Edit tour
Windows
Analysis Report
grass.exe
Overview
General Information
| Sample name: | grass.exe |
| Analysis ID: | 1559571 |
| MD5: | bde4b588168e995961f49b6cb7576594 |
| SHA1: | 1a28c66e77e4a7cea5b2e49d116dd20d3d046120 |
| SHA256: | bedf5dc3e40558fcffb4eee7d9efc20db06a1f77433e0c46d247dd4f2640e6f0 |
| Infos: | |
 | |
Detection
| Score: | 48 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found pyInstaller with non standard icon
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Classification
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Joe Sandbox ML: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_000000013F1287E0 | |
| Source: | Code function: | 0_2_000000013F127820 | |
| Source: | Code function: | 0_2_000000013F142A84 | |
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 0_2_000000013F146E10 | |
| Source: | Code function: | 0_2_000000013F127E40 | |
| Source: | Code function: | 0_2_000000013F147B74 | |
| Source: | Code function: | 0_2_000000013F1336F0 | |
| Source: | Code function: | 0_2_000000013F133F2C | |
| Source: | Code function: | 0_2_000000013F13EF58 | |
| Source: | Code function: | 0_2_000000013F132758 | |
| Source: | Code function: | 0_2_000000013F138FC0 | |
| Source: | Code function: | 0_2_000000013F144E20 | |
| Source: | Code function: | 0_2_000000013F147628 | |
| Source: | Code function: | 0_2_000000013F141AD8 | |
| Source: | Code function: | 0_2_000000013F139670 | |
| Source: | Code function: | 0_2_000000013F130EBC | |
| Source: | Code function: | 0_2_000000013F1316DC | |
| Source: | Code function: | 0_2_000000013F128D60 | |
| Source: | Code function: | 0_2_000000013F13ADC0 | |
| Source: | Code function: | 0_2_000000013F13F5D8 | |
| Source: | Code function: | 0_2_000000013F1343F0 | |
| Source: | Code function: | 0_2_000000013F136C90 | |
| Source: | Code function: | 0_2_000000013F130CB8 | |
| Source: | Code function: | 0_2_000000013F1314D8 | |
| Source: | Code function: | 0_2_000000013F133B28 | |
| Source: | Code function: | 0_2_000000013F1323C0 | |
| Source: | Code function: | 0_2_000000013F12A20D | |
| Source: | Code function: | 0_2_000000013F142A84 | |
| Source: | Code function: | 0_2_000000013F1452BC | |
| Source: | Code function: | 0_2_000000013F141AD8 | |
| Source: | Code function: | 0_2_000000013F13EAC4 | |
| Source: | Code function: | 0_2_000000013F1312CC | |
| Source: | Code function: | 0_2_000000013F14A938 | |
| Source: | Code function: | 0_2_000000013F1299D4 | |
| Source: | Code function: | 0_2_000000013F12983B | |
| Source: | Code function: | 0_2_000000013F14708C | |
| Source: | Code function: | 0_2_000000013F1310C8 | |
| Source: | Code function: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
Persistence and Installation Behavior | |
|---|
| Source: | Process created: | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | Code function: | 0_2_000000013F124C60 | |
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Check user administrative privileges: | graph_0-19049 | ||
| Source: | Code function: | 0_2_000000013F1287E0 | |
| Source: | Code function: | 0_2_000000013F127820 | |
| Source: | Code function: | 0_2_000000013F142A84 | |
| Source: | Code function: | 0_2_000000013F12C69C | |
| Source: | Code function: | 0_2_000000013F144690 | |
| Source: | Code function: | 0_2_000000013F12C180 | |
| Source: | Code function: | 0_2_000000013F12BE00 | |
| Source: | Code function: | 0_2_000000013F12C69C | |
| Source: | Code function: | 0_2_000000013F13B4F8 | |
| Source: | Code function: | 0_2_000000013F12C840 | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_000000013F14A780 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_000000013F12C580 | |
| Source: | Code function: | 0_2_000000013F146E10 | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 11 Process Injection | 11 Process Injection | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 2 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 22 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 12% | ReversingLabs | Win64.Malware.Generic | ||
| 100% | Joe Sandbox ML |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high |
⊘No contacted IP infos
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1559571 |
| Start date and time: | 2024-11-20 17:19:22 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 3m 13s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
| Number of analysed new started processes analysed: | 4 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | grass.exe |
| Detection: | MAL |
| Classification: | mal48.winEXE@3/36@0/0 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
- Not all processes where analyzed, report is missing behavior information
- VT rate limit hit for: grass.exe
| Time | Type | Description |
|---|---|---|
| 11:20:17 | API Interceptor |
⊘No context
⊘No context
⊘No context
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\_MEI33562\VCRUNTIME140.dll | Get hash | malicious | Unknown | Browse | ||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Braodo | Browse | |||
| Get hash | malicious | HackBrowser | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse |
| Process: | C:\Users\user\Desktop\grass.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 98224 |
| Entropy (8bit): | 6.452201564717313 |
| Encrypted: | false |
| SSDEEP: | 1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U |
| MD5: | F34EB034AA4A9735218686590CBA2E8B |
| SHA1: | 2BC20ACDCB201676B77A66FA7EC6B53FA2644713 |
| SHA-256: | 9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1 |
| SHA-512: | D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF |
| Malicious: | false |
| Antivirus: |
|
| Joe Sandbox View: |
|
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\grass.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65304 |
| Entropy (8bit): | 6.192082137044192 |
| Encrypted: | false |
| SSDEEP: | 1536:owmuopcJpmVwR40axzEfRILOnMv7SySmPxe:owmu4/mR40axzEfRILOnw3xe |
| MD5: | 33D0B6DE555DDBBBD5CA229BFA91C329 |
| SHA1: | 03034826675AC93267CE0BF0EAEC9C8499E3FE17 |
| SHA-256: | A9A99A2B847E46C0EFCE7FCFEFD27F4BCE58BAF9207277C17BFFD09EF4D274E5 |
| SHA-512: | DBBD1DDFA445E22A0170A628387FCF3CB95E6F8B09465D76595555C4A67DA4274974BA7B348C4C81FE71C68D735C13AACB8063D3A964A8A0556FB000D68686B7 |
| Malicious: | false |
| Antivirus: |
|
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\grass.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 820736 |
| Entropy (8bit): | 6.056282443190043 |
| Encrypted: | false |
| SSDEEP: | 12288:tY0Uu7wLsglBv4i5DGAqXMAHhlyL82XTw05nmZfRFo:tp0NA1tAmZfR |
| MD5: | EE3D454883556A68920CAAEDEFBC1F83 |
| SHA1: | 45B4D62A6E7DB022E52C6159EEF17E9D58BEC858 |
| SHA-256: | 791E7195D7DF47A21466868F3D7386CFF13F16C51FCD0350BF4028E96278DFF1 |
| SHA-512: | E404ADF831076D27680CC38D3879AF660A96AFC8B8E22FFD01647248C601F3C6C4585D7D7DC6BBD187660595F6A48F504792106869D329AA1A0F3707D7F777C6 |
| Malicious: | false |
| Antivirus: |
|
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\grass.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 83736 |
| Entropy (8bit): | 6.595094797707322 |
| Encrypted: | false |
| SSDEEP: | 1536:hXOz78ZqjUyAsIi7W/5+D8W35mjZm35ILCVM7SyfYPxe:pOzwpyAFi7WMgW34jZm35ILCVMZoxe |
| MD5: | 86D1B2A9070CD7D52124126A357FF067 |
| SHA1: | 18E30446FE51CED706F62C3544A8C8FDC08DE503 |
| SHA-256: | 62173A8FADD4BF4DD71AB89EA718754AA31620244372F0C5BBBAE102E641A60E |
| SHA-512: | 7DB4B7E0C518A02AE901F4B24E3860122ACC67E38E73F98F993FE99EB20BB3AA539DB1ED40E63D6021861B54F34A5F5A364907FFD7DA182ADEA68BBDD5C2B535 |
| Malicious: | false |
| Antivirus: |
|
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\grass.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 123672 |
| Entropy (8bit): | 6.047035801914277 |
| Encrypted: | false |
| SSDEEP: | 3072:0OEESRiaiH6lU1vxqfrId0sx3gVILLPykxA:hj+I1vAfrIRx3gN |
| MD5: | 1635A0C5A72DF5AE64072CBB0065AEBE |
| SHA1: | C975865208B3369E71E3464BBCC87B65718B2B1F |
| SHA-256: | 1EA3DD3DF393FA9B27BF6595BE4AC859064CD8EF9908A12378A6021BBA1CB177 |
| SHA-512: | 6E34346EA8A0AACC29CCD480035DA66E280830A7F3D220FD2F12D4CFA3E1C03955D58C0B95C2674AEA698A36A1B674325D3588483505874C2CE018135320FF99 |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\grass.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 254744 |
| Entropy (8bit): | 6.564308911485739 |
| Encrypted: | false |
| SSDEEP: | 6144:3LT2sto29vTlN5cdIKdo4/3VaV8FlBa9qWMa3pLW1A/T8O51j4iab9M:H2s/9vTlPcdk4vVtFU98iIu |
| MD5: | 20C77203DDF9FF2FF96D6D11DEA2EDCF |
| SHA1: | 0D660B8D1161E72C993C6E2AB0292A409F6379A5 |
| SHA-256: | 9AAC010A424C757C434C460C3C0A6515D7720966AB64BAD667539282A17B4133 |
| SHA-512: | 2B24346ECE2CBD1E9472A0E70768A8B4A5D2C12B3D83934F22EBDC9392D9023DCB44D2322ADA9EDBE2EB0E2C01B5742D2A83FA57CA23054080909EC6EB7CF3CA |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\grass.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 64792 |
| Entropy (8bit): | 6.223467179037751 |
| Encrypted: | false |
| SSDEEP: | 1536:/smKJPganCspF1dqZAC2QjP2RILOIld7SyEPxDF:/smKpgNoF1dqZDnjP2RILOIv2xB |
| MD5: | D4674750C732F0DB4C4DD6A83A9124FE |
| SHA1: | FD8D76817ABC847BB8359A7C268ACADA9D26BFD5 |
| SHA-256: | CAA4D2F8795E9A55E128409CC016E2CC5C694CB026D7058FC561E4DD131ED1C9 |
| SHA-512: | 97D57CFB80DD9DD822F2F30F836E13A52F771EE8485BC0FD29236882970F6BFBDFAAC3F2E333BBA5C25C20255E8C0F5AD82D8BC8A6B6E2F7A07EA94A9149C81E |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\grass.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 158488 |
| Entropy (8bit): | 6.8491143497239655 |
| Encrypted: | false |
| SSDEEP: | 3072:j0k3SXjD9aWpAn3rb7SbuDlvNgS4fWqEznfo9mNoFTSlXZ8Ax5ILZ1GIxq:j0kiXjD9v8X7Euk4wYOFTafxn |
| MD5: | 7447EFD8D71E8A1929BE0FAC722B42DC |
| SHA1: | 6080C1B84C2DCBF03DCC2D95306615FF5FCE49A6 |
| SHA-256: | 60793C8592193CFBD00FD3E5263BE4315D650BA4F9E4FDA9C45A10642FD998BE |
| SHA-512: | C6295D45ED6C4F7534C1A38D47DDC55FEA8B9F62BBDC0743E4D22E8AD0484984F8AB077B73E683D0A92D11BF6588A1AE395456CFA57DA94BB2A6C4A1B07984DE |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\grass.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 34584 |
| Entropy (8bit): | 6.41423936733334 |
| Encrypted: | false |
| SSDEEP: | 768:eZt56pxGyC572edLMILWt3u5YiSyvCVPxWElj:eL5PyC572edLMILWt3E7SyqPx3 |
| MD5: | A9A0588711147E01EED59BE23C7944A9 |
| SHA1: | 122494F75E8BB083DDB6545740C4FAE1F83970C9 |
| SHA-256: | 7581EDEA33C1DB0A49B8361E51E6291688601640E57D75909FB2007B2104FA4C |
| SHA-512: | 6B580F5C53000DB5954DEB5B2400C14CB07F5F8BBCFC069B58C2481719A0F22F0D40854CA640EF8425C498FBAE98C9DE156B5CC04B168577F0DA0C6B13846A88 |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\grass.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 49944 |
| Entropy (8bit): | 6.381980613434177 |
| Encrypted: | false |
| SSDEEP: | 768:8AM30ie6tyw0lTnj1TulWXaSV2cFVNILXtP5YiSyvWPxWElh7:8AM3hacSV2UNILXth7SyuPxd7 |
| MD5: | FDF8663B99959031780583CCE98E10F5 |
| SHA1: | 6C0BAFC48646841A91625D74D6B7D1D53656944D |
| SHA-256: | 2EBBB0583259528A5178DD37439A64AFFCB1AB28CF323C6DC36A8C30362AA992 |
| SHA-512: | A5371D6F6055B92AC119A3E3B52B21E2D17604E5A5AC241C008EC60D1DB70B3CE4507D82A3C7CE580ED2EB7D83BB718F4EDC2943D10CB1D377FA006F4D0026B6 |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\grass.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 31512 |
| Entropy (8bit): | 6.563116725717513 |
| Encrypted: | false |
| SSDEEP: | 768:bxrUGCpa6rIxdK/rAwVILQU85YiSyvz5PxWEaAc:trUZIzYrAwVILQUG7SydPxDc |
| MD5: | D8C1B81BBC125B6AD1F48A172181336E |
| SHA1: | 3FF1D8DCEC04CE16E97E12263B9233FBF982340C |
| SHA-256: | 925F05255F4AAE0997DC4EC94D900FD15950FD840685D5B8AA755427C7422B14 |
| SHA-512: | CCC9F0D3ACA66729832F26BE12F8E7021834BBEE1F4A45DA9451B1AA5C2E63126C0031D223AF57CF71FAD2C85860782A56D78D8339B35720194DF139076E0772 |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\grass.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 79128 |
| Entropy (8bit): | 6.284790077237953 |
| Encrypted: | false |
| SSDEEP: | 1536:ZmtvsXhgzrojAs9/s+S+pGLypbyxk/DDTBVILLwX7SyiPx9:c56OzyAs9/sT+pGLypb+k/XFVILLwX4f |
| MD5: | 819166054FEC07EFCD1062F13C2147EE |
| SHA1: | 93868EBCD6E013FDA9CD96D8065A1D70A66A2A26 |
| SHA-256: | E6DEB751039CD5424A139708475CE83F9C042D43E650765A716CB4A924B07E4F |
| SHA-512: | DA3A440C94CB99B8AF7D2BC8F8F0631AE9C112BD04BADF200EDBF7EA0C48D012843B4A9FB9F1E6D3A9674FD3D4EB6F0FA78FD1121FAD1F01F3B981028538B666 |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\grass.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 160536 |
| Entropy (8bit): | 6.027748879187965 |
| Encrypted: | false |
| SSDEEP: | 3072:OwYiZ+PtocHnVXhLlasuvMETxoEBA+nbUtGnBSonJCNI5ILC7Gax1:FYk+PtocHVxx/uvPCEwhGJ |
| MD5: | 7910FB2AF40E81BEE211182CFFEC0A06 |
| SHA1: | 251482ED44840B3C75426DD8E3280059D2CA06C6 |
| SHA-256: | D2A7999E234E33828888AD455BAA6AB101D90323579ABC1095B8C42F0F723B6F |
| SHA-512: | BFE6506FEB27A592FE9CF1DB7D567D0D07F148EF1A2C969F1E4F7F29740C6BB8CCF946131E65FE5AA8EDE371686C272B0860BD4C0C223195AAA1A44F59301B27 |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\grass.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 25368 |
| Entropy (8bit): | 6.613762885337037 |
| Encrypted: | false |
| SSDEEP: | 384:KYnvEaNKFDyuiBXK55ILZw59HQIYiSy1pCQNuPxh8E9VF0Ny8cIh:FTNK4uyXK55ILZwD5YiSyvEPxWEalh |
| MD5: | B68C98113C8E7E83AF56BA98FF3AC84A |
| SHA1: | 448938564559570B269E05E745D9C52ECDA37154 |
| SHA-256: | 990586F2A2BA00D48B59BDD03D3C223B8E9FB7D7FAB6D414BAC2833EB1241CA2 |
| SHA-512: | 33C69199CBA8E58E235B96684346E748A17CC7F03FC068CFA8A7EC7B5F9F6FA90D90B5CDB43285ABF8B4108E71098D4E87FB0D06B28E2132357964B3EEA3A4F8 |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\grass.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 51712 |
| Entropy (8bit): | 5.7041125634129175 |
| Encrypted: | false |
| SSDEEP: | 1536:oeUTOpetu1BFfHNJ+LWdK3E8qVymmc8pMvW5:oRTdUv+LhmEMvW |
| MD5: | 84EFA086513D1DE8B24F453A2DD91B4E |
| SHA1: | C95E43FAEEAF82222C40A5D47358FCAD8EB0E4C7 |
| SHA-256: | 0AC3C91C6DBABD361EBEA7C61469BE7D18F5283AAE2C9A60227E15BB93E83246 |
| SHA-512: | B10023B756341959574556506000CBF33E04305686BE196F0D43408B01532E17664528422A4F08BA5318988A32D003A5746D57C3C7C0C5CAC53C8117E0FF3E41 |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\grass.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 264192 |
| Entropy (8bit): | 6.178431284084252 |
| Encrypted: | false |
| SSDEEP: | 6144:7V3pdfjogjEArAZYrbfQvfC4MfNba5bje:7V3HfDEZUbKvMfNbV |
| MD5: | B1B2574FCF395C0F81100181148F2FC5 |
| SHA1: | 5BFC0F84F0AD0E11DCB2227C49C20F404295C5D4 |
| SHA-256: | 07C81EA73DD53EFB7BFCE96B3BE5C30A66B5F2481AD4084709EEC651344B46E5 |
| SHA-512: | 0EF9B736E5418274A6450101DF53B19F5F3C0919BC3AFAE92414C5CAEEFB4DC3CAF21637552D6DE8973A69E9512A05B10862400FADDF253AC798FB4F2318A86D |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\grass.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 49152 |
| Entropy (8bit): | 5.738032375859604 |
| Encrypted: | false |
| SSDEEP: | 768:Vt3vkODNZlemsoR1PBY+m5B1osfQkC++lhnvN7nBlme43w8lWlU2N:VNMOx6FSPBvm7esfdvsvZn6ekRlWDN |
| MD5: | A3D2A55CAEA54786E254E57D8D4177E0 |
| SHA1: | F75D9067E6CC4E5C21E2AD6322D73492F8E32857 |
| SHA-256: | 92E2DBE7E3375156C6A727B34E8B8093966CF4EACAC7F360BE87367665066624 |
| SHA-512: | 6221A971D0542381A30E857C76A0DFD45776DFC094CE08D88D7E85EAEC3F59DE41FA972325336600CF427F916059EBE26CCC9189417F599C1DC140876EFC165C |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\grass.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 36864 |
| Entropy (8bit): | 5.597373809979222 |
| Encrypted: | false |
| SSDEEP: | 768:YrQD04NPV+wT4787qUpfuk4HI6cXOcl8BHCWWwGeq:IVEPV9U78T54HrDH5WwGe |
| MD5: | 4EC888267E4CE9402B3F7D33105D7D13 |
| SHA1: | 3C151A358704F0E34DE3EDE88041062A62820A18 |
| SHA-256: | 411E28F9A3EE60BD4AA8DB7A7EAE3DD19AEB063F3E3C7A8935DF6D0A28624F46 |
| SHA-512: | 400F0C26DF99B58E6595D2F3FFBA0BD4BCFCAFCDDFF9D0E9D86C2926C98257A6CB09F147409BF431CB7DB02B6B19A5004AFFDCBDE1D13A1F2F4781965AB0EFA1 |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\grass.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4 |
| Entropy (8bit): | 1.5 |
| Encrypted: | false |
| SSDEEP: | 3:Mn:M |
| MD5: | 365C9BFEB7D89244F2CE01C1DE44CB85 |
| SHA1: | D7A03141D5D6B1E88B6B59EF08B6681DF212C599 |
| SHA-256: | CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508 |
| SHA-512: | D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\grass.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 11524 |
| Entropy (8bit): | 5.211520136058075 |
| Encrypted: | false |
| SSDEEP: | 192:ERsUfi6bkQk+k/kKkegToJWicnJsPVA1oz2dv7COmoKTACoEJdQ/0G6lWg+JdQV5:ERsXpLs3VoJWRnJsPvz2dDCHoKsLgA6z |
| MD5: | 49CABCB5F8DA14C72C8C3D00ADB3C115 |
| SHA1: | F575BECF993ECDF9C6E43190C1CB74D3556CF912 |
| SHA-256: | DC9824E25AFD635480A8073038B3CDFE6A56D3073A54E1A6FB21EDD4BB0F207C |
| SHA-512: | 923DAEEE0861611D230DF263577B3C382AE26400CA5F1830EE309BD6737EED2AD934010D61CDD4796618BEDB3436CD772D9429A5BED0A106EF7DE60E114E505C |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\grass.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 3556 |
| Entropy (8bit): | 5.814247636010401 |
| Encrypted: | false |
| SSDEEP: | 96:Q9ewplxJT/oPynEddwBbCobXm9qGmR5VXzskcGD+qLtxO:2ewXdJCKXGeR/XzKiO |
| MD5: | 48C3E62C23B44C5C1B03F2634154C391 |
| SHA1: | 7E674C4D1EC604BB62103DBEEB008350FF159EE7 |
| SHA-256: | 0B638F04D30B4FF714170AC499F89142868A36760532ED20017263E9CC85136C |
| SHA-512: | 99B720AF1775F6A264C28817E44112CD6422E8716E62221946629D08FA1EC06FFB4E9076E55429CB19A9F07C7E95B2BDC01C6523178E7DFB824841C954ED0C16 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\grass.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 87 |
| Entropy (8bit): | 4.730668933656452 |
| Encrypted: | false |
| SSDEEP: | 3:RtEeXAaCTQnP+tPCCfA5I:Rt2PcnWBB3 |
| MD5: | 52ADFA0C417902EE8F0C3D1CA2372AC3 |
| SHA1: | B67635615EEF7E869D74F4813B5DC576104825DD |
| SHA-256: | D7215D7625CC9AF60AED0613AAD44DB57EBA589D0CCFC3D8122114A0E514C516 |
| SHA-512: | BFA87E7B0E76E544C2108EF40B9FAC8C5FF4327AB8EDE9FEB2891BD5D38FEA117BD9EEBAF62F6C357B4DEADDAD5A5220E0B4A54078C8C2DE34CB1DD5E00F2D62 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\grass.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1109 |
| Entropy (8bit): | 5.104415762129373 |
| Encrypted: | false |
| SSDEEP: | 24:bGf8rUrmJHHH0yN3gtsHw1hC09QHOsUv4eOk4/+/m3oqLFh:bW8rUaJHlxE3dQHOs5exm3ogFh |
| MD5: | 5E55731824CF9205CFABEAB9A0600887 |
| SHA1: | 243E9DD038D3D68C67D42C0C4BA80622C2A56246 |
| SHA-256: | 882115C95DFC2AF1EEB6714F8EC6D5CBCABF667CAFF8729F42420DA63F714E9F |
| SHA-512: | 21B242BF6DCBAFA16336D77A40E69685D7E64A43CC30E13E484C72A93CD4496A7276E18137DC601B6A8C3C193CB775DB89853ECC6D6EB2956DEEE36826D5EBFE |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\grass.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 880569 |
| Entropy (8bit): | 5.68298547144186 |
| Encrypted: | false |
| SSDEEP: | 12288:cgYJu4KXWyBC6S4IEa8A4a2Ya2xdOVwx/fpEh+rtSLMN6:cgYJiVBFLa2xTVwx/fpEh++MN6 |
| MD5: | 4C60BCC38288ED81C09957FC6B4CD7CD |
| SHA1: | E7F08D71E567EA73BB30656953837314C8D715A7 |
| SHA-256: | 9D6F7B75918990EC9CD5820624130AF309A2045119209BD90B4F70BC3ABD3733 |
| SHA-512: | 856D97B81A2CB53DCBA0136AFA0782E0F3F81BEA46F98E0247582B2E28870B837BE3C03E87562B918EC6BC76469EECC2C22599238D191D3FBA467F7031A2ACAA |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\grass.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 86016 |
| Entropy (8bit): | 5.9308989665858585 |
| Encrypted: | false |
| SSDEEP: | 1536:ZmwCw3vZ1w4vI1FxF6S2s0suvV81dvUflo6vp9862WhFo1emYU+:Z/CwxqC+bsNlflo6h93FiemYL |
| MD5: | 911470750962640CEB3FD11E2AEECD14 |
| SHA1: | AF797451D4028841D92F771885CB9D81AFBA3F96 |
| SHA-256: | 5C204F6966526AF4DC0C0D6D29909B6F088C4FA781464F2948414D833B03094D |
| SHA-512: | 637043C20DC17FBC472613C0E4F576F0A2211B7916B3488806AEC30271CF1BD84BD790518335B88910662FD4844F8ED39FA75AA278577271A966756B8CD793F7 |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\grass.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 3450648 |
| Entropy (8bit): | 6.098075450035195 |
| Encrypted: | false |
| SSDEEP: | 98304:YP+uemAdn67xfxw6rKsK1CPwDv3uFfJz1CmiX:OZemAYxfxw6HK1CPwDv3uFfJzUmA |
| MD5: | 9D7A0C99256C50AFD5B0560BA2548930 |
| SHA1: | 76BD9F13597A46F5283AA35C30B53C21976D0824 |
| SHA-256: | 9B7B4A0AD212095A8C2E35C71694D8A1764CD72A829E8E17C8AFE3A55F147939 |
| SHA-512: | CB39AA99B9D98C735FDACF1C5ED68A4D09D11F30262B91F6AA48C3F8520EFF95E499400D0CE7E280CA7A90FF6D7141D2D893EF0B33A8803A1CADB28BA9A9E3E2 |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\grass.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 32792 |
| Entropy (8bit): | 6.3566777719925565 |
| Encrypted: | false |
| SSDEEP: | 384:2nypDwZH1XYEMXvdQOsNFYzsQDELCvURDa7qscTHstU0NsICwHLZxXYIoBneEAR8:2l0Vn5Q28J8qsqMttktDxOpWDG4yKRF |
| MD5: | EEF7981412BE8EA459064D3090F4B3AA |
| SHA1: | C60DA4830CE27AFC234B3C3014C583F7F0A5A925 |
| SHA-256: | F60DD9F2FCBD495674DFC1555EFFB710EB081FC7D4CAE5FA58C438AB50405081 |
| SHA-512: | DC9FF4202F74A13CA9949A123DFF4C0223DA969F49E9348FEAF93DA4470F7BE82CFA1D392566EAAA836D77DDE7193FED15A8395509F72A0E9F97C66C0A096016 |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\grass.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 704792 |
| Entropy (8bit): | 5.5573527806738126 |
| Encrypted: | false |
| SSDEEP: | 12288:WhO7/rNKmrouK/POt6h+7ToRLgo479dQwwLOpWW/dQ0TGqwfU2lvz2:2is/POtrzbLp5dQ0TGqcU2lvz2 |
| MD5: | BEC0F86F9DA765E2A02C9237259A7898 |
| SHA1: | 3CAA604C3FFF88E71F489977E4293A488FB5671C |
| SHA-256: | D74CE01319AE6F54483A19375524AA39D9F5FD91F06CF7DF238CA25E043130FD |
| SHA-512: | FFBC4E5FFDB49704E7AA6D74533E5AF76BBE5DB297713D8E59BD296143FE5F145FBB616B343EED3C48ECEACCCCC2431630470D8975A4A17C37EAFCC12EDD19F4 |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\grass.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 47616 |
| Entropy (8bit): | 5.316469446718147 |
| Encrypted: | false |
| SSDEEP: | 768:3Y2vE6F6hmSrnDe651sYEYMXMBkYcE6n0/d3g:oAoVDeWlEEBkYcDni |
| MD5: | 95463F615865A472F75DDB365644A571 |
| SHA1: | 91F22EF3F2FFD3E9D6CE6E58BEEA9A96287B090B |
| SHA-256: | 9EE77474D244A17337D4CCC5113FE4AF7B4D86F9969293A884927718D06E63C8 |
| SHA-512: | E3CCCCE9EBF5E7CF33E68046D3E7B59E454CCB791635EB5F405977FD270126EF8B58E6288DBE58C96B681361D81EF28720EBA8D0BD389BFB0F4C3114D098A117 |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\grass.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 74752 |
| Entropy (8bit): | 5.867031753273455 |
| Encrypted: | false |
| SSDEEP: | 1536:AW91laAiAWZ0VEhefLGCUjV3LzATqzPgC9Z:b93MAWiPKCUBXbzPgC |
| MD5: | 41E139669CACB62EE4E06EF7EB1A647E |
| SHA1: | 1FA1274A9F7A0E53458F641C115F7407910E6CB1 |
| SHA-256: | B6FBAC3A2BAA833F34C327BE227A816DF47B11F45AC8A42E7B75C42E90C65353 |
| SHA-512: | 98E9810A91C74B2241826D96CAE0B124CD8EACED629B502654C537C8EF7F1D3462ACCFB5BF3FB91069616C9501EB68B6A66F42E51927C3A167E1AD81CC27C8C5 |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\grass.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 634368 |
| Entropy (8bit): | 6.200200567944878 |
| Encrypted: | false |
| SSDEEP: | 6144:UUAzxvOPjVmnc39ZldctO7fUoP/epy57mBTIK24KdJPvtBN1BQgnEIPuVZQckeSm:UUAzJEJmnctjdcg7fUoP28N55nEf8g1 |
| MD5: | 55557510BCCE2421BD71ECF0F7ECC9AA |
| SHA1: | CF3EDB8F51FAC62EC374073AD0A3223691DDC99B |
| SHA-256: | D227F2184A7EA3AD2765610936CF853F36887508B212D5479EED4F49508246C3 |
| SHA-512: | 3F5486F73026E32296F3B52CE7115F97C8C6BC55E78716B85BA7E8C6023105704591F240EF4B00667139570D3AD3206E13E87A197BEC3E2F5975B5771EAAEE3A |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\grass.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 198936 |
| Entropy (8bit): | 6.372446720663998 |
| Encrypted: | false |
| SSDEEP: | 3072:13BAJzkk5dT6F62eqf2A3zVnjIHdAPKReewMP12yGUfT0+SYyWgOmrpjAxvwnVIq:FQg4dT6N5OA3zVnjNed4yGKTKR/ |
| MD5: | 1118C1329F82CE9072D908CBD87E197C |
| SHA1: | C59382178FE695C2C5576DCA47C96B6DE4BBCFFD |
| SHA-256: | 4A2D59993BCE76790C6D923AF81BF404F8E2CB73552E320113663B14CF78748C |
| SHA-512: | 29F1B74E96A95B0B777EF00448DA8BD0844E2F1D8248788A284EC868AE098C774A694D234A00BD991B2D22C2372C34F762CDBD9EC523234861E39C0CA752DCAA |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\grass.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4458776 |
| Entropy (8bit): | 6.460390021076921 |
| Encrypted: | false |
| SSDEEP: | 49152:myrXfGIy+Bqk5c5Ad2nwZT3Q6wsV136cR2DZvbK30xLNZcAgVBvcpYcvl1IDWbH3:Uw5tVBlicWdvoDkHUMF7Ph/qe |
| MD5: | 63A1FA9259A35EAEAC04174CECB90048 |
| SHA1: | 0DC0C91BCD6F69B80DCDD7E4020365DD7853885A |
| SHA-256: | 14B06796F288BC6599E458FB23A944AB0C843E9868058F02A91D4606533505ED |
| SHA-512: | 896CAA053F48B1E4102E0F41A7D13D932A746EEA69A894AE564EF5A84EF50890514DECA6496E915AAE40A500955220DBC1B1016FE0B8BCDDE0AD81B2917DEA8B |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\grass.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 29976 |
| Entropy (8bit): | 6.627859470728624 |
| Encrypted: | false |
| SSDEEP: | 768:gUC2hwhVHqOmEVILQG35YiSyvrYPxWEl6:FC2ehVKOmEVILQGp7SyEPxe |
| MD5: | A653F35D05D2F6DEBC5D34DADDD3DFA1 |
| SHA1: | 1A2CEEC28EA44388F412420425665C3781AF2435 |
| SHA-256: | DB85F2F94D4994283E1055057372594538AE11020389D966E45607413851D9E9 |
| SHA-512: | 5AEDE99C3BE25B1A962261B183AE7A7FB92CB0CB866065DC9CD7BB5FF6F41CC8813D2CC9DE54670A27B3AD07A33B833EAA95A5B46DAD7763CA97DFA0C1CE54C9 |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\grass.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1123608 |
| Entropy (8bit): | 5.3853088605790385 |
| Encrypted: | false |
| SSDEEP: | 12288:6mwlRMmuZ63NTQCb5Pfhnzr0ql8L8kcM7IRG5eeme6VZyrIBHdQLhfFE+uQfk:ulRuUZV0m8UMMREtV6Vo4uYQfk |
| MD5: | 81D62AD36CBDDB4E57A91018F3C0816E |
| SHA1: | FE4A4FC35DF240B50DB22B35824E4826059A807B |
| SHA-256: | 1FB2D66C056F69E8BBDD8C6C910E72697874DAE680264F8FB4B4DF19AF98AA2E |
| SHA-512: | 7D15D741378E671591356DFAAD4E1E03D3F5456CBDF87579B61D02A4A52AB9B6ECBFFAD3274CEDE8C876EA19EAEB8BA4372AD5986744D430A29F50B9CAFFB75D |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\grass.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 95744 |
| Entropy (8bit): | 5.987843155161849 |
| Encrypted: | false |
| SSDEEP: | 1536:0xvdW+D03Yh2/DL5jsvblQEgPVw8x7Arz+YAK/2RP:0xvw203Yh2/h8OVJArz+YAK/2RP |
| MD5: | 2CE8C33EF12C8556A50F0BBCCDACB1F7 |
| SHA1: | 1C25DDC5CDCAA06735610BAB39C011834BAB1E16 |
| SHA-256: | C77F026E36348610BE60C4BC1FC356CD9EFF381E8B033CCB0E366F0BFE691E54 |
| SHA-512: | 98BDD35B4262D8A836DB351919C8BE857B5CB1BD08E9CD1987586DE305FF782E6DE0770000475E9D416C5D28E951EC0634B90E6239A4DD31915D11E4D7A6764B |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| File type: | |
| Entropy (8bit): | 7.938875728519838 |
| TrID: |
|
| File name: | grass.exe |
| File size: | 8'394'086 bytes |
| MD5: | bde4b588168e995961f49b6cb7576594 |
| SHA1: | 1a28c66e77e4a7cea5b2e49d116dd20d3d046120 |
| SHA256: | bedf5dc3e40558fcffb4eee7d9efc20db06a1f77433e0c46d247dd4f2640e6f0 |
| SHA512: | e2fb48085f459e303eadfd6b743aec5dd020f4cd1599b6e4692af10f8247506de7cae233765a3cb77a8dd89ff75beeca3d9777f167cd7b4ad121fceeefb89c05 |
| SSDEEP: | 196608:6q2FfGXmGPyDfyGgIPawBdnpkYRM6ipe8u2h:d22yDfDgsac66Cjh |
| TLSH: | EF8633A1225009D2E4F69638C991C579F6B2BC234392DA8757F87FA33E33B905E36741 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......rh.X6...6...6...}q..1...}q......}q..<...&.W.4...&...?...&...'...&.......}q..1...6.......~.../...~...7...Rich6...........PE..d.. |
 | |
| Icon Hash: | f0362d2f2b2b8c4a |
| Entrypoint: | 0x14000c320 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x140000000 |
| Subsystem: | windows cui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x67248094 [Fri Nov 1 07:17:40 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | a06f302f71edd380da3d5bf4a6d94ebd |
| Instruction |
|---|
| dec eax |
| sub esp, 28h |
| call 00007F1AECDE095Ch |
| dec eax |
| add esp, 28h |
| jmp 00007F1AECDE056Fh |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| dec eax |
| sub esp, 28h |
| call 00007F1AECDE0CE8h |
| test eax, eax |
| je 00007F1AECDE0723h |
| dec eax |
| mov eax, dword ptr [00000030h] |
| dec eax |
| mov ecx, dword ptr [eax+08h] |
| jmp 00007F1AECDE0707h |
| dec eax |
| cmp ecx, eax |
| je 00007F1AECDE0716h |
| xor eax, eax |
| dec eax |
| cmpxchg dword ptr [0003820Ch], ecx |
| jne 00007F1AECDE06F0h |
| xor al, al |
| dec eax |
| add esp, 28h |
| ret |
| mov al, 01h |
| jmp 00007F1AECDE06F9h |
| int3 |
| int3 |
| int3 |
| dec eax |
| sub esp, 28h |
| test ecx, ecx |
| jne 00007F1AECDE0709h |
| mov byte ptr [000381F5h], 00000001h |
| call 00007F1AECDDFE45h |
| call 00007F1AECDE1100h |
| test al, al |
| jne 00007F1AECDE0706h |
| xor al, al |
| jmp 00007F1AECDE0716h |
| call 00007F1AECDEF60Fh |
| test al, al |
| jne 00007F1AECDE070Bh |
| xor ecx, ecx |
| call 00007F1AECDE1110h |
| jmp 00007F1AECDE06ECh |
| mov al, 01h |
| dec eax |
| add esp, 28h |
| ret |
| int3 |
| int3 |
| inc eax |
| push ebx |
| dec eax |
| sub esp, 20h |
| cmp byte ptr [000381BCh], 00000000h |
| mov ebx, ecx |
| jne 00007F1AECDE0769h |
| cmp ecx, 01h |
| jnbe 00007F1AECDE076Ch |
| call 00007F1AECDE0C5Eh |
| test eax, eax |
| je 00007F1AECDE072Ah |
| test ebx, ebx |
| jne 00007F1AECDE0726h |
| dec eax |
| lea ecx, dword ptr [000381A6h] |
| call 00007F1AECDEF402h |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3ea14 | 0x50 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x49000 | 0x3e634 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x46000 | 0x22d4 | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x88000 | 0x768 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3bfb0 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3be70 | 0x140 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2d000 | 0x400 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x2b110 | 0x2b200 | e9069e99481418d9e681710a5e65ed17 | False | 0.5452728713768116 | data | 6.496015168861512 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x2d000 | 0x1282a | 0x12a00 | 5fa58115f98129f7f385b187f0077746 | False | 0.5233719588926175 | data | 5.766657473020416 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x40000 | 0x5408 | 0xe00 | aff56347f897785154c53727472c548d | False | 0.13504464285714285 | data | 1.8315705466577277 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .pdata | 0x46000 | 0x22d4 | 0x2400 | a913f5d0501c0c45f31faa2f4229aef1 | False | 0.4764539930555556 | data | 5.355998213989185 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0x49000 | 0x3e634 | 0x3e800 | 76a626aa6b0fa6c9984fd79e3adcc0f2 | False | 0.03837109375 | data | 1.4508693364120127 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x88000 | 0x768 | 0x800 | 42d6242177dbae8e11ed5d64b87d0d48 | False | 0.5576171875 | data | 5.268722219019965 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x490e8 | 0x3e028 | Device independent bitmap graphic, 240 x 512 x 32, image size 245760, resolution 11339 x 11339 px/m | 0.03509559356200195 | ||
| RT_GROUP_ICON | 0x87110 | 0x14 | data | 1.2 | ||
| RT_MANIFEST | 0x87124 | 0x50d | XML 1.0 document, ASCII text | 0.4694508894044857 |
| DLL | Import |
|---|---|
| USER32.dll | TranslateMessage, ShutdownBlockReasonCreate, GetWindowThreadProcessId, SetWindowLongPtrW, GetWindowLongPtrW, MsgWaitForMultipleObjects, ShowWindow, DestroyWindow, CreateWindowExW, RegisterClassW, DefWindowProcW, PeekMessageW, DispatchMessageW, GetMessageW |
| KERNEL32.dll | GetTimeZoneInformation, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, GetStringTypeW, FormatMessageW, GetLastError, GetModuleFileNameW, LoadLibraryExW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, CreateDirectoryW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, HeapSize, RemoveDirectoryW, GetTempPathW, CloseHandle, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObject, Sleep, GetCurrentProcess, GetCurrentProcessId, TerminateProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LocalFree, SetConsoleCtrlHandler, GetConsoleWindow, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, GetFileAttributesExW, HeapReAlloc, WriteConsoleW, SetEndOfFile, GetDriveTypeW, IsDebuggerPresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, GetModuleHandleW, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, GetCommandLineA, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW, GetCurrentDirectoryW, FlushFileBuffers, SetEnvironmentVariableW |
| ADVAPI32.dll | ConvertSidToStringSidW, GetTokenInformation, OpenProcessToken, ConvertStringSecurityDescriptorToSecurityDescriptorW |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
Click to jump to process
Click to jump to process
Click to jump to process
| Target ID: | 0 |
| Start time: | 11:20:16 |
| Start date: | 20/11/2024 |
| Path: | C:\Users\user\Desktop\grass.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x13f120000 |
| File size: | 8'394'086 bytes |
| MD5 hash: | BDE4B588168E995961F49B6CB7576594 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 11:20:18 |
| Start date: | 20/11/2024 |
| Path: | C:\Users\user\Desktop\grass.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x13f120000 |
| File size: | 8'394'086 bytes |
| MD5 hash: | BDE4B588168E995961F49B6CB7576594 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 10.9% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 10.2% |
| Total number of Nodes: | 2000 |
| Total number of Limit Nodes: | 38 |
Graph
Function 000000013F127E40 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257synchronizationwindowregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F146E10 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334timeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F127820 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F14708C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143timeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F121000 Relevance: 61.8, APIs: 3, Strings: 32, Instructions: 529COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F121930 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F1215E0 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145COMMON
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F127AC0 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F1211F0 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158COMMON
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F13FF1C Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F122A70 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F13C8FC Relevance: 10.8, APIs: 7, Instructions: 290COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F12D1F8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F1285D0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F127280 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F1432EC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 128COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F1402F0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F12F634 Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F13CFD4 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F13B404 Relevance: 2.5, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F13CD4C Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F13C7DC Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F12F8B4 Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F13FDA4 Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F13E664 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F124C60 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F1452BC Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F13B4F8 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F12C580 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F141AD8 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 461COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F14A938 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F133F2C Relevance: .4, Instructions: 374COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F1336F0 Relevance: .4, Instructions: 351COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F133B28 Relevance: .3, Instructions: 327COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F128D60 Relevance: .3, Instructions: 287COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F1323C0 Relevance: .2, Instructions: 250COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F132758 Relevance: .2, Instructions: 241COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F13F5D8 Relevance: .2, Instructions: 198COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F147628 Relevance: .2, Instructions: 183COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F130EBC Relevance: .1, Instructions: 146COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F1316DC Relevance: .1, Instructions: 146COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F1312CC Relevance: .1, Instructions: 146COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F130CB8 Relevance: .1, Instructions: 145COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F1314D8 Relevance: .1, Instructions: 145COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F1310C8 Relevance: .1, Instructions: 145COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F136C90 Relevance: .1, Instructions: 138COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F13ADC0 Relevance: .1, Instructions: 126COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F138FC0 Relevance: .1, Instructions: 98COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F14A780 Relevance: .0, Instructions: 32COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F12C840 Relevance: .0, Instructions: 2COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F126B20 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F127630 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F127520 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F1371F0 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F130540 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F121030 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F121450 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F12DF38 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F122310 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 99windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F1257C0 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F13BFF0 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F148F7C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F13C168 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F13A960 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F14A578 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F13C230 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F128330 Relevance: 7.5, APIs: 5, Instructions: 34sleepthreadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F136F00 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F140DD8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F12CB78 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F12E7B8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F12E408 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F139EF0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 111COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F122220 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 61COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F146D2C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F13DAD8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F122020 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 78COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F1407C8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F121E50 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F122140 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F12F278 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000000013F14194C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|