Edit tour
Windows
Analysis Report
BJp3aUvrt9
Overview
General Information
| Sample Name: | BJp3aUvrt9 (renamed file extension from none to dll) |
| Analysis ID: | 628121 |
| MD5: | 9046f78804227bd742d558325fa8f4c0 |
| SHA1: | 37ddabb88b909290e1da368f275448a880887482 |
| SHA256: | e34af6effb596517e32ddf82fb283e8b844ec34d373f4e04e93e9916d26c287d |
| Tags: | dll |
| Infos: |  |
 | |
Detection
Ursnif
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Found API chain indicative of debugger detection
Machine Learning detection for sample
Found evasive API chain (may stop execution after checking system information)
Writes registry values via WMI
Uses 32bit PE files
One or more processes crash
Uses code obfuscation techniques (call, push, ret)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
loaddll32.exe (PID: 6424 cmdline: loaddll32. exe "C:\Us ers\user\D esktop\BJp 3aUvrt9.dl l" MD5: 7DEB5DB86C0AC789123DEC286286B938) 
cmd.exe (PID: 6452 cmdline: cmd.exe /C rundll32. exe "C:\Us ers\user\D esktop\BJp 3aUvrt9.dl l",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D) 
rundll32.exe (PID: 6472 cmdline: rundll32.e xe "C:\Use rs\user\De sktop\BJp3 aUvrt9.dll ",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D) 
WerFault.exe (PID: 6532 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 6 424 -s 388 MD5: 9E2B8ACAD48ECCA55C0230D63623661B) - WerFault.exe (PID: 6604 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 6 424 -s 396 MD5: 9E2B8ACAD48ECCA55C0230D63623661B) - WerFault.exe (PID: 6800 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 6 424 -s 424 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
- cleanup
{"RSA Public Key": "uFHdIp1dwWhvkEA2yTiBbeuMW6YDB1lsKD5xr+wbKQpSTgCxKW/AXnU7L/HiYIBOAaOvelJb2/pY2jRw/FTeNeGEktAn4DWXMKOPXXT0NA64cjWTlmZ01c3ZQu3caOM/Vp3zMRoE3uvOCFkw5pB9m5AVXCHf7c66rMBTCpzNlB06TLav0Zslv7QoNXagpBRObC3w6aRV9zoEMPsKo8dDtjcXrpjT3cmo/nK2BeLeCRHw4m+Z1wNt/QFKG0JSvLN7KWGp2TqLTGCk8sWmJopJGBcCeH8dEEcUduFFgdi8Cilu/K4cd0diqylW1QdRW2VJSAgt/TyNLQ8XGjESLVVFp5dI5rtAU8yovXe+vZ9IsF8=", "c2_domain": ["config.edge.skype.com", "185.189.151.28", "185.189.151.70"], "botnet": "3000", "server": "50", "serpent_key": "noA8W2qeaw7z6wk9", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
| Click to see the 6 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
⊘No Sigma rule has matched
| Timestamp: | 192.168.2.313.107.42.1649754802033203 05/17/22-11:01:06.002753 |
| SID: | 2033203 |
| Source Port: | 49754 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Code function: | 2_2_010F5FBB | |
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
Networking | |
|---|
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Snort IDS: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | ASN Name: | ||
| Source: | IP Address: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 2_2_010F1CA5 | |
Key, Mouse, Clipboard, Microphone and Screen Capturing | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
E-Banking Fraud | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | 2_2_010F5FBB | |
System Summary | |
|---|
| Source: | WMI Registry write: | ||
| Source: | WMI Registry write: | ||
| Source: | WMI Registry write: | ||
| Source: | Static PE information: | ||
| Source: | Process created: | ||
| Source: | Code function: | 2_2_008F2274 | |
| Source: | Code function: | 2_2_010F4BF1 | |
| Source: | Code function: | 2_2_010F1645 | |
| Source: | Code function: | 2_2_010F829C | |
| Source: | Code function: | 2_2_008F1308 | |
| Source: | Code function: | 2_2_008F1000 | |
| Source: | Code function: | 2_2_008F2067 | |
| Source: | Code function: | 2_2_008F2495 | |
| Source: | Code function: | 2_2_010F4321 | |
| Source: | Code function: | 2_2_010F84C1 | |
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | ReversingLabs: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Classification label: | ||
| Source: | Code function: | 2_2_010F68BD | |
| Source: | Process created: | ||
| Source: | Mutant created: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Binary string: | ||
| Source: | Code function: | 2_2_008F2219 | |
| Source: | Code function: | 2_2_008F2273 | |
| Source: | Code function: | 2_2_010F829B | |
| Source: | Code function: | 2_2_010F7EA9 | |
| Source: | Static PE information: | ||
| Source: | Code function: | 2_2_008F15E3 | |
| Source: | Static PE information: | ||
Hooking and other Techniques for Hiding and Protection | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | Evasive API call chain: | ||
| Source: | Check user administrative privileges: | ||
| Source: | Binary or memory string: | ||
Anti Debugging | |
|---|
| Source: | Debugger detection routine: | ||
| Source: | Code function: | 2_2_008F15E3 | |
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 2_2_010F3365 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Code function: | 2_2_008F1C83 | |
| Source: | Code function: | 2_2_008F10C4 | |
| Source: | Code function: | 2_2_010F3365 | |
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | 1 Windows Management Instrumentation | Path Interception | 111 Process Injection | 11 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | Exfiltration Over Other Network Medium | 2 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 Data Encrypted for Impact |
| Default Accounts | 12 Native API | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 111 Process Injection | LSASS Memory | 111 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Rundll32 | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 Remote System Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 114 System Information Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 32% | ReversingLabs | Win32.Trojan.Generic | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | HEUR/AGEN.1245293 | Download File |
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe |
⊘No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| true |
| unknown | ||
| true |
| unknown | ||
| true |
| unknown | ||
| true |
| unknown | ||
| false |
| low |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 185.189.151.70 | unknown | Switzerland | 51395 | AS-SOFTPLUSCH | true | |
| 185.189.151.28 | unknown | Switzerland | 51395 | AS-SOFTPLUSCH | true |
| Joe Sandbox Version: | 34.0.0 Boulder Opal |
| Analysis ID: | 628121 |
| Start date and time: 17/05/202210:59:07 | 2022-05-17 10:59:07 +02:00 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 8m 52s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Sample file name: | BJp3aUvrt9 (renamed file extension from none to dll) |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 36 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal100.troj.evad.winDLL@8/12@0/2 |
| EGA Information: |
|
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
- Excluded IPs from analysis (whitelisted): 52.182.143.212, 13.107.42.16
- Excluded domains from analysis (whitelisted): fs.microsoft.com, config.edge.skype.com.trafficmanager.net, arc.msn.com, ris.api.iris.microsoft.com, onedsblobprdcus15.centralus.cloudapp.azure.com, store-images.s-microsoft.com, login.live.com, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, l-0007.l-msedge.net, config.edge.skype.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 11:00:28 | API Interceptor | |
| 11:01:00 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| 185.189.151.70 | Get hash | malicious | Browse | ||
| Get hash | malicious | Browse | |||
| 185.189.151.28 | Get hash | malicious | Browse | ||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse |
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| AS-SOFTPLUSCH | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
⊘No context
⊘No context
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_13ec5c98984773435626ad7d5b7558cb4938ccf_7cac0383_1985ef9c\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.7490316764233721 |
| Encrypted: | false |
| SSDEEP: | 96:gG6uFxLWJnYyCy9haot7JnOpXIQcQac6pcEccw35+a+z+HbHgIVG4rmMXL9iVffk:xbGnaH0tGtjbq/u7skS274ItW |
| MD5: | 24141771F0348D4D2165E1C941A1787B |
| SHA1: | 9547CBA944AE3D174D3CEC21B225C3F54AB002DF |
| SHA-256: | ABB363145D8BCAFB5E2786F6AEC6B37A633B62DB331E531EFDD265EE6371D88D |
| SHA-512: | 237007822C3FB9D4614D327742330E58707753128FE980A2D24D4FB530461B645E8D4E00B82DC190E762E79820ACA3424B468226728D7DF8B88D5C4CD3221138 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_61eae61638761e2a39674020347ca413fb22393_7cac0383_19cdd4c1\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.7419357989377661 |
| Encrypted: | false |
| SSDEEP: | 96:UfiBTWJnYypy9haFCj+kSZpXIQcQac6pcEccw35+a+z+HbHgIVG4rmMXL9iVff9o:yiBCnXH0tGtjbq/u7s/S274Itb |
| MD5: | 22BEBF100C00B60C01CD3402F3B3779B |
| SHA1: | 200682AEFFBEA38E807BF478AC5A74612C870AC6 |
| SHA-256: | 7BDC06AB615B766001F79167D9C844ABB7463A379739C0FC099B9D176ADD1ABF |
| SHA-512: | 0761F41B6B3210F299F3FB985F3FBCECDDE0EC468A6EF9DD5486541CA0807331254F276C78B4CB134A16DBA030D9CC3CCA9C9CB103FC54DE27F96626EEE3FCFA |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_b75bd23440526356a090f9cb45508f9dce6e86_7cac0383_1ada168d\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.7452090624012112 |
| Encrypted: | false |
| SSDEEP: | 96:ctF/k8WJnYymy9haFCjmfIpXIQcQsc6LcENcw3CM+a+z+HbHgIVG4rmMXL9iVffk:kmxnXHSPX7jbq/u7skS274ItW |
| MD5: | D39E373EA80BDB4ABEA47E895F4CDB01 |
| SHA1: | C175A2016669C7E8C44BDF09002D5BDF1C4F24F7 |
| SHA-256: | BEE31382B92DAFF45275431A897D4A8D0D2028075B05A75555752C54D8C58E74 |
| SHA-512: | 601E58D0DA8F7E1051A95F095ED7579C3D72F917EFA0D780A481E89A95280B48582835AB7F7E715A9845AFA8B8FFE71382368CC227C1B7A986A045B0364A33B3 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4558 |
| Entropy (8bit): | 4.428766017452063 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwSD8zshJgtWI9kiWgc8sqYjz38fm8M4J2+A+XFqz+q84fSvg2KcQIcQw0hdd:uITfzPjgrsqYPcJ/qMnKkw0hdd |
| MD5: | AA35D5A5B6894F05AC4C0E9A9332472F |
| SHA1: | 494B810764D38A322B11D47A081871CE22B83BA7 |
| SHA-256: | 31F35E36D5DA16819901B80714ACBD7C4EBB1D5910A42472EB79E48AE52E1A83 |
| SHA-512: | 040CB17A5E12566F27FCB923158FDCDF70B6ABA1840C3F818D0F1B82E77FFADCE5FDD1981B8F8B34118F40C6C36749DA251A95CF4AF50093E438E0D2A693AEF4 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 47674 |
| Entropy (8bit): | 2.2871381466825977 |
| Encrypted: | false |
| SSDEEP: | 384:8PezsKaQ+EuwDScxGzTGcwiO3vDL/2B/zp70cU3:8PusWgwDvGXK3vDLu83 |
| MD5: | 5509847FFAD6A604DCEE3BDBA5607C73 |
| SHA1: | 14EF85682E5123F94333D10002631DF22EA02051 |
| SHA-256: | 0D88E25046E05ED8E98E65545C0143D7B942FE251A55E249D25E0A14B8BDFB5B |
| SHA-512: | 911659359456CCF6FE9B17722E9C4D849D7E225B8EEBAF711ECE5C3DBF45AC345A52E0EFF03B3FB35EDD32297F74F119296B0DEA97E67B94B8FDD0E7F2819844 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 34850 |
| Entropy (8bit): | 2.045569064677871 |
| Encrypted: | false |
| SSDEEP: | 192:oFHM+tYEjEOPxMrUwz23RiuqCkI6lKWesjR+6:9yPOIwz2B/rp60Wes |
| MD5: | DBE2F603F81E822005E12B636CC8F37A |
| SHA1: | 52BF00112ECD0672AA3EAE48C6BBCAB030F8870C |
| SHA-256: | F1F7B4F8CDCAC7FB076326CCB3F3BBAD1ECF976F0BAB451728053A494BFD036D |
| SHA-512: | F0D01F7FBCD8C147AFC11A675B64A6CB3C85EE7E116FCD03A5AB4F8587DE635D131B378537CBAFA17A8E829BBDBB38CC665D540E4126264C6A4EBB8DD83B92F6 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8346 |
| Entropy (8bit): | 3.6893675787544065 |
| Encrypted: | false |
| SSDEEP: | 192:Rrl7r3GLNieA6I06YWySUOuKgmfHSvCpNj89b4p1fTibIm:RrlsNip6I06YjSUOuKgmfHSF4LfTiB |
| MD5: | 4987BD8F38F3176EA061DE3C70FFB3AE |
| SHA1: | B8E8C8BE9218A26830068FEF0E4D2E9ACAB109C4 |
| SHA-256: | C71E98FB80478A643390D78BDCE471BF2A841F44F5D9DBAD9D7B8325E572E37F |
| SHA-512: | 50675E5D76C5A334E9F37BE06ADF82377517766DF3011162042ED016ED8E55CACC89E54385181FC09D279937186B17FB886D097B13706150465CA03C8D7AB0A7 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4659 |
| Entropy (8bit): | 4.418360328033601 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwSD8zsaJgtWI9kiWgc8sqYj08fm8M4J2+AKkFag+q8vQ+AKB2KcQIcQw0h8d:uITfoPjgrsqYVJPNgKxEKkw0h8d |
| MD5: | F24A79F2EBB558B3CF4BA99D079908A2 |
| SHA1: | 680AE2D2E24E3288847EA0EF881E04912FB10BCA |
| SHA-256: | 226C608C343E7570FA0F48FAAE525A49D5D113FE8D07AF42D78108C8CC7D9215 |
| SHA-512: | C4E38045B7DC09B6210A203FE2899EC5AFA4DCE8C43D9DEA22AB348711F82540175FBEEA6EE487A14C68AF65A2B977B8AB5F821473E6E12ABC1B52CD358C5C05 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 34650 |
| Entropy (8bit): | 1.9851963209158827 |
| Encrypted: | false |
| SSDEEP: | 192:+ws3+xSbOPnFgq6r23RiuiCkIFlKnP+meCxy/YepTB:pSiPnFgq6r2B/jpF0nP++M |
| MD5: | 0277A1753C5E96067D53F043D6A85F77 |
| SHA1: | EB9C9E8B4B62E292C908336CB2107C02465F1B57 |
| SHA-256: | AB2DF3ABD65E75703AD26565148A893AE2A15CE0FD41071BF5151B2969022F51 |
| SHA-512: | 1853C2EB35870652AB6F6B561EB85F61B7C53C186FC01B1FD88ED636F03B730C5033C93C8B65323AA24A91E3D3D745EBC87B2014CF3C1D8781AF19A26A6BA6F8 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8334 |
| Entropy (8bit): | 3.6989805425570728 |
| Encrypted: | false |
| SSDEEP: | 192:Rrl7r3GLNiejZ6cx6YWuSUMZgmffSvCprj89blBsfPXm:RrlsNiwZ6cx6YfSUMZgmffSzl6fe |
| MD5: | 4FE019ACEA2068A2CD647811D69D21E8 |
| SHA1: | B21371DC73D60C8D53024F300146D13897B5BAE4 |
| SHA-256: | 980C155A61157C06A302625AF339D1E5BB2F246C7CBCCB5A29E4F489A1346D05 |
| SHA-512: | 183C013E53A9F4D8EA635A5A83804E5D28FB80BD2104993238226D11E349760DBD82DB8BB2B21372665BF4BADB17317008F71B2E679F77A16177C05A287A7B10 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4598 |
| Entropy (8bit): | 4.471011953494763 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwSD8zshJgtWI9kiWgc8sqYj68fm8M4J2+cZFi+q849BG2KcQIcQw0hdd:uITfzPjgrsqYrJ+W3ZKkw0hdd |
| MD5: | 43BF7F96677B46482AE400E7B338E641 |
| SHA1: | D3EE1BCAE6406790456723BBAEDE3B42E9A39142 |
| SHA-256: | D08290638FE248B9BC31E7D9304B44AD74E160EB2ABE1CC23F60671E97AF332A |
| SHA-512: | 98C761780969B78AF7642786EDCD32C35C0DC47183489EE0C645A3B270D9C33F394CDE8CFB8D39CB56B450FD8BCF3DE93DC64AA02B4E323140121420900027B8 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8288 |
| Entropy (8bit): | 3.6923793035917205 |
| Encrypted: | false |
| SSDEEP: | 192:Rrl7r3GLNie+b645Y6YWJSUvAgmf0ScCpDv89b/Bsfl1m:RrlsNir6UY6Y4SUvAgmf0SM/6f2 |
| MD5: | 480F9648CE7C0B9612874C9BDA749C5E |
| SHA1: | ACFBE120FDE9FE114F2D7ACEB29184BAD4200903 |
| SHA-256: | 06BBC7172866F02D5460C18C3C13BBC32C5103AE31977EF4172596911AA7695A |
| SHA-512: | E4DB58FD5D018108D4438B4F62E602EB1D3E665E652FF71CB467221E6053107B05BDFFECD920A6E6A6F3A1FD39E110834C3DC5F351D2B6C9AE9DE00D1064D503 |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.254248896562745 |
| TrID: |
|
| File name: | BJp3aUvrt9.dll |
| File size: | 442368 |
| MD5: | 9046f78804227bd742d558325fa8f4c0 |
| SHA1: | 37ddabb88b909290e1da368f275448a880887482 |
| SHA256: | e34af6effb596517e32ddf82fb283e8b844ec34d373f4e04e93e9916d26c287d |
| SHA512: | 29051fe2ba6908eee8d68af4331bb830d21ce78830f057783b0b0f9d595d6d6f62b402b31495205c13e14a4f74cedb68f20c693ed2717aa8eaf5704975cae475 |
| SSDEEP: | 6144:oW1iktBgcV9yjYJrTOkRLookGIw8OaDSOKdPmo6iJTk/DmpFkbakc+abuFGGGGGD:oW44BgcV9yjY1OkEGx/V72/DmSH6/ |
| TLSH: | 5294E00965216A6ED9DC273DC9E1D31B1D62B75CD23E70BE3CF43C9F7AE6125820428A |
| File Content Preview: | MZ......................@...........................................................(.......0...w+!.W....]v...............4.....Y^........7.......x.........<.............A.............., ......,%.......{.......7.o.......O.....4.......5.......@.....Rich... |
 | |
| Icon Hash: | 9068eccc64f6e2ad |
| Entrypoint: | 0x4014d0 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
| DLL Characteristics: | TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x3EC34607 [Thu May 15 07:47:19 2003 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 0 |
| File Version Major: | 5 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 0 |
| Import Hash: | a2b7486f7219709bc441af397fbc35ab |
| Instruction |
|---|
| push ebp |
| mov ebp, esp |
| add ecx, FFFFFFFFh |
| call 00007F28450A90AAh |
| pop eax |
| pop eax |
| mov dword ptr [0041461Ch], eax |
| mov edx, dword ptr [00414738h] |
| sub edx, 00005289h |
| call edx |
| mov eax, ebx |
| mov dword ptr [00414618h], eax |
| mov eax, esi |
| mov dword ptr [00414610h], eax |
| mov dword ptr [00414620h], ebp |
| mov dword ptr [00414614h], edi |
| add dword ptr [00414620h], 00000004h |
| loop 00007F28450A9057h |
| mov dword ptr [ebp+00h], eax |
| nop |
| nop |
| nop |
| push esp |
| pop edi |
| xor dl, dh |
| cli |
| inc ebp |
| lds eax, fword ptr [ecx+34h] |
| cmpsb |
| std |
| xchg dword ptr [ebp-1ED6E020h], edi |
| stosd |
| ror al, cl |
| dec eax |
| salc |
| imul edx, dword ptr [edi+61h], 3Fh |
| or byte ptr [eax], ch |
| mov al, 87h |
| dec ch |
| cli |
| xchg eax, edi |
| inc ebp |
| fdivr qword ptr [edi-20h] |
| aas |
| int 45h |
| fild word ptr [ebx-1BDC28CCh] |
| add byte ptr [0237275Fh], dl |
| inc ebx |
| js 00007F28450A910Eh |
| enter 53A9h, 5Ch |
| rol byte ptr [esi], cl |
| loop 00007F28450A90CCh |
| mov byte ptr [edi], bl |
| stc |
| xchg byte ptr [ebp+423D73FAh], ah |
| push 00000074h |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xdd7c | 0x8c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x62000 | 0x9f28 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6c000 | 0xf40 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0xd000 | 0xb8 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xb8a0 | 0xc000 | False | 0.081298828125 | data | 1.12180017202 | IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_LNK_OVER, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_GPREL, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_MEM_READ |
| .rdata | 0xd000 | 0x121f | 0x2000 | False | 0.18701171875 | data | 4.11729761685 | IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_OTHER, IMAGE_SCN_LNK_INFO, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_MEM_READ |
| .data | 0xf000 | 0x7ac0 | 0x6000 | False | 0.376546223958 | data | 6.0108388439 | IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_GPREL, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_MEM_READ |
| .crt | 0x17000 | 0x1dcbd | 0x1e000 | False | 0.988419596354 | data | 7.98105173778 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .erloc | 0x35000 | 0x2ca3b | 0x2d000 | False | 0.988259548611 | data | 7.98162384749 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x62000 | 0x9f28 | 0xa000 | False | 0.602783203125 | data | 6.51663069246 | IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_LNK_INFO, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_MEM_READ |
| .reloc | 0x6c000 | 0x1360 | 0x2000 | False | 0.223266601562 | data | 3.77920644751 | IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_OTHER, IMAGE_SCN_LNK_INFO, IMAGE_SCN_LNK_OVER, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_GPREL, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_BITMAP | 0x62360 | 0x666 | data | English | United States |
| RT_ICON | 0x629c8 | 0x485d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States |
| RT_ICON | 0x67228 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 331218944, next used block 4106092544 | English | United States |
| RT_ICON | 0x697d0 | 0xea8 | data | English | United States |
| RT_ICON | 0x6a678 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States |
| RT_ICON | 0x6af20 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States |
| RT_DIALOG | 0x6b488 | 0xb4 | data | English | United States |
| RT_DIALOG | 0x6b540 | 0x120 | data | English | United States |
| RT_DIALOG | 0x6b660 | 0x158 | data | English | United States |
| RT_DIALOG | 0x6b7b8 | 0x202 | data | English | United States |
| RT_DIALOG | 0x6b9c0 | 0xf8 | data | English | United States |
| RT_DIALOG | 0x6bab8 | 0xa0 | data | English | United States |
| RT_DIALOG | 0x6bb58 | 0xee | data | English | United States |
| RT_GROUP_ICON | 0x6bc48 | 0x4c | data | English | United States |
| RT_VERSION | 0x6bc98 | 0x290 | MS Windows COFF PA-RISC object file | English | United States |
| DLL | Import |
|---|---|
| USER32.dll | IsWindow, LockWorkStation, ExitWindowsEx, LoadCursorFromFileA, IsWindowEnabled, GetMessagePos, GetClassNameA, GetClientRect, GetUpdateRgn, GetWindowWord |
| KERNEL32.dll | GlobalFree, GetCommState, LockFile, EnumResourceTypesA, GetProcAddress, GetVolumePathNamesForVolumeNameW, GetShortPathNameW, GlobalMemoryStatus, WriteProcessMemory, GlobalFlags, GetFileTime, GetThreadLocale, LocalHandle, GetBinaryTypeA, GetModuleFileNameA |
| OLEAUT32.dll | LoadTypeLibEx |
| msvcrt.dll | strcoll, strftime, strtod, strncmp, fgetwc |
| GDI32.dll | GetCharWidthFloatA, GetTextMetricsW, GdiFlush, ExtEscape |
| ADVAPI32.dll | RegGetValueA, EnumServicesStatusExW, FreeEncryptionCertificateHashList, GetUserNameW, GetSidSubAuthorityCount |
| Description | Data |
|---|---|
| LegalCopyright | A Company. All rights reserved. |
| InternalName | |
| FileVersion | 1.0.0.0 |
| CompanyName | A Company |
| ProductName | |
| ProductVersion | 1.0.0.0 |
| FileDescription | |
| OriginalFilename | myfile.exe |
| Translation | 0x0409 0x04b0 |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 192.168.2.313.107.42.1649754802033203 05/17/22-11:01:06.002753 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49754 | 80 | 192.168.2.3 | 13.107.42.16 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| May 17, 2022 11:01:26.059310913 CEST | 49755 | 80 | 192.168.2.3 | 185.189.151.28 |
| May 17, 2022 11:01:29.072530031 CEST | 49755 | 80 | 192.168.2.3 | 185.189.151.28 |
| May 17, 2022 11:01:35.088505030 CEST | 49755 | 80 | 192.168.2.3 | 185.189.151.28 |
| May 17, 2022 11:03:07.316875935 CEST | 49825 | 80 | 192.168.2.3 | 185.189.151.70 |
| May 17, 2022 11:03:10.331608057 CEST | 49825 | 80 | 192.168.2.3 | 185.189.151.70 |
| May 17, 2022 11:03:16.332169056 CEST | 49825 | 80 | 192.168.2.3 | 185.189.151.70 |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 11:00:15 |
| Start date: | 17/05/2022 |
| Path: | C:\Windows\System32\loaddll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x220000 |
| File size: | 116736 bytes |
| MD5 hash: | 7DEB5DB86C0AC789123DEC286286B938 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Target ID: | 1 |
| Start time: | 11:00:16 |
| Start date: | 17/05/2022 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xc20000 |
| File size: | 232960 bytes |
| MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Target ID: | 2 |
| Start time: | 11:00:16 |
| Start date: | 17/05/2022 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x11d0000 |
| File size: | 61952 bytes |
| MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | high |
| Target ID: | 4 |
| Start time: | 11:00:18 |
| Start date: | 17/05/2022 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xc70000 |
| File size: | 434592 bytes |
| MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Target ID: | 6 |
| Start time: | 11:00:23 |
| Start date: | 17/05/2022 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xc70000 |
| File size: | 434592 bytes |
| MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Target ID: | 9 |
| Start time: | 11:00:34 |
| Start date: | 17/05/2022 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xc70000 |
| File size: | 434592 bytes |
| MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
Execution Graph
| Execution Coverage: | 5.9% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 10 |
| Total number of Limit Nodes: | 1 |
Graph
Callgraph
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 50% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 008F1308 Relevance: 13.6, APIs: 9, Instructions: 120sleepnativesynchronizationCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 83% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 69% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 96% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010F4321 Relevance: 10.6, APIs: 7, Instructions: 81nativeCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 38% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 70% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 008F1000 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70nativeCOMMON
Download Yara Rule
| C-Code - Quality: 72% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 008F2067 Relevance: 1.5, APIs: 1, Instructions: 34nativeCOMMON
Download Yara Rule
| C-Code - Quality: 68% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 70% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 92% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010F7F35 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 209libraryCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 51% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 83% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 74% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 93% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010F6C41 Relevance: 10.6, APIs: 7, Instructions: 75COMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010F1D33 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68stringCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 64% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 008F1846 Relevance: 9.1, APIs: 6, Instructions: 71memoryCOMMON
Download Yara Rule
| C-Code - Quality: 86% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010F6954 Relevance: 9.0, APIs: 6, Instructions: 45networkCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010F3D2C Relevance: 7.7, APIs: 5, Instructions: 159memoryCOMMON
Download Yara Rule
| C-Code - Quality: 57% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010F19E2 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145stringCOMMON
Download Yara Rule
| C-Code - Quality: 22% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 008D1A0A Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 218memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010F74FE Relevance: 6.1, APIs: 4, Instructions: 104memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 65% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 008F1B7F Relevance: 6.0, APIs: 4, Instructions: 30threadCOMMON
Download Yara Rule
| C-Code - Quality: 87% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 50% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 008F197C Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 95memoryCOMMON
Download Yara Rule
| C-Code - Quality: 86% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010F216C Relevance: 4.6, APIs: 3, Instructions: 94memoryCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 008F1A9D Relevance: 4.6, APIs: 3, Instructions: 68memoryCOMMON
Download Yara Rule
| C-Code - Quality: 87% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010F6E6D Relevance: 4.6, APIs: 3, Instructions: 58COMMON
Download Yara Rule
| C-Code - Quality: 47% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010F46CB Relevance: 3.1, APIs: 2, Instructions: 112COMMON
Download Yara Rule
| C-Code - Quality: 75% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010F22D7 Relevance: 3.0, APIs: 2, Instructions: 40COMMON
Download Yara Rule
| C-Code - Quality: 37% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010F1CD6 Relevance: 3.0, APIs: 2, Instructions: 26memoryCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010F1B6F Relevance: 1.5, APIs: 1, Instructions: 49COMMON
Download Yara Rule
| C-Code - Quality: 34% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 008F1FB2 Relevance: 1.5, APIs: 1, Instructions: 8COMMON
Download Yara Rule
| C-Code - Quality: 37% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010F6D63 Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010F6C2C Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 008D10FF Relevance: 1.3, APIs: 1, Instructions: 85memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 008F153F Relevance: 1.3, APIs: 1, Instructions: 70COMMON
Download Yara Rule
| C-Code - Quality: 85% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010F155C Relevance: 1.3, APIs: 1, Instructions: 43memoryCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010F24B3 Relevance: 1.3, APIs: 1, Instructions: 36stringCOMMON
Download Yara Rule
| C-Code - Quality: 75% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 93% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010F68BD Relevance: 6.0, APIs: 4, Instructions: 41processCOMMON
Download Yara Rule
| C-Code - Quality: 68% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 008F10C4 Relevance: 6.0, APIs: 4, Instructions: 40COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010F4BF1 Relevance: 1.9, APIs: 1, Instructions: 611COMMONCrypto
Download Yara Rule
| C-Code - Quality: 49% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 008F2495 Relevance: 1.7, APIs: 1, Instructions: 195nativeCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010F84C1 Relevance: 1.7, APIs: 1, Instructions: 195nativeCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 008F2274 Relevance: .1, Instructions: 77COMMONCrypto
Download Yara Rule
| C-Code - Quality: 71% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010F829C Relevance: .1, Instructions: 77COMMONCrypto
Download Yara Rule
| C-Code - Quality: 71% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 75% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 43% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010F402A Relevance: 10.6, APIs: 7, Instructions: 109librarymemoryloaderCOMMON
Download Yara Rule
| C-Code - Quality: 73% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010F4A85 Relevance: 10.6, APIs: 7, Instructions: 92networksynchronizationCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010F3F07 Relevance: 9.1, APIs: 6, Instructions: 126memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010F3472 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167stringCOMMON
Download Yara Rule
| C-Code - Quality: 88% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010F2A11 Relevance: 7.6, APIs: 5, Instructions: 83COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010F6D78 Relevance: 7.5, APIs: 5, Instructions: 37COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 46% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010F5B9D Relevance: 6.2, APIs: 4, Instructions: 154memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010F1DE3 Relevance: 6.1, APIs: 4, Instructions: 136COMMON
Download Yara Rule
| C-Code - Quality: 85% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 87% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010F70D8 Relevance: 6.1, APIs: 4, Instructions: 87sleepCOMMON
Download Yara Rule
| C-Code - Quality: 39% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 78% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 68% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010F227F Relevance: 6.0, APIs: 4, Instructions: 40COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010F7607 Relevance: 6.0, APIs: 4, Instructions: 29memoryCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 37% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010F45C4 Relevance: 5.1, APIs: 4, Instructions: 70stringCOMMON
Download Yara Rule
| C-Code - Quality: 58% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010F28C4 Relevance: 5.0, APIs: 4, Instructions: 39stringCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010F393C Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |