Analysis Report b8fe43e6_by_Libranalysis.dll
Overview
General Information
Detection
Score: | 76 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Startup |
---|
Malware Configuration |
---|
Threatname: Dridex |
---|
```json
{"Version": 40112, "C2 list": ["193.200.130.181:443", "95.138.161.226:2303", "167.114.113.13:4125"], "RC4 keys": ["MqW38NQIO70GhjGOOvjtl5AwyenW6A8fcZ", "xeMr6QHn7uRk1D2ChU8OuyaRFUZJZZHUIgxCzaPXtOkjmhTMtNxfWU8nlnD7q009ahEI51R1"]}
```
Yara Overview |
---|
Dropped Files |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | SUSP_WER_Critical_HeapCorruption | Detects a crashed application that crashed due to a heap corruption error (could be a sign of exploitation) | Florian Roth | |
 | SUSP_WER_Critical_HeapCorruption | Detects a crashed application that crashed due to a heap corruption error (could be a sign of exploitation) | Florian Roth | |
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security | |
 | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security | |
 | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security | |
 | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security | |
 | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security | |
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security | |
 | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security | |
 | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security | |
 | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security | |
 | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security | |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
AV Detection: |
---|
Found malware configuration |
Multi AV Scanner detection for submitted file |
Machine Learning detection for sample |
Networking: |
---|
C2 URLs / IPs found in malware configuration |
E-Banking Fraud: |
---|
Yara detected Dridex unpacked file |
Malware Analysis System Evasion: |
---|
Tries to detect sandboxes / dynamic malware analysis system (file name check) |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection11 | Virtualization/Sandbox Evasion11 | OS Credential Dumping | Security Software Discovery11 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection11 | LSASS Memory | Virtualization/Sandbox Evasion11 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information2 | Security Account Manager | Account Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Rundll321 | NTDS | System Owner/User Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing3 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery11 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
 | 21% | Metadefender | | |
 | 30% | ReversingLabs | Win32.Trojan.Phonzy | |
 | 100% | Joe Sandbox ML | | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
 | 100% | Avira | TR/ATRAPS.Gen2 | |
 | 100% | Avira | TR/ATRAPS.Gen2 | |
 | 100% | Avira | TR/Crypt.XPACK.Gen | |
 | 100% | Avira | TR/Crypt.XPACK.Gen | |
 | 100% | Avira | TR/Crypt.XPACK.Gen | |
 | 100% | Avira | TR/Crypt.XPACK.Gen | |
 | 100% | Avira | TR/Crypt.XPACK.Gen | |
 | 100% | Avira | TR/Crypt.XPACK.Gen | |
 | 100% | Avira | TR/ATRAPS.Gen2 | |
 | 100% | Avira | TR/Crypt.XPACK.Gen | |
 | 100% | Avira | TR/ATRAPS.Gen2 | |
 | 100% | Avira | TR/ATRAPS.Gen2 | |
 | 100% | Avira | TR/Crypt.XPACK.Gen | |
 | 100% | Avira | TR/ATRAPS.Gen2 | |
 | 100% | Avira | TR/ATRAPS.Gen2 | |
 | 100% | Avira | TR/ATRAPS.Gen2 | |
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
No Antivirus matches |
---|
Domains and IPs |
---|
Contacted Domains |
---|
No contacted domains info |
---|
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
167.114.113.13 | unknown | Canada | | 16276 | OVHFR | true |
95.138.161.226 | unknown | United Kingdom | | 15395 | RACKSPACE-LONGB | true |
193.200.130.181 | unknown | unknown | | 42960 | CLOUD-MANAGEMENT-LLCUS | true |
Private |
---|
IP |
---|
192.168.2.1 |
General Information |
---|
Joe Sandbox Version: | 32.0.0 Black Diamond |
Analysis ID: | 404281 |
Start date: | 04.05.2021 |
Start time: | 21:44:04 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 8m 43s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | b8fe43e6_by_Libranalysis.dll |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Run name: | Run with higher sleep bypass |
Number of new started processes analysed: | 38 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal76.troj.evad.winDLL@24/28@0/4 |
EGA Information: | Failed |
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated samples | Detection |
---|---|---|
167.114.113.13 | 20 associated samples (names and hashes not present in this export) | malicious |
95.138.161.226 | 20 associated samples (names and hashes not present in this export) | malicious |
193.200.130.181 | 20 associated samples (names and hashes not present in this export) | malicious |
Domains |
---|
No context |
---|
ASN |
---|
Match | Associated samples | Detection |
---|---|---|
RACKSPACE-LONGB | 20 associated samples (names and hashes not present in this export) | malicious |
CLOUD-MANAGEMENT-LLCUS | 20 associated samples (names and hashes not present in this export) | malicious |
OVHFR | 20 associated samples (names and hashes not present in this export) | malicious |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 12696 |
Entropy (8bit): | 3.772807661829043 |
Encrypted: | false |
SSDEEP: | 192:tLi9y0oXyRH4+V/Ojed+iIR/u7sKS274ItWcY:himXyh4+VGjec/u7sKX4ItWcY |
MD5: | 8A2F59A105E101E23E78ACC0218D5756 |
SHA1: | 052FF51A4D5468E70A5B6D67D55AEE22B30CFBA3 |
SHA-256: | 6DD953497B09FD728FE138CC13714D8854C3D5FAC254FB388FC76A5ABCF9FA25 |
SHA-512: | 5008C69E9BE5993EF9F5FF10A83488E75DB27525CFE3BDDE3D537D3DC2230DD2F5F484C43DC61A49D6E3EDDB5315D14D0209BD6C0FC511DCB04A5786065EA182 |
Malicious: | false |
Yara Hits: | SUSP_WER_Critical_HeapCorruption |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 12698 |
Entropy (8bit): | 3.771932163227197 |
Encrypted: | false |
SSDEEP: | 192:hrMeih0oXnRH4+V/Ojed+igR/u7svS274ItWci:9TiPXnh4+VGje0/u7svX4ItWci |
MD5: | 9A9050AF35493FDC046A0F2A5ADA6187 |
SHA1: | C5E499E6FDCA0794741F55ADEE04E1DC38DFEEBE |
SHA-256: | 5D4E9C26992329CD6F1A8B139A71AABA5517CF6C55CF9AFEFED4B9CB709D98C4 |
SHA-512: | 33021E3E5A3AE71853E18399A5AB0ACDFE7C0D71DD41AB31E0A8B07A969BF3DB822948D1C8FF92907B1AFF2D8DAC7AA77ED0040D588A7D098EDEC66A4C14062E |
Malicious: | false |
Yara Hits: | SUSP_WER_Critical_HeapCorruption |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 12764 |
Entropy (8bit): | 3.7717428493022966 |
Encrypted: | false |
SSDEEP: | 192:Jdg5iX0oXCHBUZMX4jed+igR/u7svS274It7cb:DyipXaBUZMX4je0/u7svX4It7cb |
MD5: | 1D9EFCB3DC118BEB1DEB8C569061287B |
SHA1: | 3BB8D01D2175D4833FF49207567C237C1DD91DF8 |
SHA-256: | DC410BDD1213B2F43F8E995271B9A5DEAB187DF17CDD56CCFB312F0FC6F34BEC |
SHA-512: | 4C793C2A5A808B3F6E2821F2F6420D37E051FE373ACEF4B8F7D8F44F814F364619D13AE33BCC25B391D9E317379A9F1D900B5596448B29971F8E5057B4BEA9F6 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 12682 |
Entropy (8bit): | 3.768920244119495 |
Encrypted: | false |
SSDEEP: | 192:RmiE0oXNL3HBUZMX4jed+igR/u7svS274ItWcG:MiyXNrBUZMX4je0/u7svX4ItWcG |
MD5: | 6720C3471EEE71B1241EF9B95B04D43E |
SHA1: | 3CF3666D7A351AD8E807367B3CFCA55CCA7B697E |
SHA-256: | 8378EA8DF0C1FF4F15E3312620D5B664B4AF70A23EC0C207BD6B4E99CE12FE40 |
SHA-512: | 07BB14BF42AB7B4C70EB3D9986A4C0D71DD663A8E3AE2D9A0B9DB59E3A84941888DC6B6F48C019F86B92F6AE6B6010C53484944D52A2AC0ED9130E135C30EE6E |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 12682 |
Entropy (8bit): | 3.7686287414091635 |
Encrypted: | false |
SSDEEP: | 192:9Ai4Oin0oXGVxHBUZMX4jed+igR/u7svS274ItWcW:1iZXGTBUZMX4jeU/u7svX4ItWcW |
MD5: | D5A543FCF617A53047391FA79B6BB0D2 |
SHA1: | C5C806E1DE4F14A0234405E7A168AF03C1C5E61B |
SHA-256: | CBEFF017D5A0096CAE4F8837BE31AE35B840BB6FAFED61AC991DAD5A68E31CD8 |
SHA-512: | CDCD70619E510CBC5A454AB9A738D7F2FC85D1E6FFC6F1D8E7633E13FE07BE9FD2EC1056337DC1BF8E18132EA8A8EAC6A4636A1E14A7A5E6A85AC461FD04FCFA |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 10086 |
Entropy (8bit): | 3.7648879788229883 |
Encrypted: | false |
SSDEEP: | 96:t6AXy+y9hAtFaM056tpXIQcQ6c6n+hcEZcw3P+a+z+HbHgzFpAoXOgtYsASonj+K:WWFHUb+hjbjG7g/u7svS274Itb2u |
MD5: | 794F5EE3AFD496B22C5AE33B871528AF |
SHA1: | FA78FB2D08774AB9E94786FA64B44BD346CAE91B |
SHA-256: | 459F9CDC01C84A7BDB1406D46A1FA41434BC1CAC9DB4F1DE3D7F6B34884162FC |
SHA-512: | A6F5BA64E7BAA2A0ED44E1EA999825792BB7FE871AE50D3515983EF65977D0B5A34878D9C0375A2423C3C1F4C2B9761C9C104B566CDD69D44D32492F764A5BF1 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 12860 |
Entropy (8bit): | 3.7599037631496284 |
Encrypted: | false |
SSDEEP: | 192:1i5iE0oXKFHVzOMjed+iYs/u7sKS274It7cT:1i5iyXgVzOMjeB/u7sKX4It7cT |
MD5: | 98ABE178E3ABF9EB668F1B1D5872DE2A |
SHA1: | 100975FCBAD81CF2E578A2D2BCE83BC1327AE577 |
SHA-256: | 0E5408D503280B4982C256B7497E8CB1A5415B5C46949BB71A042B1AECD76C0E |
SHA-512: | 26FDC68583DBE7881E2E095C5AC3A892EDC321AD3B725BEF2AA383E6D0FD92E72751C19E2BE11F94C8B9D4C6FB81944A0214C7FDA0CDFB3AA791F6DAD8576090 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 8314 |
Entropy (8bit): | 3.6969170915314 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNiU069B6YRv61TNgmfT3GS0CprD89bJfsfESjm:RrlsNi/6r6Y561TNgmfTWSIJEfi |
MD5: | 83EE80F83555E155D4E6F8C290163C83 |
SHA1: | 8F75252ADC162668763265392AE51313FE4444FC |
SHA-256: | DA12AA73FD5E4B489EE69F761BAEBB82018DD77F52221C5A7444DCE2BB08CD01 |
SHA-512: | A66B60130741AE37FD38EE5DB251280810FD213533E6A1777415ED94D7CFC0C940333DCE633C7C05CF878494F1DDDC35049745AFBF80038A659606FC63E0882E |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 8314 |
Entropy (8bit): | 3.6964706101291984 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNifn69l6YRVE61TNgmfT3sS0CprJ89bJ8sf6jm:RrlsNif6v6YjE61TNgmfT8SqJPfX |
MD5: | BCF747BF3D53D1B5A8D14F8F57A0AD2A |
SHA1: | FE6AC825C5A7292A9C99B022B165ABFCC50EEC67 |
SHA-256: | 697F166ECB868306B2457071EF2A8C15B824BC9B82F91E3C07249027155D92C0 |
SHA-512: | 2AA1D7214ACE2C84686C00A226AF6DF7B487EBFD08437168D9DEC4CF662EA6EF269C28926333A4ACC722C0A7489A0048DE5806C1F8F3B296D9ED1984E0E04435 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 4665 |
Entropy (8bit): | 4.476151288026438 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zswJgtWI9CMWSC8Beb8fm8M4JCdstN4xFN+q8/YNGnpV4SrSO6d:uITf25lSNzJfN4JPNGvDWHd |
MD5: | 722D834E41F5EEA7B44C740205A252F7 |
SHA1: | 229BE92DE4D92FD57739277B655916D31F3F707D |
SHA-256: | 4C75EF43840CDC5ADB9E0AD416D0589C463B99F3B8C39EFE3B4C244739458E7E |
SHA-512: | 15A566D833F99DD589996AFE8C5C029118F3EDE61B56526FF1F6C5617ED4613995EBE4693B9CE9D19F67644BF7E3F1D6860956088F4FAEC144BCECEA514655AC |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 4665 |
Entropy (8bit): | 4.47786313728854 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zswJgtWI9CMWSC8BJ8fm8M4JCdstN4lFfl+q8/YNGPbI4SrSBd:uITf25lSNQJfN4/lPNGjIDWBd |
MD5: | 1202A42B5C8E5659CFD6413F63A8DAD7 |
SHA1: | D28B2CF4C6D8AB56DE9BFC71A49F1F4BB84C0074 |
SHA-256: | 15CA53D0615D6831C000F6635A7C7C1A6C7AD4CFC7985424B341333279687938 |
SHA-512: | 744A7A680B2088A215A97EB5F74CBAE808BFC53C9AA595A8C55AFA7B667CB884C0C764F298A5F2CCF0EFCBE8D23B1FD3C1282E15CB43F1F4944D47BFCE5C9502 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 28502 |
Entropy (8bit): | 2.6942945176282986 |
Encrypted: | false |
SSDEEP: | 192:n8POgUNoY5zp5Drzv/4jsr0Oadvwqz9ArI7yXYTMby:8POgioojnzvzgOaeqpAroyXYQy |
MD5: | B1773058BE36AEE4302D18E663B8A81B |
SHA1: | 299EC23A6B892EF4A76345C28EF3EC80467C5A4C |
SHA-256: | 7902E00AD5C92E18E2548582806B0CFC6A05D714C2E1585B936477D9791D5AE5 |
SHA-512: | B2A93F0C00B097E2ED38CAF3F79DF1165BE0D017560E27DE10F276D65260F6B47D6BD56A38A542E24BBAAD36855FA03C24C2516F44A96ABF2E35BCBCE0809BA4 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 8396 |
Entropy (8bit): | 3.6902989247590705 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNiBs6ej6YScSUhII9AgmfDHS1tCpBj89benDsfcKm:RrlsNiq6ej6Y5SUhIIKgmfbS1jenofg |
MD5: | BB99E9533D5D06BBDF02132C50BA803D |
SHA1: | 3FA246A35B67B08B02F8FFB0EDFACB44057A1DDD |
SHA-256: | D2548A0CC64A970679B00B8D93728348FBF7803A8BE3647737614937795BDF25 |
SHA-512: | 40DE23583A99DE5F9E4F80668EC678F3F6FF92812FF27E992EDD05849A87E9E4F10670613DF388BC0D6ED26BC567E1CB715DAA9A050D85A81EC187416F8814CF |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 4694 |
Entropy (8bit): | 4.435034624349751 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zswJgtWI9CMWSC8Be8fm8M4JVtN4fFpv+q8v7tN4FKcQIcQw6Uredd:uITf25lSNNJvN4nvKpN4FKkw68edd |
MD5: | 0BD45C47BF6D1E098B10F78A1ADEE1C8 |
SHA1: | 51C1DB07CA4DADFE3582629839FEE8ED48AB4D7F |
SHA-256: | 0BAF84C29146615B2223009D1EC1EE3733AEB93941371F2A0545D58E062B0364 |
SHA-512: | FEC80CD0D15836724BB83070861186943BAB6A547167EC3F81AC16FED6EB28AA5F03AEE0C62D5D02E8B685C0C42E9F8B617E5A6254C7200E13E99B35FC5C765E |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 52760 |
Entropy (8bit): | 2.2713207437159366 |
Encrypted: | false |
SSDEEP: | 192:+yO0BNeqtlOFdnZn0jqRGVLV49s27TEeyGMVVsinsalBr:YqtSd+mkLVEt7TEeyJVmCs6r |
MD5: | 0158233AA18C40E0BBCD39837FEB5D5D |
SHA1: | C6EB0B4F2FF0D8CBF1A76AD05622336A2C802FAB |
SHA-256: | 62020EC0A58AE7356328D7E580BB9DB8CCCD38D37FF33C39B63D7A888A922C85 |
SHA-512: | E0DB4455F18ABEF7B02D17B9D2F1AD8D33526412D0BEC9F12170F52C969E06A3EF472D681A84ABAD95DEAD155B13EB390431A90C15923912C221EDCAC81B9FEF |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
Category: | dropped |
Size (bytes): | 8306 |
Entropy (8bit): | 3.7004534107746396 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNiqx6b6Y4m68B5qGgmfTHPSXKCprr89b+n8sftqm:RrlsNi06b6YB6SFgmfTHPSO+nPfB |
MD5: | AD73147E83A8B36DE9D935D5CE911823 |
SHA1: | DF16B467E65CA9C0A643F9804EB6C8C9070B53B8 |
SHA-256: | F4D62A14653CB4E59397969C2FFA45DED665B5D81019DCFDE9B7ECB4142C4A3C |
SHA-512: | 262CC348288C079A06EF4091F5DC7788CFD83298B73286109F9A87E91798A084F12F3DA818E2A4531CB1F2F3A114BD47D29F5AE38EE6B07A3C782C1CF25F360E |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4679 |
Entropy (8bit): | 4.513029588501548 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zsHJgtWI9CMWSC8Bz8fm8M4JCdsrZFhP+q8/3U1I4SrST6d:uITfp5lSNGJptPviDWT6d |
MD5: | D61212A49486E903CFAC41FC43FA4ED4 |
SHA1: | C3C62001AAE23F5B41B9D51C2CB09D7324128AFD |
SHA-256: | DF121DBD32906946328BE2F2A5125959FBCDDC7C35348ED471F3B291B5D9D4BB |
SHA-512: | E17A119D3AF7D22356AC11561061445DFD9DCD9E09F37E0CEEF380D41E12BF9B3AC78DFD8F65A966A15E666FF0C68C303AA33BABE637D085BD00BE572BB2B87D |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 56348 |
Entropy (8bit): | 2.2519262948222085 |
Encrypted: | false |
SSDEEP: | 192:6E+cRT3TN2/7R3nyB/980h3AMYdaIO/QvTUvIiXJ0hX0OP5VO:5nzTN2TR3y5mGYcIpKxaLP5w |
MD5: | 0BF06EC1B7F66D4DC691E02654A3903C |
SHA1: | 6349B392A4998CF2980617C37A8B9DF3F167F7B5 |
SHA-256: | 6EA0767B7C036D9A06F8577540E65C7BC899129C4E5805DDE3A36EE6D3EAE738 |
SHA-512: | BD1E58BC5B269053CFA0F208ECD68E7B8D2422408B3B547C3992CFCF66171876ADDE9BD1A18102690D9CCBA6F3D2C2C139FA4F1F97EA4590CD9B60ED852DD476 |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8380 |
Entropy (8bit): | 3.694319472688357 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNiEG6X6YRZ6RNTogmf83HS/CpBSy89b7nrsfoGpm:RrlsNiN6X6Y/6bTogmf83SfL7nwfo5 |
MD5: | F1AE422E7885757B141538712276A4AF |
SHA1: | 6EB97024B123C7BF5F5613F8572E406A67C83143 |
SHA-256: | A8E5A24E5139CDD147D083B0BB222B061A0F1F858697BBF505FA91B5975CA3C5 |
SHA-512: | 294538C6C8963984CE9D4E6FE4B63B3FEA755A77AC2339DAC0812A62BE6214CFD6BBF61ED3E9AB74428F5E4B6C014250648139CE91E2962647E51881316EA0DA |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4766 |
Entropy (8bit): | 4.461945087016917 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zsHJgtWI9CMWSC8BO8fm8M4JCdstN4fFk0+q8vjstN4GCI4SrSRd:uITfp5lSN9JfN4+0K2N4KDWRd |
MD5: | E40225169749E2120E155CC0DAB629E8 |
SHA1: | 7A36DFE0110FC29707E678A61737C1F6A7D9612D |
SHA-256: | 6587F41FD60B406CF1A41BB371EB9C77C69A4CE166259359ED0D154C682CA0E8 |
SHA-512: | DB1CF650AEC36129563F49C686C11E446B3FEE506C7CFBF437EC4A65B7F9BD9AAFA9F748EBB7F80A8F3796E5C4EBAD59A2D34717FF5542537E0C60525177EB62 |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 47588 |
Entropy (8bit): | 2.2647666627151417 |
Encrypted: | false |
SSDEEP: | 192:8zBH1/JIJ0stBYJDM1A4hEaBqAWVb5kc+VPmvfJDouG:w1/WtgM1euqlb5J+NmvWt |
MD5: | C624C54975037695AADBA22E667207AD |
SHA1: | DA9F2E04A7C603298C4D5684C5192F4B76D75383 |
SHA-256: | A4615F4D24E5F6D2A7E9FAA4472666364044C396461DEE7769D92958AEDD5D8A |
SHA-512: | DEAC489676BC295E026E6709275D228229035F4E08A5F5F0B02B9E49B48AF251D456D8AAB11E2AD89E4EF6F7F8F9F015DC85F24C1F2DE8F2534753D63E4D3655 |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 46464 |
Entropy (8bit): | 2.207242542737921 |
Encrypted: | false |
SSDEEP: | 192:3pyDkqZe1c439RJegD4/fEaBqAWVb5LcDIkN4rt3gQaynwyJ:ZMkqZeS439RJPE0uqlb5gDIG4r1aShJ |
MD5: | 74DE84F9202BA5BEE0F4C45A1C83A607 |
SHA1: | F19BD0CE5F2D889351AC012058872D7A0D326361 |
SHA-256: | 74708AE80A0129781BFE633294AB697B51FB8B33720E5A5EF51255D2A1176D0F |
SHA-512: | 8BD1E85FC3D18D0B6CDF7353BA84983FDD22A0AED26F7BB4CA9DCEFF41B2893B2772ACE8E0F7E877FABE3165C4DAE1CC4D0DFAD50C031C3DB0130F206C1A31FF |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8328 |
Entropy (8bit): | 3.7013565765270364 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNi7w646YRd61TNgmfTHPSXKCprv89bXvsf8q9m:RrlsNis646Yr61TNgmfTHPSyXUfo |
MD5: | DF0A87E60A28F36ABD606931DBC3347A |
SHA1: | BDC331AC040BF0340B73E742B3C995B6D73589B7 |
SHA-256: | 20646263FD9765D6E252A9E6E815411E804D3287779CB9B82828AFC3906921DE |
SHA-512: | C38F558AF12539B47DDF249CFFD665C2606513D3854011FBEDE1E2EB2EC7DAEBB645675E9EDC97DD94CDA23025C039FDB82E7D71B66E4067F0EBF835BDC9693E |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4679 |
Entropy (8bit): | 4.51187397978779 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zswJgtWI9CMWSC8Ba8fm8M4JCdsrZFPQ3s+q8/3Ut4SrSOd:uITf25lSNNJpLFvtDWOd |
MD5: | 7DDF29239C186EAED68CB11663BF94E0 |
SHA1: | 4A10C720E62A1C60D984ED7FF1C8CFF35AEC64E0 |
SHA-256: | 7D35A65EA3F4603763BA4A4E2154331496F9473C9A4C397C1B55C8C2F08A0E2F |
SHA-512: | B8C58522BD6FC67DCA0BC13F4EA2870CF811B27569630BADCD84188807428E1068740C46BEE0714D0C4666647F5F8C23E0BEA08D285467A19E9750D30B39556B |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8382 |
Entropy (8bit): | 3.697676034716634 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNipbo6dQW6YRk61TNgmf8eS0Cpr089bXPsfZv9m:RrlsNipU6D6YS61TNgmf8eS9X0fC |
MD5: | 629236D79FB79E55D60E71CE9999CED2 |
SHA1: | 96CAE27EA52419B01C9E8CD2FBB17B2FF0FBA6D3 |
SHA-256: | DB6A18CB1CD727BA3660AA5F873F3027A96B0873F287AA02F36D46DB310074CF |
SHA-512: | FF51CA2ED5D7A5EBACB5A2320865AFEBE5722B9098E77C18EFF7E6B18CD9AB3D94EA683A7C5E34FB8B558248EAE9E075E33C54D4F63AFD6F3DF2A3F68257E77F |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 39812 |
Entropy (8bit): | 2.4677851683162455 |
Encrypted: | false |
SSDEEP: | 192:Kwg9rU538iYqtTUKocLM/7VrIBlw6bihWf4nW:hgVnqKOC8HvihVW |
MD5: | 6E4D42CBA822457AB2C9BF76AFBD2A87 |
SHA1: | 44E60FA16B87D126D49B2E91C22D068E9AB8D3B8 |
SHA-256: | 408509B2CE2759EF0D66DA593008AD1B3CEC919E68EDF0973DC78B76D7398FBC |
SHA-512: | E42D51468E202B349E02753A6528E1FA459C550931518EA83ECCD089DB4A219ECDCC187EBB8B343027A60FF04CB32E0FEE735E8CD5EF2BD7AE5464F7A5371C33 |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 41660 |
Entropy (8bit): | 2.403405146292841 |
Encrypted: | false |
SSDEEP: | 192:FWQS1jvp1XqQB15lR2khWUKocLM/7VrI4NHINYvrwxL9nn:hS1znnjFOC88kYKL9n |
MD5: | 3546256C4B742FB4B690D4C4B092ADBC |
SHA1: | 7E9842F533976E6A63C6D6AC9D1045EF989EFDA0 |
SHA-256: | 00E7801DF84931FB42EF7F0A6484ED0A4006D480CFC41F4599C575FED5E7916E |
SHA-512: | 0330E441EC9268DEA42926C58981C4B69BEBD251887557E5C58B537B1FD78E25B220CC3D99997F5EC44E76D0671D66AA0BFDD38CB1B27B28C5E5F51519FED469 |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4770 |
Entropy (8bit): | 4.486746150131345 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zswJgtWI9CMWSC8Bm8fm8M4JCds0MF9+q8vjs0K4SrSsd:uITf25lSNBJyQKtKDWsd |
MD5: | 2F3A01531E832F9E3B5F3EBCA8560B49 |
SHA1: | 7FD083A88E658EB16BA411FCE38CED19E0366C45 |
SHA-256: | E8FFC2A0E1438FE2CD751EC38A18A122633B002F64FACA65D83D21C05B93C7B1 |
SHA-512: | 077CA44840F6E45262CF109B54C974479B73D3D38799540519A018B49AC171B5433212831E09FB66A4C368C51E0578527D3906366E8E03D52828A8C22FD824DC |
Malicious: | false |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.536014050371126 |
TrID: |
|
File name: | b8fe43e6_by_Libranalysis.dll |
File size: | 164864 |
MD5: | b8fe43e6e418db516c1deda8d2b1e8d0 |
SHA1: | d6901a2528977ed284f9e6808a73029371cd2ecc |
SHA256: | 6ea1efc4c1dd494c71fbfb23ea1fdc5530f9cbb6602993d96a74a7b014a96ee3 |
SHA512: | 276f9e3def3a672d78128ec30c5fd48ec2946c344d0704c7f80f911f9e3f0f980b30bd486b1b1d8c15f9572f6fabeb0b7627bab785352fe80ef844632aef6ddd |
SSDEEP: | 3072:sk2X+QFg3UutDvUvoU8pz6EJEEhu6Tzace9kuaGA81/YXKHML/vp8AF:yG3rUvoU4JE/Wzan9T7B/CKsL/vy |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t.%.0zK.0zK.0zK.0zJ.}{K...3..{K.....P{K...3..zK.V....zK...1..{K......zK.Rich0zK.........................................PE..L.. |
File Icon |
---|
Icon Hash: | 74f0e4ecccdce0e4 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x100241a0 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x10000000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x60903ADD [Mon May 3 18:03:09 2021 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | f108efab351dd21acb187c36805c5bbe |
Entrypoint Preview |
---|
Instruction |
---|
mov edx, eax |
xor eax, eax |
add eax, 00002233h |
cmpss xmm1, xmm2, 03h |
sub eax, 00002233h |
mov edx, 00000000h |
mov edx, 00000000h |
mov edx, 00000000h |
mov edx, 00000000h |
mov edx, 00000000h |
mov edx, 00000000h |
cmpss xmm1, xmm2, 03h |
cmp eax, 01h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
mov eax, 00000000h |
Rich Headers |
---|
Programming Language: |
|
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x27730 | 0x55 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x27804 | 0x59 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x3a0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2d000 | 0x1220 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x10018 | 0x38 | .text |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x25000 | 0x60 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x23b14 | 0x23400 | False | 0.759010693706 | data | 7.5511794748 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x25000 | 0x2ab4 | 0x2c00 | False | 0.770685369318 | data | 7.47874664505 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.pdata | 0x28000 | 0x336c | 0x1800 | False | 0.78564453125 | MMDF mailbox | 7.42299069747 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x2c000 | 0x3a0 | 0x400 | False | 0.4091796875 | data | 3.06807977608 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x2d000 | 0x258 | 0x400 | False | 0.5263671875 | data | 4.16057022331 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_VERSION | 0x2c060 | 0x33c | data |
Imports |
---|
DLL | Import |
---|---|
msvcrt.dll | memset |
ADVAPI32.dll | RegOverridePredefKey |
ole32.dll | CreatePointerMoniker, CreateStreamOnHGlobal |
USER32.dll | TranslateMessage |
OPENGL32.dll | glTexSubImage1D |
KERNEL32.dll | CloseHandle, OutputDebugStringA, LoadLibraryExW, CreateFileW, GetProfileSectionW, LoadLibraryW, GetProfileSectionA, OpenSemaphoreW |
RASAPI32.dll | RasGetConnectionStatistics |
CLUSAPI.dll | ClusterEnum |
Exports |
---|
Name | Ordinal | Address |
---|---|---|
LoxmtYt | 1 | 0x10027776 |
Version Infos |
---|
Description | Data |
---|---|
LegalCopyright | Copyright 2018 |
InternalName | j2pcsc |
FileVersion | 8.0.1710.11 |
Full Version | 1.8.0_171-b11 |
CompanyName | Oracle Corporation |
ProductName | Java(TM) Platform SE 8 |
ProductVersion | 8.0.1710.11 |
FileDescription | Java(TM) Platform SE binary |
OriginalFilename | j2pcsc.dll |
Translation | 0x0000 0x04b0 |
Network Behavior |
---|
Network Port Distribution |
---|
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
May 4, 2021 21:47:10.513834953 CEST | 52238 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 21:47:10.562426090 CEST | 53 | 52238 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 21:47:11.288100004 CEST | 49873 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 21:47:11.336699009 CEST | 53 | 49873 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 21:47:12.193219900 CEST | 53196 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 21:47:12.242830038 CEST | 53 | 53196 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 21:47:13.072216988 CEST | 56777 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 21:47:13.123243093 CEST | 53 | 56777 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 21:47:14.234678984 CEST | 58643 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 21:47:14.294538975 CEST | 53 | 58643 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 21:47:15.158169985 CEST | 60985 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 21:47:15.211030006 CEST | 53 | 60985 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 21:47:16.009810925 CEST | 50200 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 21:47:16.068655014 CEST | 53 | 50200 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 21:47:16.982290030 CEST | 51281 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 21:47:17.031006098 CEST | 53 | 51281 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 21:47:18.049487114 CEST | 49199 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 21:47:18.098499060 CEST | 53 | 49199 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 21:47:19.082519054 CEST | 50620 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 21:47:19.132920027 CEST | 53 | 50620 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 21:47:50.077451944 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 21:47:50.228658915 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 21:48:03.933945894 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 21:48:03.984332085 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 21:48:05.810849905 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 21:48:05.859726906 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 21:48:06.234451056 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 21:48:06.294487000 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 21:48:09.548558950 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 21:48:09.600003004 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 21:48:11.579992056 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 21:48:11.629723072 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 21:48:13.353601933 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 21:48:13.404401064 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 21:49:12.177429914 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 21:49:12.226418018 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 21:49:28.486131907 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 21:49:28.536700964 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 21:49:36.950227976 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 21:49:37.002782106 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 21:49:37.591083050 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 21:49:37.641452074 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 21:49:37.702224970 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 21:49:37.753871918 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 21:49:39.274626017 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 21:49:39.324827909 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 21:49:39.735467911 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 21:49:39.786880016 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3 |
May 4, 2021 21:50:16.188381910 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8 |
May 4, 2021 21:50:16.240567923 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3 |
Code Manipulations |
---|
Statistics |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 21:47:17 |
Start date: | 04/05/2021 |
Path: | C:\Windows\System32\loaddll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xdb0000 |
File size: | 116736 bytes |
MD5 hash: | 542795ADF7CC08EFCF675D65310596E8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 21:47:18 |
Start date: | 04/05/2021 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xbd0000 |
File size: | 232960 bytes |
MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 21:47:18 |
Start date: | 04/05/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xf90000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 21:47:18 |
Start date: | 04/05/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xf90000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | high |
General |
---|
Start time: | 21:48:02 |
Start date: | 04/05/2021 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x50000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 21:48:09 |
Start date: | 04/05/2021 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x50000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 21:48:11 |
Start date: | 04/05/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xf90000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | high |
General |
---|
Start time: | 21:48:11 |
Start date: | 04/05/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xf90000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | high |
General |
---|
Start time: | 21:48:11 |
Start date: | 04/05/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xf90000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | high |
General |
---|
Start time: | 21:48:12 |
Start date: | 04/05/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xf90000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | high |
General |
---|
Start time: | 21:48:12 |
Start date: | 04/05/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xf90000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | high |
General |
---|
Start time: | 21:49:24 |
Start date: | 04/05/2021 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x50000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 21:49:28 |
Start date: | 04/05/2021 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x50000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 21:49:35 |
Start date: | 04/05/2021 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x50000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 21:49:35 |
Start date: | 04/05/2021 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x50000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 21:50:13 |
Start date: | 04/05/2021 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1050000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Disassembly |
---|
Code Analysis |
---|