Edit tour
Windows
Analysis Report
file.exe
Overview
General Information
Detection
Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected Glupteba
Yara detected Mars stealer
Yara detected PureLog Stealer
Yara detected Stealc
Yara detected Vidar stealer
Yara detected zgRAT
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Drops script or batch files to the startup folder
Exclude list of file types from scheduled, custom, and real-time scanning
Found Tor onion address
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Modifies Group Policy settings
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Creates job files (autostart)
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries keyboard layouts
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Windows Defender Exclusions Added - Registry
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
- file.exe (PID: 7288 cmdline:
"C:\Users\ user\Deskt op\file.ex e" MD5: B9882FE8BB7AB2A4D094F9FF5442DF1C) - conhost.exe (PID: 7300 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - AddInProcess32.exe (PID: 7392 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Add InProcess3 2.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C) - VtmtVe55Jwcf3rOGIU1yezyh.exe (PID: 7604 cmdline:
"C:\Users\ user\Pictu res\VtmtVe 55Jwcf3rOG IU1yezyh.e xe" MD5: CCEE6D525CB5940F123C86DB6EDD40DA) - u5v8.0.exe (PID: 8120 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\u5v8.0 .exe" MD5: BCF475BE78F3965DD066CA8DABBEB31F) - Qg_Appv5.exe (PID: 3436 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\Qg_App v5.exe" MD5: 54D53F5BDB925B3ED005A84B5492447F) - 9wqoiPpK0NIQEBygxfm6h42G.exe (PID: 7740 cmdline:
"C:\Users\ user\Pictu res\9wqoiP pK0NIQEByg xfm6h42G.e xe" MD5: 3953BBAD77CDCB9D5AF2694EED7E6688) - UWxz0MPLJemfxFfuxrp6E5vU.exe (PID: 7488 cmdline:
C:\Users\u ser\Docume nts\Simple Adobe\UWxz 0MPLJemfxF fuxrp6E5vU .exe MD5: A1789F6DBB08B8F49452DB52D3829002) - F0mqqGl9pK9gdOm2cnZsC1mR.exe (PID: 4108 cmdline:
C:\Users\u ser\Docume nts\Simple Adobe\F0mq qGl9pK9gdO m2cnZsC1mR .exe MD5: D15459E9B9D12244A57809BC383B2757) - i7gUU3MlvTwbsK8r3hAjzW0p.exe (PID: 7988 cmdline:
"C:\Users\ user\Pictu res\i7gUU3 MlvTwbsK8r 3hAjzW0p.e xe" MD5: AAA56797070369AD346FBD9BB6CC5E8B) - Install.exe (PID: 5660 cmdline:
.\Install. exe /nxdid QZJ "38511 8" /S MD5: E77964E011D8880EAE95422769249CA4) - forfiles.exe (PID: 2552 cmdline:
"C:\Window s\System32 \forfiles. exe" /p c: \windows\s ystem32 /m where.exe /c "cmd / C powershe ll -Window Style Hidd en WMIC /N AMESPACE:\ \root\Micr osoft\Wind ows\Defend er PATH MS FT_MpPrefe rence call Add Exclu sionExtens ion=exe Fo rce=True" MD5: D95C443851F70F77427B3183B1619DD3) - conhost.exe (PID: 7532 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 7356 cmdline:
/C powersh ell -Windo wStyle Hid den WMIC / NAMESPACE: \\root\Mic rosoft\Win dows\Defen der PATH M SFT_MpPref erence cal l Add Excl usionExten sion=exe F orce=True MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - powershell.exe (PID: 7688 cmdline:
powershell -WindowSt yle Hidden WMIC /NAM ESPACE:\\r oot\Micros oft\Window s\Defender PATH MSFT _MpPrefere nce call A dd Exclusi onExtensio n=exe Forc e=True MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) - WMIC.exe (PID: 2624 cmdline:
"C:\Window s\System32 \Wbem\WMIC .exe" /NAM ESPACE:\\r oot\Micros oft\Window s\Defender PATH MSFT _MpPrefere nce call A dd Exclusi onExtensio n=exe Forc e=True MD5: E2DE6500DE1148C7F6027AD50AC8B891) - schtasks.exe (PID: 3060 cmdline:
schtasks / CREATE /TN "bWycNack LSywaqkmgR " /SC once /ST 21:38 :00 /RU "S YSTEM" /TR "\"C:\Use rs\user\Ap pData\Loca l\Temp\JMP ZeWvHhArmq ROvY\NwfPJ CCpQqPYDzK \koEMGMU.e xe\" em /V Nsite_idnL d 385118 / S" /V1 /F MD5: 48C2FE20575769DE916F48EF0676A965) - conhost.exe (PID: 5204 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - yPlMO3UKyKRvoEYPhbGYOyT0.exe (PID: 8132 cmdline:
"C:\Users\ user\Pictu res\yPlMO3 UKyKRvoEYP hbGYOyT0.e xe" MD5: CCEE6D525CB5940F123C86DB6EDD40DA) - u69w.0.exe (PID: 3412 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\u69w.0 .exe" MD5: BCF475BE78F3965DD066CA8DABBEB31F) - u69w.1.exe (PID: 7208 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\u69w.1 .exe" MD5: 397926927BCA55BE4A77839B1C44DE6E) - B46afLBMY0mokUgVdA9CQR52.exe (PID: 5664 cmdline:
"C:\Users\ user\Pictu res\B46afL BMY0mokUgV dA9CQR52.e xe" MD5: CCEE6D525CB5940F123C86DB6EDD40DA) - u4dc.0.exe (PID: 8156 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\u4dc.0 .exe" MD5: BCF475BE78F3965DD066CA8DABBEB31F) - t7IXQJi6R3tWUMJ8f9cQzMWm.exe (PID: 1940 cmdline:
"C:\Users\ user\Pictu res\t7IXQJ i6R3tWUMJ8 f9cQzMWm.e xe" MD5: CCEE6D525CB5940F123C86DB6EDD40DA) - l0nXYBHJHVq6UHyy1YDO9fn3.exe (PID: 4008 cmdline:
"C:\Users\ user\Pictu res\l0nXYB HJHVq6UHyy 1YDO9fn3.e xe" MD5: CCEE6D525CB5940F123C86DB6EDD40DA) - wr6XLbv7Ijp4TImjm1ouF4U2.exe (PID: 8088 cmdline:
"C:\Users\ user\Pictu res\wr6XLb v7Ijp4TImj m1ouF4U2.e xe" MD5: 3953BBAD77CDCB9D5AF2694EED7E6688) - PA8JWMmRYiQsN7iqTjOvjsbW.exe (PID: 8176 cmdline:
"C:\Users\ user\Pictu res\PA8JWM mRYiQsN7iq TjOvjsbW.e xe" MD5: F6C9E6F8396274E57FBA6BE593B90E36) - zUOgRazdYnb35XHU4UIsV9Yc.exe (PID: 7204 cmdline:
"C:\Users\ user\Pictu res\zUOgRa zdYnb35XHU 4UIsV9Yc.e xe" MD5: F6C9E6F8396274E57FBA6BE593B90E36) - 6dpl9L7LbyabhVQNXZXXKjGL.exe (PID: 5812 cmdline:
"C:\Users\ user\Pictu res\6dpl9L 7LbyabhVQN XZXXKjGL.e xe" MD5: CCEE6D525CB5940F123C86DB6EDD40DA) - 0FR80IiNvxJZyXnpOgiDlYNV.exe (PID: 4252 cmdline:
"C:\Users\ user\Pictu res\0FR80I iNvxJZyXnp OgiDlYNV.e xe" MD5: F6C9E6F8396274E57FBA6BE593B90E36) - 68bEfZA6FBu6lC5BaADYSIdx.exe (PID: 7592 cmdline:
"C:\Users\ user\Pictu res\68bEfZ A6FBu6lC5B aADYSIdx.e xe" MD5: F6C9E6F8396274E57FBA6BE593B90E36) - ikL90ODaFTS7N6FbOffM2D1B.exe (PID: 7852 cmdline:
"C:\Users\ user\Pictu res\ikL90O DaFTS7N6Fb OffM2D1B.e xe" MD5: CCEE6D525CB5940F123C86DB6EDD40DA) - ka1rT1Ln7XhH1aQSgOeo3013.exe (PID: 3956 cmdline:
"C:\Users\ user\Pictu res\ka1rT1 Ln7XhH1aQS gOeo3013.e xe" MD5: 3953BBAD77CDCB9D5AF2694EED7E6688) - G3pV8gTsWQBVrGpK4ooPrlxI.exe (PID: 5416 cmdline:
"C:\Users\ user\Pictu res\G3pV8g TsWQBVrGpK 4ooPrlxI.e xe" MD5: CCEE6D525CB5940F123C86DB6EDD40DA) - vU4jsQbpuBQoMcavMx7b1jzX.exe (PID: 1588 cmdline:
"C:\Users\ user\Pictu res\vU4jsQ bpuBQoMcav Mx7b1jzX.e xe" --sile nt --allus ers=0 MD5: 409B00F4B0A921D4691FE3EFB0AD4092) - OYqxk9G3x4R05N4I0KLZXbXg.exe (PID: 6752 cmdline:
"C:\Users\ user\Pictu res\OYqxk9 G3x4R05N4I 0KLZXbXg.e xe" MD5: F6C9E6F8396274E57FBA6BE593B90E36) - nxx62MIcAq1mLUazdUlt2emv.exe (PID: 4172 cmdline:
"C:\Users\ user\Pictu res\nxx62M IcAq1mLUaz dUlt2emv.e xe" --sile nt --allus ers=0 MD5: 2CF99CA2E0CB98555FCA7D2FB3187553)
- svchost.exe (PID: 7860 cmdline:
C:\Windows \system32\ svchost.ex e -k Local SystemNetw orkRestric ted -p -s fhsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 7868 cmdline:
C:\Windows \System32\ svchost.ex e -k NetSv cs -p -s N caSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 7876 cmdline:
C:\Windows \system32\ svchost.ex e -k Local SystemNetw orkRestric ted -s WPD BusEnum MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cmd.exe (PID: 1168 cmdline:
C:\Windows \system32\ cmd.exe /c ""C:\User s\user\App Data\Roami ng\Microso ft\Windows \Start Men u\Programs \Startup\E CVVQonpjDv aVVq8u9A57 jpg.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 3124 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - H6XhhPCeuwAb2QQK3C3B1Lwl.exe (PID: 3572 cmdline:
"C:\Users\ user\AppDa ta\Local\H 6XhhPCeuwA b2QQK3C3B1 Lwl.exe" MD5: CCEE6D525CB5940F123C86DB6EDD40DA)
- koEMGMU.exe (PID: 4868 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\JMPZeWv HhArmqROvY \NwfPJCCpQ qPYDzK\koE MGMU.exe e m /VNsite_ idnLd 3851 18 /S MD5: E77964E011D8880EAE95422769249CA4)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Glupteba | Glupteba is a trojan horse malware that is one of the top ten malware variants of 2021. After infecting a system, the Glupteba malware can be used to deliver additional malware, steal user authentication information, and enroll the infected system in a cryptomining botnet. | No Attribution |
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Stealc | Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. | No Attribution |
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Vidar | Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. | No Attribution |
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
zgRAT | zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on. | No Attribution |
{"C2 url": "http://185.172.128.76/3cd2b41cbde8fc9c.php"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | ||
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen |
| |
JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | ||
Click to see the 8 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
Windows_Trojan_Smokeloader_3687686f | unknown | unknown |
| |
Windows_Trojan_Smokeloader_3687686f | unknown | unknown |
| |
JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | ||
Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
| |
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
Click to see the 36 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
JoeSecurity_MarsStealer | Yara detected Mars stealer | Joe Security | ||
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
JoeSecurity_MarsStealer | Yara detected Mars stealer | Joe Security | ||
JoeSecurity_Glupteba | Yara detected Glupteba | Joe Security | ||
Click to see the 15 entries |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems), Tim Shelton: |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Christian Burkard (Nextron Systems): |
Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): |
Source: | Author: vburov: |
Data Obfuscation |
---|
Source: | Author: Joe Security: |
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: |
Source: | ReversingLabs: |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: |
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: |
Bitcoin Miner |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Compliance |
---|
Source: | Unpacked PE file: | ||
Source: | Unpacked PE file: | ||
Source: | Unpacked PE file: | ||
Source: | Unpacked PE file: | ||
Source: | Unpacked PE file: | ||
Source: | Unpacked PE file: | ||
Source: | Unpacked PE file: | ||
Source: | Unpacked PE file: | ||
Source: | Unpacked PE file: |
Source: | File created: | ||
Source: | File created: |
Source: | File opened: | Jump to behavior |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Change of critical system settings |
---|
Source: | Registry key created or modified: | ||
Source: | Registry key created or modified: | ||
Source: | Registry key created or modified: | ||
Source: | Registry key created or modified: |
Source: | Code function: | 4_2_0041D9E1 | |
Source: | Code function: | 11_2_0041D9E1 | |
Source: | Code function: | 11_2_05BCDC48 | |
Source: | Code function: | 19_2_0041D9E1 | |
Source: | Code function: | 19_2_05CFDC48 | |
Source: | Code function: | 21_2_0041D9E1 | |
Source: | Code function: | 21_2_041DDC48 |
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: |
Networking |
---|
Source: | URLs: |
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: |
Source: | String found in binary or memory: |