Edit tour
Windows
Analysis Report
clearbrowser.exe
Overview
General Information
| Sample Name: | clearbrowser.exe |
| Analysis ID: | 791478 |
| MD5: | eb2613474de36296e716ceacc646b17c |
| SHA1: | 94525e9da51964c07fcc25e907e400a8589bac5c |
| SHA256: | fc3c5130d9311ce90835906d842fd7e5e4da00de249a55d1c1832734c2c84dea |
| Infos: | |
 | |
Errors
| |
Detection
| Score: | 36 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 80% |
Signatures
Multi AV Scanner detection for submitted file
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
PE file contains more sections than normal
Program does not show much activity (idle)
Classification
- System is w10x64
clearbrowser.exe (PID: 712 cmdline: "C:\Users\ user\Deskt op\clearbr owser.exe" -install MD5: EB2613474DE36296E716CEACC646B17C)
- clearbrowser.exe (PID: 6108 cmdline:
"C:\Users\ user\Deskt op\clearbr owser.exe" /install MD5: EB2613474DE36296E716CEACC646B17C)
- clearbrowser.exe (PID: 3484 cmdline:
"C:\Users\ user\Deskt op\clearbr owser.exe" /load MD5: EB2613474DE36296E716CEACC646B17C)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 0_2_00007FF6147D3EF0 | |
| Source: | Code function: | 0_2_00007FF6147D3B00 | |
| Source: | Code function: | 0_2_00007FF6147D6120 | |
| Source: | Code function: | 0_2_00007FF6147D275E | |
| Source: | Code function: | 0_2_00007FF6147D1760 | |
| Source: | Code function: | 0_2_00007FF6147D3260 | |
| Source: | Code function: | 0_2_00007FF6147D3C60 | |
| Source: | Code function: | 0_2_00007FF6147D4090 | |
| Source: | Static PE information: | ||
| Source: | ReversingLabs: | ||
| Source: | Virustotal: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Binary string: | ||
| Source: | Classification label: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00007FF6147D7F1C | |
| Source: | Code function: | 0_2_00007FF6147D4B53 | |
| Source: | Code function: | 0_2_00007FF6147D4B53 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Code function: | 0_2_00007FF61493CC34 | |
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | 2 Command and Scripting Interpreter | Path Interception | 1 Process Injection | 1 Process Injection | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Obfuscated Files or Information | LSASS Memory | 1 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 13% | ReversingLabs | Win64.PUA.Presenoker | ||
| 7% | Virustotal | Browse |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high |
⊘No contacted IP infos
| Joe Sandbox Version: | 36.0.0 Rainbow Opal |
| Analysis ID: | 791478 |
| Start date and time: | 2023-01-25 14:56:40 +01:00 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 3m 24s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Sample file name: | clearbrowser.exe |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Run name: | Cmdline fuzzy |
| Number of analysed new started processes analysed: | 3 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | SUS |
| Classification: | sus36.winEXE@3/0@0/0 |
| EGA Information: | Failed |
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Corrupt sample or wrongly sele
cted analyzer. Details: C01500 02 - Corrupt sample or wrongly sele
cted analyzer. Details: C01500 02 - Corrupt sample or wrongly sele
cted analyzer. Details: C01500 02
- Execution Graph export aborted
for target clearbrowser.exe, PID 712 because there are no e xecuted function
⊘No simulations
⊘No context
⊘No context
⊘No context
⊘No context
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 6.466691093534333 |
| TrID: |
|
| File name: | clearbrowser.exe |
| File size: | 2360648 |
| MD5: | eb2613474de36296e716ceacc646b17c |
| SHA1: | 94525e9da51964c07fcc25e907e400a8589bac5c |
| SHA256: | fc3c5130d9311ce90835906d842fd7e5e4da00de249a55d1c1832734c2c84dea |
| SHA512: | c929db651fb502fe228dba530e4b2a8370884b8baf1db0cc1ebf632e435c2ea444839ef42ceadb29a71226d79bb9cff78f683748db9d5402d65d63cce1513437 |
| SSDEEP: | 49152:4nUJZ9HvdKrM5CGWd6YyIpPknrJZkR2qBAUrOBW8mKrKy:/TttAyWxu |
| TLSH: | 26B54803E15544E9D299C078CE06D532EB617C5D4BF2A5FB3290BAD62E73AE03B39B11 |
| File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....N2_.........."..........H...... ..........@.............................0%.......$...`........................................ |
 | |
| Icon Hash: | 31e0d0c0d0c0e030 |
| Entrypoint: | 0x14016cc20 |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x140000000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x5F324EA9 [Tue Aug 11 07:54:17 2020 UTC] |
| TLS Callbacks: | 0x400c3c10, 0x1, 0x400d46c0, 0x1, 0x4016b630, 0x1, 0x400f5e90, 0x1 |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 2 |
| File Version Major: | 5 |
| File Version Minor: | 2 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 2 |
| Import Hash: | 28cc3e1fc363a0f47a1459515ce2d6f1 |
| Signature Valid: | true |
| Signature Issuer: | CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US |
| Signature Validation Error: | The operation completed successfully |
| Error Number: | 0 |
| Not Before, Not After |
|
| Subject Chain |
|
| Version: | 3 |
| Thumbprint MD5: | C7AEA2AB5B6946FA378994299917AA53 |
| Thumbprint SHA-1: | 4C6C207DCFA5A3FBC336F8356F951765EB058F05 |
| Thumbprint SHA-256: | 5C8949BF3342C342CF080CF2D4D52C08565754B107E3D254E241AFF02A122BF4 |
| Serial: | 030601E126B12C53A43E36369308C459 |
| Instruction |
|---|
| dec eax |
| sub esp, 28h |
| call 00007FB5B09B0850h |
| dec eax |
| add esp, 28h |
| jmp 00007FB5B09B06BFh |
| int3 |
| int3 |
| dec eax |
| mov dword ptr [esp+20h], ebx |
| push ebp |
| dec eax |
| mov ebp, esp |
| dec eax |
| sub esp, 20h |
| dec eax |
| mov eax, dword ptr [0008E3E0h] |
| dec eax |
| mov ebx, 2DDFA232h |
| cdq |
| sub eax, dword ptr [eax] |
| add byte ptr [eax+3Bh], cl |
| ret |
| jne 00007FB5B09B08B6h |
| dec eax |
| and dword ptr [ebp+18h], 00000000h |
| dec eax |
| lea ecx, dword ptr [ebp+18h] |
| call dword ptr [00082E52h] |
| dec eax |
| mov eax, dword ptr [ebp+18h] |
| dec eax |
| mov dword ptr [ebp+10h], eax |
| call dword ptr [00082D1Ch] |
| mov eax, eax |
| dec eax |
| xor dword ptr [ebp+10h], eax |
| call dword ptr [00082CF8h] |
| mov eax, eax |
| dec eax |
| lea ecx, dword ptr [ebp+20h] |
| dec eax |
| xor dword ptr [ebp+10h], eax |
| call dword ptr [00082F98h] |
| mov eax, dword ptr [ebp+20h] |
| dec eax |
| lea ecx, dword ptr [ebp+10h] |
| dec eax |
| shl eax, 20h |
| dec eax |
| xor eax, dword ptr [ebp+20h] |
| dec eax |
| xor eax, dword ptr [ebp+10h] |
| dec eax |
| xor eax, ecx |
| dec eax |
| mov ecx, FFFFFFFFh |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1eef9d | 0x8b | .rdata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1ef028 | 0x50 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x22d000 | 0x220c8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x217000 | 0xbc04 | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x23dc00 | 0x2948 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x250000 | 0x21e0 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1ecac4 | 0x38 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x1ec9a8 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1aa160 | 0x138 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x1ef7a0 | 0x728 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x1ee190 | 0x140 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x1a82fd | 0x1a8400 | False | 0.4738428568797879 | data | 6.577416663862463 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x1aa000 | 0x50da4 | 0x50e00 | False | 0.2868286321483771 | data | 5.503064427622722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x1fb000 | 0x1bea0 | 0x10000 | False | 0.0388946533203125 | data | 1.5645905584563753 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .pdata | 0x217000 | 0xbc04 | 0xbe00 | False | 0.500328947368421 | data | 6.030806608566388 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .00cfg | 0x223000 | 0x28 | 0x200 | False | 0.0625 | data | 0.4285997588138649 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .gxfg | 0x224000 | 0x2eb0 | 0x3000 | False | 0.407470703125 | data | 5.145141999115951 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .retplne | 0x227000 | 0x84 | 0x200 | False | 0.09375 | data | 1.2434927268429983 | |
| .tls | 0x228000 | 0x1c1 | 0x200 | False | 0.04296875 | data | 0.1364637916558982 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .voltbl | 0x229000 | 0x44 | 0x200 | False | 0.154296875 | data | 1.1423295645151728 | |
| CPADinfo | 0x22a000 | 0x38 | 0x200 | False | 0.04296875 | data | 0.12227588125913882 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| _RDATA | 0x22b000 | 0xf4 | 0x200 | False | 0.314453125 | data | 2.4605873927629287 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| malloc_h | 0x22c000 | 0x637 | 0x800 | False | 0.5087890625 | data | 5.51355894160577 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x22d000 | 0x220c8 | 0x22200 | False | 0.25440705128205127 | data | 4.11254241033308 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x250000 | 0x21e0 | 0x2200 | False | 0.28504136029411764 | data | 5.447567079474142 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| GOOGLEUPDATEAPPLICATIONCOMMANDS | 0x240890 | 0x4 | data | English | United States |
| RT_CURSOR | 0x240d20 | 0x134 | data | ||
| RT_CURSOR | 0x240e70 | 0x134 | data | ||
| RT_CURSOR | 0x240fc0 | 0x134 | Targa image data - RLE 64 x 65536 x 1 +32 "\001" | ||
| RT_CURSOR | 0x241110 | 0x134 | data | ||
| RT_CURSOR | 0x241260 | 0x134 | data | ||
| RT_CURSOR | 0x241398 | 0xcac | data | ||
| RT_CURSOR | 0x242070 | 0x134 | data | ||
| RT_CURSOR | 0x2421a8 | 0xcac | data | ||
| RT_CURSOR | 0x242e80 | 0x10ac | Targa image data 64 x 65536 x 1 +32 " " | ||
| RT_CURSOR | 0x243f48 | 0x10ac | Targa image data 64 x 65536 x 1 +32 " " | ||
| RT_CURSOR | 0x245010 | 0x10ac | Targa image data 64 x 65536 x 1 +32 " " | ||
| RT_CURSOR | 0x2460d8 | 0x10ac | Targa image data 64 x 65536 x 1 +32 " " | ||
| RT_CURSOR | 0x2471a0 | 0x10ac | Targa image data 64 x 65536 x 1 +32 " " | ||
| RT_CURSOR | 0x248268 | 0x10ac | Targa image data 64 x 65536 x 1 +32 " " | ||
| RT_CURSOR | 0x249330 | 0x10ac | Targa image data 64 x 65536 x 1 +32 " " | ||
| RT_CURSOR | 0x24a3f8 | 0x10ac | Targa image data 64 x 65536 x 1 +32 " " | ||
| RT_CURSOR | 0x24b4c0 | 0x10ac | Targa image data 64 x 65536 x 1 +32 " " | ||
| RT_CURSOR | 0x24c588 | 0x10ac | Targa image data 64 x 65536 x 1 +32 " " | ||
| RT_CURSOR | 0x24d650 | 0x10ac | Targa image data 64 x 65536 x 1 +32 " " | ||
| RT_CURSOR | 0x24e718 | 0x134 | Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001" | ||
| RT_CURSOR | 0x24e868 | 0x134 | Targa image data - Mono 64 x 65536 x 1 +32 "\001" | ||
| RT_CURSOR | 0x24e9b8 | 0x134 | data | ||
| RT_CURSOR | 0x24eb08 | 0x134 | data | ||
| RT_ICON | 0x22ddc0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | English | United States |
| RT_ICON | 0x22e228 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | English | United States |
| RT_ICON | 0x22ebb0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | United States |
| RT_ICON | 0x22fc58 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | English | United States |
| RT_ICON | 0x232200 | 0x30c8 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States |
| RT_ICON | 0x235318 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | United States |
| RT_ICON | 0x2361c0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | United States |
| RT_ICON | 0x236a68 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | United States |
| RT_ICON | 0x236fd0 | 0x7c8 | PNG image data, 256 x 256, 8-bit colormap, non-interlaced | English | United States |
| RT_ICON | 0x237798 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States |
| RT_ICON | 0x239d40 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States |
| RT_ICON | 0x23ade8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States |
| RT_ICON | 0x23b2b8 | 0x4a8 | Device independent bitmap graphic, 17 x 32 x 32, image size 1088, resolution 2835 x 2835 px/m | English | United States |
| RT_ICON | 0x23b760 | 0x1234 | Device independent bitmap graphic, 33 x 66 x 32, image size 4356, resolution 2835 x 2835 px/m | English | United States |
| RT_ICON | 0x23c998 | 0x2668 | Device independent bitmap graphic, 49 x 96 x 32, image size 9408, resolution 2835 x 2835 px/m | English | United States |
| RT_ICON | 0x23f000 | 0x184b | PNG image data, 257 x 256, 8-bit/color RGBA, non-interlaced | English | United States |
| RT_GROUP_CURSOR | 0x240e58 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
| RT_GROUP_CURSOR | 0x240fa8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
| RT_GROUP_CURSOR | 0x2410f8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
| RT_GROUP_CURSOR | 0x241248 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
| RT_GROUP_CURSOR | 0x242048 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | ||
| RT_GROUP_CURSOR | 0x242e58 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | ||
| RT_GROUP_CURSOR | 0x243f30 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
| RT_GROUP_CURSOR | 0x244ff8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
| RT_GROUP_CURSOR | 0x2460c0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
| RT_GROUP_CURSOR | 0x247188 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
| RT_GROUP_CURSOR | 0x248250 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
| RT_GROUP_CURSOR | 0x249318 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
| RT_GROUP_CURSOR | 0x24a3e0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
| RT_GROUP_CURSOR | 0x24b4a8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
| RT_GROUP_CURSOR | 0x24c570 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
| RT_GROUP_CURSOR | 0x24d638 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
| RT_GROUP_CURSOR | 0x24e700 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
| RT_GROUP_CURSOR | 0x24e850 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
| RT_GROUP_CURSOR | 0x24e9a0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
| RT_GROUP_CURSOR | 0x24eaf0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
| RT_GROUP_CURSOR | 0x24ec40 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
| RT_GROUP_ICON | 0x2352c8 | 0x4c | data | English | United States |
| RT_GROUP_ICON | 0x23b250 | 0x68 | data | English | United States |
| RT_GROUP_ICON | 0x240850 | 0x3e | data | English | United States |
| RT_VERSION | 0x240898 | 0x488 | data | English | United States |
| RT_MANIFEST | 0x24ec58 | 0x46a | XML 1.0 document, ASCII text, with very long lines (1016) | English | United States |
| DLL | Import |
|---|---|
| chrome_elf.dll | GetInstallDetailsPayload, IsBrowserProcess, IsExtensionPointDisableSet, SignalChromeElf, SignalInitializeCrashReporting |
| KERNEL32.dll | AcquireSRWLockExclusive, AssignProcessToJobObject, CloseHandle, CompareStringW, ConnectNamedPipe, CreateDirectoryW, CreateEventW, CreateFileMappingW, CreateFileW, CreateIoCompletionPort, CreateJobObjectW, CreateMutexW, CreateNamedPipeW, CreateProcessW, CreateRemoteThread, CreateSemaphoreW, CreateThread, DebugBreak, DeleteCriticalSection, DeleteFileW, DeleteProcThreadAttributeList, DisconnectNamedPipe, DuplicateHandle, EncodePointer, EnterCriticalSection, EnumSystemLocalesEx, EnumSystemLocalesW, ExitProcess, ExitThread, ExpandEnvironmentStringsW, FileTimeToSystemTime, FindClose, FindFirstFileExW, FindNextFileW, FlsAlloc, FlsFree, FlsGetValue, FlsSetValue, FlushFileBuffers, FlushViewOfFile, FormatMessageA, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetComputerNameExW, GetConsoleMode, GetConsoleOutputCP, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentProcessorNumber, GetCurrentThread, GetCurrentThreadId, GetDateFormatW, GetDriveTypeW, GetEnvironmentStringsW, GetExitCodeProcess, GetFileAttributesW, GetFileInformationByHandle, GetFileInformationByHandleEx, GetFileSizeEx, GetFileTime, GetFileType, GetFullPathNameW, GetLastError, GetLocalTime, GetLocaleInfoW, GetLogicalProcessorInformation, GetLongPathNameW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetNativeSystemInfo, GetOEMCP, GetProcAddress, GetProcessHandleCount, GetProcessHeap, GetProcessHeaps, GetProcessId, GetProcessTimes, GetProductInfo, GetQueuedCompletionStatus, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemDefaultLCID, GetSystemDirectoryW, GetSystemInfo, GetSystemTimeAsFileTime, GetTempPathW, GetThreadContext, GetThreadId, GetThreadLocale, GetThreadPriority, GetTickCount, GetTimeFormatW, GetTimeZoneInformation, GetUserDefaultLCID, GetUserDefaultLangID, GetUserDefaultLocaleName, GetVersionExW, GetWindowsDirectoryW, HeapDestroy, HeapSetInformation, InitOnceExecuteOnce, InitializeConditionVariable, InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, InitializeProcThreadAttributeList, InitializeSListHead, InitializeSRWLock, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, IsWow64Process, K32GetPerformanceInfo, K32GetProcessMemoryInfo, LCMapStringW, LeaveCriticalSection, LoadLibraryExA, LoadLibraryExW, LoadLibraryW, LocalFree, LockFileEx, MapViewOfFile, MoveFileW, MultiByteToWideChar, OpenProcess, OutputDebugStringA, PeekNamedPipe, PostQueuedCompletionStatus, QueryDosDeviceW, QueryInformationJobObject, QueryPerformanceCounter, QueryPerformanceFrequency, QueryThreadCycleTime, RaiseException, ReadConsoleW, ReadFile, ReadProcessMemory, RegisterWaitForSingleObject, ReleaseSRWLockExclusive, ReleaseSemaphore, RemoveDirectoryW, ReplaceFileW, ResetEvent, ResumeThread, RtlCaptureContext, RtlCaptureStackBackTrace, RtlLookupFunctionEntry, RtlPcToFileHeader, RtlUnwind, RtlUnwindEx, RtlVirtualUnwind, SetConsoleCtrlHandler, SetCurrentDirectoryW, SetEndOfFile, SetEnvironmentVariableW, SetEvent, SetFileAttributesW, SetFilePointerEx, SetHandleInformation, SetInformationJobObject, SetLastError, SetNamedPipeHandleState, SetProcessShutdownParameters, SetStdHandle, SetThreadAffinityMask, SetThreadPriority, SetUnhandledExceptionFilter, Sleep, SleepConditionVariableSRW, SleepEx, SuspendThread, SwitchToThread, SystemTimeToTzSpecificLocalTime, TerminateJobObject, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TransactNamedPipe, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, UnlockFileEx, UnmapViewOfFile, UnregisterWait, UnregisterWaitEx, UpdateProcThreadAttribute, VerSetConditionMask, VerifyVersionInfoW, VirtualAlloc, VirtualAllocEx, VirtualFree, VirtualFreeEx, VirtualProtect, VirtualProtectEx, VirtualQuery, VirtualQueryEx, WaitForMultipleObjects, WaitForSingleObject, WaitForSingleObjectEx, WaitNamedPipeW, WakeAllConditionVariable, WakeConditionVariable, WideCharToMultiByte, Wow64GetThreadContext, WriteConsoleW, WriteFile, WriteProcessMemory, lstrlenW |
| VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW |
| Name | Ordinal | Address |
|---|---|---|
| GetHandleVerifier | 1 | 0x1400c58f0 |
| GetPakFileHashes | 2 | 0x14003bce0 |
| IsSandboxedProcess | 3 | 0x1400a2cb0 |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
Click to jump to process
Click to jump to process
Click to jump to process
| Target ID: | 0 |
| Start time: | 14:57:34 |
| Start date: | 25/01/2023 |
| Path: | C:\Users\user\Desktop\clearbrowser.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6147d0000 |
| File size: | 2360648 bytes |
| MD5 hash: | EB2613474DE36296E716CEACC646B17C |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Target ID: | 1 |
| Start time: | 14:57:37 |
| Start date: | 25/01/2023 |
| Path: | C:\Users\user\Desktop\clearbrowser.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6147d0000 |
| File size: | 2360648 bytes |
| MD5 hash: | EB2613474DE36296E716CEACC646B17C |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Target ID: | 2 |
| Start time: | 14:57:40 |
| Start date: | 25/01/2023 |
| Path: | C:\Users\user\Desktop\clearbrowser.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6147d0000 |
| File size: | 2360648 bytes |
| MD5 hash: | EB2613474DE36296E716CEACC646B17C |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Download Yara Rule
| C-Code - Quality: 79% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
