D8D75AB44EED10E42 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8424 |
| Entropy (8bit): | 3.702545806150804 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJRo6I7f6Y93SU+Ougmfb9pBM89b9vsf0yfm:R6lXJe6I7f6Y9SUxugmfbL9Uf2 |
| MD5: | DF6525B60E45DF0290330CAC3EACAD8D |
| SHA1: | 2F6761E0A543A46263A0C3458A743DADFFA0E419 |
| SHA-256: | 2045D00BE9805BF895557F433487616326080C6CE9791AAFF4D27F3A0E72CC68 |
| SHA-512: | 68F1EBD9C37D43008B93E4762BDABD2DAAAE5B7A8B78AC716C7013B5F2442485D3BF997629934B12C9DB7759E6870E791BB4E6DE39274735379256274592A790 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4720 |
| Entropy (8bit): | 4.499719271758813 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zs8Jg77aI9TiZWpW8VYxYm8M4JmvgJF9+q8vZgEMdtd:uIjf6I7Uo7VBJ5KDMdtd |
| MD5: | 213886DE21F1EC080C52E83C618F477E |
| SHA1: | 528CEACF927C20389EBB39A07911512055BE0C75 |
| SHA-256: | 9AC4E0182D16DB44C21EAA9C3C1F3388EAA15F697576BADE5C9AF7EB5D0F5016 |
| SHA-512: | 27621368E820CE95D44CF631B51E785B4EB6A6337A4591611F0FEFF9543A739437EC5FB696C59D33F115F3C17851C3BD6D38A93F4BE13E107A421A52A561F21D |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 87836 |
| Entropy (8bit): | 1.9479653214456283 |
| Encrypted: | false |
| SSDEEP: | 384:UUf9u7DMz+A8lOqo0AMCD4sQQXxLwZGv9tNd2bJaf3mZqzGEG:pu3MzHqlAc2LwZGv9te4fmE |
| MD5: | 766F5A9227BC924B351B63FCF39CA8B5 |
| SHA1: | DA5E563C2DD1B9A68F60E01403BBE7A8CBA9B3B3 |
| SHA-256: | 50708A508A8EC486A9D0291EAC6B8136D3EA07A922CA16B096D2DACA65971EF4 |
| SHA-512: | 8A4CAC019D44DF93D308A2F99208FB5FBFFAAE604448F98462E69190BBD00A4A83945E3B6CD123F4D2F31195679331E40A3DEA24A40FF08686F1AE44AD057EEC |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8424 |
| Entropy (8bit): | 3.7025389537116156 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJRH6IFM6Y90SU+Ougmfb9pBa89b0vsfBcm:R6lXJx6IFM6Y+SUxugmfbR0Ufv |
| MD5: | 74119FC89F5CF4F9C7076EBE7A33EDA1 |
| SHA1: | 7F255AD8666B9950AD800EF628182CA7B74769B0 |
| SHA-256: | E723C1D859EC51920CCAEA3A01C0BC505F136979E6BA3800DEE01C839D2E3E61 |
| SHA-512: | 363E81EC78C1617C39ED657D2F46B6DEACDB19B5741B3594F36E4D2EA6651E808117EA4BBE56F01FF8C642172AE309D150B537FBC63C2A51617F1811292A73BC |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4720 |
| Entropy (8bit): | 4.499065197313322 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zs8Jg77aI9TiZWpW8VYqYm8M4JmvgJFUq+q8vZgEMdtd:uIjf6I7Uo7V+JQqKDMdtd |
| MD5: | 1A1C42B06A908575B726E0021E569ECE |
| SHA1: | 6EC5E78F2A5FF5DDD0F4F2E0CA2C9CAD84D0A767 |
| SHA-256: | 214FCA09C032E57142F943CF956AC73D0104EEF3107DC2F9530BA3E057D560C7 |
| SHA-512: | 9FBFC9A78E75DEE7BB346FE6DC78E47526C78AC29AD26E9AF7EF94FAF47B13C1EDBA17462334537ADA62206EA772584BBBB39050460CFC1643BB5030393CB804 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 102806 |
| Entropy (8bit): | 2.132224330218717 |
| Encrypted: | false |
| SSDEEP: | 768:ZIP6mFztlAqiUyY8m4G2kLwwmv9t6Ezw:CrAqbyY8m4GQFkEzw |
| MD5: | 866AA522636C818AE2CB2A8FADBFEC51 |
| SHA1: | B363CCE45DF8333639C746DF74567367AB35F07E |
| SHA-256: | E80417E8FED8F3250B3CCF873A6BDF4C054F01FA9BB7A96D65D92E006CD3E0C9 |
| SHA-512: | 01AB821DB34152BAA4B0C6599BC6C15EABBAD0202F646D880C0CEBA212E1A6F8EF0A9582631DA4BEA18724F7BE096A2408EB27DA7CF6D403D3351E21D4156E0F |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8424 |
| Entropy (8bit): | 3.7021033342648515 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJRE606Y9nSU+Oigmfb9pBRC89b6vsfROem:R6lXJy606YtSUxigmfbr76UfE |
| MD5: | 8258AE798D1586299A1298CB94E4F7C9 |
| SHA1: | 272DD6187908911BFCC19788B002A32852BF033D |
| SHA-256: | A6C5CEFAC42357DF0F5942738A59FD6A3F7F978E6A367E9DD4AB909852DEAC8C |
| SHA-512: | AFAA51F0F258E23505D0E65856EDFC982FD048FE8D21B4B2694E83C03EC7303B228E5D1680B78F8AF374E16F8E46B7314CA32CBB8011E13D5F03658FCF0B51AF |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4720 |
| Entropy (8bit): | 4.5004787617362885 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zs8Jg77aI9TiZWpW8VYaYm8M4JmvgJFI+q8vZgEMdtd:uIjf6I7Uo7V+J8KDMdtd |
| MD5: | 5FF5BCD084A3719B3F7A1098557FE819 |
| SHA1: | 011DE3515A49FA48FD0DEB2910CF6518418B3A5E |
| SHA-256: | FF6ED739F72C3924592296909C3854D45C9299BE2B73EE0268ACD2F9CFF00FD2 |
| SHA-512: | 41A5B31BABF0655EDF15697DE708417AFC54D40B9113B72CEC4E780E733A2965DDA32AE45726BADB6AF43D775A7F317A74B85AD0775AA1AF3B59BAC3BA5258EC |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 46270 |
| Entropy (8bit): | 2.6218383726358687 |
| Encrypted: | false |
| SSDEEP: | 384:G+BM+xMz8T/Y05wwyn9tNQ/O5hMWS//Iaa0Xx:frxMz8bY05wwyn9t2QObB |
| MD5: | CFE0803A8C5F3877AC6FD7B40E03B761 |
| SHA1: | A3A72B5DB1CC68445A77BED8FDAB0F57F902F7F3 |
| SHA-256: | 3FEED9E58276EAE0B79F4134F1D15E379DE04F60817EE8EB54BCC358048D463E |
| SHA-512: | 41CCEE30656FBBA292B86612E3C6221DD886AD88897C6F59EBDCA1CB1320B05E1AF4440BDAFA96917D16A706A3395AF57F226968611C13891C53C13BC6E21365 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8322 |
| Entropy (8bit): | 3.6958134490654766 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJRA6fm56Y94SU7ZrgmfbRTpDT89bNvsfrSvm:R6lXJ26+56YiSUNrgmfbRSNUff |
| MD5: | 097F312D665C6EC0C6A49928A8A62E08 |
| SHA1: | 96EF7170D07771DAA1222BE161F643FE4E37E767 |
| SHA-256: | 7BCDA41F119B2C0A58EE471F8F0E8DE1ECA517EB7E8B018F40E23B532BDED9E3 |
| SHA-512: | B1CC74A4B207173E2231DD7531D925CFEB8814FC0919D8766B444EB2EC4D4858BF061F49FE284499739286EA301033C884BAE2BE71E7366F3704C16A4AC5E6D6 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4579 |
| Entropy (8bit): | 4.4801595545485595 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zs8Jg77aI9TiZWpW8VY+Ym8M4JmvgZ5FD+q8Ns12Mdtd:uIjf6I7Uo7VOJBsMdtd |
| MD5: | 820B0BFABB1F4E6F1D86247DF76C4449 |
| SHA1: | 8D6D3EE9200E2529E905C068085D5277E266D879 |
| SHA-256: | 1562B6959781E5F776E2DF754070CD9F30F3845C84AD5E9C4407EAE5A1D4BE3B |
| SHA-512: | CC447E0E2C0DA99DA88F42FFCE7EB3D27533133B41CCF01B976017E3B16143FFB8D5BC884AD33A024601C39542A1ED3ED2A05AD404FD25AEFCC394C20A0E4B2E |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\97NT8DO3JB.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1 |
| Entropy (8bit): | 0.0 |
| Encrypted: | false |
| SSDEEP: | 3:V:V |
| MD5: | CFCD208495D565EF66E7DFF9F98764DA |
| SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
| SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
| SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\SIHClient.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 12288 |
| Entropy (8bit): | 3.1738926569439885 |
| Encrypted: | false |
| SSDEEP: | 96:Fh1IbH45Dw75+ywGsrWdoxDYx2g9Ic3kZrBYcbIaSJlcBE6JLTGwU06Ux:Fhk45Dm5jDvoZ+JacWB7bHimE6E26Ux |
| MD5: | 578555AAFDA6FBE2C76A31EF4C5D03E3 |
| SHA1: | 336A957671E9FE1297776E8E8EC3942DB56397B9 |
| SHA-256: | 65E0F9E24053567A949F627DA34164DB1F2C13034A85DAC4DE2FBBFBA5BA603F |
| SHA-512: | 7B416966BA04FEE3A6BAC7C53D0FC6ABE60037B1A8F1FE12B8E8601D34E0BFCE58D0D6DC98F52B35E862E05854B47B84A32C0896C4A12CE500D9EE93BF9E8F38 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\SIHClient.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 17126 |
| Entropy (8bit): | 7.3117215578334935 |
| Encrypted: | false |
| SSDEEP: | 192:D5X8WyNHDHFzqDHt8AxL5TKG+tJSdqnajapCNjFZYECUqY7oX9qhnJSdqnaja2Sl:qDlsHq4ThPdlmY9CUiqOdlm2W |
| MD5: | 1B6460EE0273E97C251F7A67F49ACDB4 |
| SHA1: | 4A3FDFBB1865C3DAED996BDB5C634AA5164ABBB8 |
| SHA-256: | 3158032BAC1A6D278CCC2B7D91E2FBC9F01BEABF9C75D500A7F161E69F2C5F4A |
| SHA-512: | 3D256D8AC917C6733BAB7CC4537A17D37810EFD690BCA0FA361CF44583476121C9BCCCD9C53994AE05E9F9DFF94FFAD1BB30C0F7AFF6DF68F73411703E3DF88A |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\SIHClient.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 24490 |
| Entropy (8bit): | 7.629144636744632 |
| Encrypted: | false |
| SSDEEP: | 384:iarwQcY8StpA7IQ6GCq30XPSIleI7lzCuqvfiSIleIx:iartHA7PCFP66Tqvfi6c |
| MD5: | ACD24F781C0C8F48A0BD86A0E9F2A154 |
| SHA1: | 93B2F4FBF96D15BE0766181AFACDB9FD9DD1B323 |
| SHA-256: | 5C0A296B3574D170D69C90B092611646FE8991B8D103D412499DBE7BFDCCCC49 |
| SHA-512: | 7B1D821CF1210947344FCF0F9C4927B42271669015DEA1C179B2BEAD9025941138C139C22C068CBD7219B853C80FA01A04E26790D8D76A38FB8BEBE20E0A2A4A |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\SIHClient.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 17395 |
| Entropy (8bit): | 7.297808060361236 |
| Encrypted: | false |
| SSDEEP: | 192:Y++BFO7SCP3yalzqDHt8Axz5GIqMvus/qnajBMWj6AkKFZYECUqY7S8Zuo1nqnaC:lCksHqzj0l9P6AnCUTZZl9lRo |
| MD5: | E97660B7AB6838D0D96B5C6BB4328753 |
| SHA1: | AA104E62A8166E23D89C4769EC382EF345299D28 |
| SHA-256: | 2BA13EB8A2705B01E54067B2A4FFC17CA2EB376EE3F3BA8D9C5FACE8C5AC1279 |
| SHA-512: | E867FE411239AD8EB66342C9522D48DBC9BB872210CD14B4C734661C4966AEC8CF022C510284B70736049E1F98C4EDA18651C7F7A3B7F6E1DEF782F4F89E8FB2 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\SIHClient.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 25457 |
| Entropy (8bit): | 7.655665945183416 |
| Encrypted: | false |
| SSDEEP: | 384:i9eD3oXHzqAAteICxU2L/l/dVCmMMx2GCq3fQkclmIO+WccCuqvXolUjx2:3AhAteHq2L/l/dkMxjCgF+WcmqvS |
| MD5: | 9D27F0ECE5019003D4415EB80973B81A |
| SHA1: | 39C19D8842C0201FD203F6D1EA79CEBD2E880970 |
| SHA-256: | 331D51A091FFA84C2959F2A5971EEC6EC976F00B84473E4861D72CBED4C97203 |
| SHA-512: | 8DF4CBDF4248743F50DFB41B0E6CC94C61227505288B23742EA0E9C86A8FA71D2AA84621D094D867C91BA4B551256E7FDD28ADE5ABA6C23F68CD80A4768922E1 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1835008 |
| Entropy (8bit): | 4.465449364410048 |
| Encrypted: | false |
| SSDEEP: | 6144:GIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNcdwBCswSbH:rXD94+WlLZMM6YFHW+H |
| MD5: | 5DED8E3757584F70B5129008A82946B0 |
| SHA1: | 51E5EA1BD45BC384BB7B8327FAB71BB42EF3A424 |
| SHA-256: | 89871949A5FA33A366FC2FA35CC1255D844D58852A13C2E2B47B5AF035E5EF37 |
| SHA-512: | 8C465C1E58144EB9BE00E63F494A47AADA825042A2CD94C4F3476AD8416EA7EA24CB1DCB9A77277E6981435E2D38F2B75CA8E2610755178938C2B99CCD118234 |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.51095950250924 |
| TrID: |
|
| File name: | 97NT8DO3JB.exe |
| File size: | 388'096 bytes |
| MD5: | 3415aaebe725006cfa66320863c1bb8a |
| SHA1: | 37cb513d1f01f9ec819b62ca8ff1b591ae4c8669 |
| SHA256: | ee36bc6d088eefecf233a4592027abfe4934fdd240afd39dc654da60e49b710c |
| SHA512: | 537dcf54adfef9facb47eb7b57e37aa8d530abe07c9097466ba4acb3e2723d6349973e1c9aea0ce54ac0dffd72de4c4c3e43f2dee8897b5adfc14ec8b2e96385 |
| SSDEEP: | 6144:/M2FZoaWs0RraGCf9yqWK+a6m9V5wHCIvGSp:/M2j+s0RrJwW1a6m76tGS |
| TLSH: | B0845A03B2E2BC61E52247325F6DBAEC372EF8614EA56B5F2358AE1F05701B1D613721 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............G...G...G...G...G..:G...G..;G:..G..HG...G...G...GOL>G...G...G...GOL.G...GRich...G........................PE..L......e... |
 | |
| Icon Hash: | 410545494945410d |
| Entrypoint: | 0x40692b |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x650DA5AC [Fri Sep 22 14:33:16 2023 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 1 |
| File Version Major: | 5 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 1 |
| Import Hash: | 7b633a270c7c42fd79f7a13bab792dbe |
| Instruction |
|---|
| call 00007FA7C8F0E199h |
| jmp 00007FA7C8F03BF5h |
| push 00000014h |
| push 00424C40h |
| call 00007FA7C8F0B0A4h |
| call 00007FA7C8F05FE3h |
| movzx esi, ax |
| push 00000002h |
| call 00007FA7C8F0E12Ch |
| pop ecx |
| mov eax, 00005A4Dh |
| cmp word ptr [00400000h], ax |
| je 00007FA7C8F03BF6h |
| xor ebx, ebx |
| jmp 00007FA7C8F03C25h |
| mov eax, dword ptr [0040003Ch] |
| cmp dword ptr [eax+00400000h], 00004550h |
| jne 00007FA7C8F03BDDh |
| mov ecx, 0000010Bh |
| cmp word ptr [eax+00400018h], cx |
| jne 00007FA7C8F03BCFh |
| xor ebx, ebx |
| cmp dword ptr [eax+00400074h], 0Eh |
| jbe 00007FA7C8F03BFBh |
| cmp dword ptr [eax+004000E8h], ebx |
| setne bl |
| mov dword ptr [ebp-1Ch], ebx |
| call 00007FA7C8F0A97Ah |
| test eax, eax |
| jne 00007FA7C8F03BFAh |
| push 0000001Ch |
| call 00007FA7C8F03CD1h |
| pop ecx |
| call 00007FA7C8F0A16Eh |
| test eax, eax |
| jne 00007FA7C8F03BFAh |
| push 00000010h |
| call 00007FA7C8F03CC0h |
| pop ecx |
| call 00007FA7C8F0E1A5h |
| and dword ptr [ebp-04h], 00000000h |
| call 00007FA7C8F0D34Bh |
| test eax, eax |
| jns 00007FA7C8F03BFAh |
| push 0000001Bh |
| call 00007FA7C8F03CA6h |
| pop ecx |
| call dword ptr [0041B0E0h] |
| mov dword ptr [01A10A44h], eax |
| call 00007FA7C8F0E1C0h |
| mov dword ptr [004488ECh], eax |
| call 00007FA7C8F0DB63h |
| test eax, eax |
| jns 00007FA7C8F03BFAh |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x251f4 | 0x78 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1611000 | 0x17d78 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1b230 | 0x38 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x23cd8 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x23c90 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x1b000 | 0x1ac | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x1951a | 0x19600 | ea6bda6eaffcd71e3cb3b840f7f54cf4 | False | 0.5763739224137931 | data | 6.682046055999516 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x1b000 | 0xabf4 | 0xac00 | 0d1b4c63d26089c531a5da1016d15edb | False | 0.43518350290697677 | data | 5.094850793149334 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x26000 | 0x15eaa48 | 0x22800 | be618370f12683f44e27b8c45c4e9934 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x1611000 | 0x17d78 | 0x17e00 | df4394e1b46f5be823c978195c4f3ac0 | False | 0.3162017342931937 | data | 4.1099711857255254 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_CURSOR | 0x1623a90 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | 0.26439232409381663 | ||
| RT_CURSOR | 0x1624938 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | 0.3686823104693141 | ||
| RT_CURSOR | 0x16251e0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | 0.49060693641618497 | ||
| RT_CURSOR | 0x1625778 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | 0.4375 | ||
| RT_CURSOR | 0x16258a8 | 0xb0 | Device independent bitmap graphic, 16 x 32 x 1, image size 0 | 0.44886363636363635 | ||
| RT_CURSOR | 0x1625980 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | 0.27238805970149255 | ||
| RT_CURSOR | 0x1626828 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | 0.375 | ||
| RT_CURSOR | 0x16270d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | 0.5057803468208093 | ||
| RT_ICON | 0x1611880 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Romanian | Romania | 0.4118663594470046 |
| RT_ICON | 0x1611f48 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Romanian | Romania | 0.1671161825726141 |
| RT_ICON | 0x16144f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Romanian | Romania | 0.21808510638297873 |
| RT_ICON | 0x1614988 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Romanian | Romania | 0.4118663594470046 |
| RT_ICON | 0x1615050 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Romanian | Romania | 0.1671161825726141 |
| RT_ICON | 0x16175f8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Romanian | Romania | 0.21808510638297873 |
| RT_ICON | 0x1617a90 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Romanian | Romania | 0.3694029850746269 |
| RT_ICON | 0x1618938 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Romanian | Romania | 0.45712996389891697 |
| RT_ICON | 0x16191e0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Romanian | Romania | 0.45910138248847926 |
| RT_ICON | 0x16198a8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Romanian | Romania | 0.44942196531791906 |
| RT_ICON | 0x1619e10 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Romanian | Romania | 0.266597510373444 |
| RT_ICON | 0x161c3b8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Romanian | Romania | 0.30558161350844276 |
| RT_ICON | 0x161d460 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Romanian | Romania | 0.35904255319148937 |
| RT_ICON | 0x161d930 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Romanian | Romania | 0.5676972281449894 |
| RT_ICON | 0x161e7d8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Romanian | Romania | 0.5464801444043321 |
| RT_ICON | 0x161f080 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Romanian | Romania | 0.6184971098265896 |
| RT_ICON | 0x161f5e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Romanian | Romania | 0.462448132780083 |
| RT_ICON | 0x1621b90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Romanian | Romania | 0.48686679174484054 |
| RT_ICON | 0x1622c38 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Romanian | Romania | 0.4954918032786885 |
| RT_ICON | 0x16235c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Romanian | Romania | 0.44769503546099293 |
| RT_STRING | 0x1627848 | 0x3f0 | data | Romanian | Romania | 0.46726190476190477 |
| RT_STRING | 0x1627c38 | 0x48a | data | Romanian | Romania | 0.45008605851979344 |
| RT_STRING | 0x16280c8 | 0x13e | data | Romanian | Romania | 0.5283018867924528 |
| RT_STRING | 0x1628208 | 0x35e | data | Romanian | Romania | 0.46867749419953597 |
| RT_STRING | 0x1628568 | 0x55e | data | Romanian | Romania | 0.44250363901018924 |
| RT_STRING | 0x1628ac8 | 0x2ac | data | Romanian | Romania | 0.4722222222222222 |
| RT_GROUP_CURSOR | 0x1625748 | 0x30 | data | 0.9375 | ||
| RT_GROUP_CURSOR | 0x1625958 | 0x22 | data | 1.0588235294117647 | ||
| RT_GROUP_CURSOR | 0x1627638 | 0x30 | data | 0.9375 | ||
| RT_GROUP_ICON | 0x1623a28 | 0x68 | data | Romanian | Romania | 0.7115384615384616 |
| RT_GROUP_ICON | 0x1614958 | 0x30 | data | Romanian | Romania | 0.9375 |
| RT_GROUP_ICON | 0x161d8c8 | 0x68 | data | Romanian | Romania | 0.7115384615384616 |
| RT_GROUP_ICON | 0x1617a60 | 0x30 | data | Romanian | Romania | 1.0 |
| RT_VERSION | 0x1627668 | 0x1e0 | data | 0.5604166666666667 |
| DLL | Import |
|---|---|
| KERNEL32.dll | GetLocaleInfoA, LocalCompact, LoadLibraryExW, ReadConsoleOutputAttribute, AddConsoleAliasW, CreateHardLinkA, GetTickCount, CreateRemoteThread, GetWindowsDirectoryA, GetVolumeInformationA, LoadLibraryW, ReadConsoleInputA, CopyFileW, ReadProcessMemory, WriteConsoleW, GetModuleFileNameW, GetCompressedFileSizeA, GetTempPathW, SetThreadLocale, GetNumaProcessorNode, SetLastError, FindVolumeMountPointClose, CreateTimerQueueTimer, SetStdHandle, SetFileAttributesA, WriteConsoleA, LocalAlloc, SetCalendarInfoW, GetExitCodeThread, AddAtomW, RemoveDirectoryW, GlobalFindAtomW, GetOEMCP, VirtualProtect, AddConsoleAliasA, CreateFileW, GetComputerNameA, FindFirstChangeNotificationW, GetLastError, GetSystemDefaultLangID, OutputDebugStringW, FlushFileBuffers, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW, EncodePointer, DecodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, HeapFree, IsProcessorFeaturePresent, GetCommandLineA, GetCPInfo, RaiseException, RtlUnwind, HeapAlloc, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetModuleHandleW, GetProcAddress, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, IsValidCodePage, GetACP, GetCurrentThreadId, IsDebuggerPresent, GetProcessHeap, ExitProcess, GetModuleHandleExW, HeapSize, GetStdHandle, GetFileType, CloseHandle, GetModuleFileNameA, WriteFile, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, ReadFile, SetFilePointerEx, GetConsoleCP, GetConsoleMode |
| USER32.dll | GetMenuItemID |
| GDI32.dll | GetCharacterPlacementW |
| ADVAPI32.dll | DeregisterEventSource |
| WINHTTP.dll | WinHttpConnect |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| Romanian | Romania |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 04/19/24-22:35:59.183264 | TCP | 2856233 | ETPRO TROJAN Win32/Unknown Loader Related Activity (GET) | 49730 | 80 | 192.168.2.4 | 185.172.128.90 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Apr 19, 2024 22:35:58.980036974 CEST | 49730 | 80 | 192.168.2.4 | 185.172.128.90 |
| Apr 19, 2024 22:35:59.182888985 CEST | 80 | 49730 | 185.172.128.90 | 192.168.2.4 |
| Apr 19, 2024 22:35:59.183034897 CEST | 49730 | 80 | 192.168.2.4 | 185.172.128.90 |
| Apr 19, 2024 22:35:59.183264017 CEST | 49730 | 80 | 192.168.2.4 | 185.172.128.90 |
| Apr 19, 2024 22:35:59.386101961 CEST | 80 | 49730 | 185.172.128.90 | 192.168.2.4 |
| Apr 19, 2024 22:36:00.628887892 CEST | 80 | 49730 | 185.172.128.90 | 192.168.2.4 |
| Apr 19, 2024 22:36:00.629064083 CEST | 49730 | 80 | 192.168.2.4 | 185.172.128.90 |
| Apr 19, 2024 22:36:06.866122961 CEST | 80 | 49730 | 185.172.128.90 | 192.168.2.4 |
| Apr 19, 2024 22:36:06.866159916 CEST | 80 | 49730 | 185.172.128.90 | 192.168.2.4 |
| Apr 19, 2024 22:36:06.866333008 CEST | 49730 | 80 | 192.168.2.4 | 185.172.128.90 |
| Apr 19, 2024 22:36:06.866333008 CEST | 49730 | 80 | 192.168.2.4 | 185.172.128.90 |
| Apr 19, 2024 22:36:06.910639048 CEST | 80 | 49730 | 185.172.128.90 | 192.168.2.4 |
| Apr 19, 2024 22:36:06.910850048 CEST | 49730 | 80 | 192.168.2.4 | 185.172.128.90 |
| Apr 19, 2024 22:36:15.832154036 CEST | 49730 | 80 | 192.168.2.4 | 185.172.128.90 |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49730 | 185.172.128.90 | 80 | 6640 | C:\Users\user\Desktop\97NT8DO3JB.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Apr 19, 2024 22:35:59.183264017 CEST | 411 | OUT | |
| Apr 19, 2024 22:36:00.628887892 CEST | 204 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 22:35:53 |
| Start date: | 19/04/2024 |
| Path: | C:\Users\user\Desktop\97NT8DO3JB.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 388'096 bytes |
| MD5 hash: | 3415AAEBE725006CFA66320863C1BB8A |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 22:35:53 |
| Start date: | 19/04/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x620000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 5 |
| Start time: | 22:35:54 |
| Start date: | 19/04/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x620000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 7 |
| Start time: | 22:35:55 |
| Start date: | 19/04/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x620000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 9 |
| Start time: | 22:35:55 |
| Start date: | 19/04/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x620000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 11 |
| Start time: | 22:35:56 |
| Start date: | 19/04/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x620000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 13 |
| Start time: | 22:35:56 |
| Start date: | 19/04/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x620000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 15 |
| Start time: | 22:35:59 |
| Start date: | 19/04/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x620000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 16 |
| Start time: | 22:36:00 |
| Start date: | 19/04/2024 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x240000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 17 |
| Start time: | 22:36:00 |
| Start date: | 19/04/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7699e0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 19 |
| Start time: | 22:36:00 |
| Start date: | 19/04/2024 |
| Path: | C:\Windows\SysWOW64\taskkill.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x2d0000 |
| File size: | 74'240 bytes |
| MD5 hash: | CA313FD7E6C2A778FFD21CFB5C1C56CD |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 20 |
| Start time: | 22:36:00 |
| Start date: | 19/04/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x620000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 22 |
| Start time: | 22:36:12 |
| Start date: | 19/04/2024 |
| Path: | C:\Windows\System32\SIHClient.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7007e0000 |
| File size: | 380'720 bytes |
| MD5 hash: | 8BE47315BF30475EEECE8E39599E9273 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 2.5% |
| Dynamic/Decrypted Code Coverage: | 7.2% |
| Signature Coverage: | 12.3% |
| Total number of Nodes: | 390 |
| Total number of Limit Nodes: | 6 |
Graph
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01B2F826 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401D70 Relevance: 28.3, APIs: 9, Strings: 7, Instructions: 311networkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0367003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00403180 Relevance: 6.1, APIs: 4, Instructions: 71COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00403280 Relevance: 4.6, APIs: 3, Instructions: 51COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03670E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01B2F4E5 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00418FEE Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 183COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03689080 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00418E19 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 036788DC Relevance: 6.1, APIs: 4, Instructions: 73COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00408675 Relevance: 6.1, APIs: 4, Instructions: 73COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03688D07 Relevance: 4.7, APIs: 3, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00418AA0 Relevance: 4.7, APIs: 3, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0367092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040CA21 Relevance: 3.0, APIs: 2, Instructions: 34timeCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00408873 Relevance: 1.6, APIs: 1, Instructions: 144COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03688F5A Relevance: 1.6, APIs: 1, Instructions: 83COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00418CF3 Relevance: 1.6, APIs: 1, Instructions: 83COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03689186 Relevance: 1.5, APIs: 1, Instructions: 45COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00418F1F Relevance: 1.5, APIs: 1, Instructions: 45COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03681509 Relevance: 1.5, APIs: 1, Instructions: 33COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004112A2 Relevance: 1.5, APIs: 1, Instructions: 33COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03678A70 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00408809 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03679AC7 Relevance: 1.3, Strings: 1, Instructions: 76COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00416A7C Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00421D42 Relevance: 1.2, Instructions: 1240COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00413C49 Relevance: .6, Instructions: 637COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00409860 Relevance: .1, Instructions: 76COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01B2F103 Relevance: .1, Instructions: 61COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03670D90 Relevance: .0, Instructions: 43COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 036813F9 Relevance: .0, Instructions: 22COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00411192 Relevance: .0, Instructions: 22COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0367D2D7 Relevance: 22.9, APIs: 15, Instructions: 357COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040D070 Relevance: 22.9, APIs: 15, Instructions: 357COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00407F24 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 51libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041701E Relevance: 18.4, APIs: 12, Instructions: 373COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0367B189 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040AF22 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03680E8F Relevance: 15.1, APIs: 10, Instructions: 69COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00410C28 Relevance: 15.1, APIs: 10, Instructions: 69COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 036876A4 Relevance: 13.7, APIs: 9, Instructions: 199COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041743D Relevance: 13.7, APIs: 9, Instructions: 199COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03671FD7 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 311networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0368690E Relevance: 12.2, APIs: 8, Instructions: 203COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004166A7 Relevance: 12.2, APIs: 8, Instructions: 203COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00407A99 Relevance: 12.2, APIs: 8, Instructions: 175COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041146B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03677D00 Relevance: 9.2, APIs: 6, Instructions: 175COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03675FD7 Relevance: 9.1, APIs: 6, Instructions: 99COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00405D70 Relevance: 9.1, APIs: 6, Instructions: 99COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040BD87 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040C6C3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041A8A9 Relevance: 7.7, APIs: 5, Instructions: 244COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004121BC Relevance: 7.7, APIs: 5, Instructions: 199COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03672E87 Relevance: 7.7, APIs: 5, Instructions: 162COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 036857E8 Relevance: 6.1, APIs: 4, Instructions: 86COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00415581 Relevance: 6.1, APIs: 4, Instructions: 86COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 036733E7 Relevance: 6.1, APIs: 4, Instructions: 71COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00408094 Relevance: 6.0, APIs: 4, Instructions: 25COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0367EAAE Relevance: 6.0, APIs: 4, Instructions: 19COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040E847 Relevance: 6.0, APIs: 4, Instructions: 19COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0367B533 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040B2CC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |