Edit tour
Windows
Analysis Report
PSAbout.dll
Overview
General Information
| Sample name: | PSAbout.dll |
| Analysis ID: | 1530831 |
| MD5: | 63bc611e8759bdf6d8d5f8be08942fe9 |
| SHA1: | 5ebc4ccd7c7014e4bcba59a45f73362d30c97f69 |
| SHA256: | 229a826e1a0f3cadcc0410465038d53f62499998f13db4c1f55d07cd563a8388 |
| Infos: | |
 | |
Detection
| Score: | 5 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 60% |
Signatures
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Creates a process in suspended mode (likely to inject code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
loaddll32.exe (PID: 7120 cmdline: loaddll32. exe "C:\Us ers\user\D esktop\PSA bout.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618) 
conhost.exe (PID: 6376 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 5824 cmdline:
cmd.exe /C rundll32. exe "C:\Us ers\user\D esktop\PSA bout.dll", #1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) 
rundll32.exe (PID: 6536 cmdline: rundll32.e xe "C:\Use rs\user\De sktop\PSAb out.dll",# 1 MD5: 889B99C52A60DD49227C5E485A016679) 
WerFault.exe (PID: 5728 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 6 536 -s 648 MD5: C31336C1EFC2CCB44B4326EA793040F2) - rundll32.exe (PID: 3164 cmdline:
rundll32.e xe C:\User s\user\Des ktop\PSAbo ut.dll,_Ge tAppVersio n@8 MD5: 889B99C52A60DD49227C5E485A016679) - WerFault.exe (PID: 6892 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 3 164 -s 628 MD5: C31336C1EFC2CCB44B4326EA793040F2) - rundll32.exe (PID: 2160 cmdline:
rundll32.e xe C:\User s\user\Des ktop\PSAbo ut.dll,_Sh owAbout@4 MD5: 889B99C52A60DD49227C5E485A016679) - WerFault.exe (PID: 4612 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 2 160 -s 632 MD5: C31336C1EFC2CCB44B4326EA793040F2) - rundll32.exe (PID: 6744 cmdline:
rundll32.e xe C:\User s\user\Des ktop\PSAbo ut.dll,_Sh owAboutExt @8 MD5: 889B99C52A60DD49227C5E485A016679) - WerFault.exe (PID: 6740 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 6 744 -s 632 MD5: C31336C1EFC2CCB44B4326EA793040F2) - rundll32.exe (PID: 1888 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\PSAb out.dll",_ GetAppVers ion@8 MD5: 889B99C52A60DD49227C5E485A016679) - WerFault.exe (PID: 4320 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 1 888 -s 628 MD5: C31336C1EFC2CCB44B4326EA793040F2) - rundll32.exe (PID: 352 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\PSAb out.dll",_ ShowAbout@ 4 MD5: 889B99C52A60DD49227C5E485A016679) - WerFault.exe (PID: 2756 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 3 52 -s 628 MD5: C31336C1EFC2CCB44B4326EA793040F2) - rundll32.exe (PID: 6704 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\PSAb out.dll",_ ShowAboutE xt@8 MD5: 889B99C52A60DD49227C5E485A016679) - WerFault.exe (PID: 6968 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 6 704 -s 628 MD5: C31336C1EFC2CCB44B4326EA793040F2) - rundll32.exe (PID: 6220 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\PSAb out.dll",_ ShowSplash @4 MD5: 889B99C52A60DD49227C5E485A016679)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
There are no malicious signatures, click here to show all signatures.
| Source: | Static PE information: | ||
| Source: | String found in binary or memory: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Process created: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Window detected: | ||
| Source: | Code function: | 4_2_10004B22 | |
| Source: | Code function: | 12_2_10004B22 | |
| Source: | Code function: | 15_2_10004B22 | |
| Source: | Code function: | 19_2_10004B22 | |
| Source: | Code function: | 20_2_10004B22 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | Process information set: | |||
| Source: | API coverage: | ||
| Source: | Last function: | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Code function: | 12_2_10001830 | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Rundll32 | OS Credential Dumping | 21 Security Software Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Virtualization/Sandbox Evasion | LSASS Memory | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 1 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe |
⊘No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown |
⊘No contacted IP infos
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1530831 |
| Start date and time: | 2024-10-10 15:36:08 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 49s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 34 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | PSAbout.dll |
| Detection: | CLEAN |
| Classification: | clean5.winDLL@27/28@0/0 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.189.173.21
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target rundll32.exe, PID 6220 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- VT rate limit hit for: PSAbout.dll
| Time | Type | Description |
|---|---|---|
| 09:37:23 | API Interceptor | |
| 09:37:25 | API Interceptor |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_ac7a4fc5b84473d26fc49234f984b16b262e2c8_7522e4b5_3d48e3d7-7135-41ac-a87c-8d7dc7ca6b79\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.8561609264385781 |
| Encrypted: | false |
| SSDEEP: | 192:6QiSbOvW0BU/wjeTyzuiFrZ24IO8dci9:5iSiv9BU/wjeGzuiFrY4IO8dci |
| MD5: | AA998DD0D56DB0EB07EF6106E196513B |
| SHA1: | 09A5D626E83E9B7D2F9FAA536B2582BFF04D04B4 |
| SHA-256: | 0A4EF9FFD5467CC0CAD3C2C46F0835FA2839A287D5C0CB4D5B882EDB7EDA9340 |
| SHA-512: | FA95C0F17A8EE35DDAFDAC3297079FF201A75B27A701CBABD5AF9C1F8BAD62CE74C506E0B22FAC8FF096571A52AEC735DF611DBCD6284464858C0132AD4DA9BC |
| Malicious: | false |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_ac7a4fc5b84473d26fc49234f984b16b262e2c8_7522e4b5_56d3a75f-5829-405b-ad15-41ebb152a4ec\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.8559880310968484 |
| Encrypted: | false |
| SSDEEP: | 96:NOFo616iOhVyBZsj94sFmLbfTQXIDcQvc6QcEVcw3cE/O/a/z+HbHg/BQAS/YyN4:AaiOOBZW0BU/wjeTyzuiFrZ24IO8dci |
| MD5: | E99CFD10253373EB10C25C3F2C463C2F |
| SHA1: | DD2499CEBDF088735D2FD24EA7B8FD6F8C63380E |
| SHA-256: | 270011CD50D48A31A00B9C4720C3ACD87E2072F56988639A9556F8A5A002FA2E |
| SHA-512: | 2F5E80C3EC70FB0778F4C23848500B005C9485B613BD9D33006C5EFDA28CD5D146DAD15B190975A46CBFAA019A0ECAD97B463E852A41A0ECA166438DE7CF396C |
| Malicious: | false |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_ac7a4fc5b84473d26fc49234f984b16b262e2c8_7522e4b5_808f954a-53f1-4397-b5c1-6356f3c5f3fc\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.8560658260762943 |
| Encrypted: | false |
| SSDEEP: | 96:qFFCQ36iKhVyQsj94sFmLbfTQXIDcQvc6QcEVcw3cE/O/a/z+HbHg/BQAS/YyNle:G4riKOQW0BU/wjeTyzuiFrZ24IO8dci |
| MD5: | 80BA0DC72A8A6A59E8BA664776683ECD |
| SHA1: | 95A4991C1B6118AA3D5F580716A0F7E6EF6D427A |
| SHA-256: | 6553E3C797F282B4A5257EB57008E15AE9D3D46774056500520AB41FA9DC6369 |
| SHA-512: | C2E93EDF51633A952B1F02406BEE073B59A97D222BF0982620F12077DE90E8FDDB37A5DEF7F4BABDEAAE7456E56B4B4E25FA9B79F330FA66A34A2884B9FE9DF0 |
| Malicious: | false |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_d6e6e8b58b7a0a9a6bb978481c3782f98cadcf_7522e4b5_38ca8843-afa9-4f41-a8ef-8e9775b40cf2\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.8759022251941168 |
| Encrypted: | false |
| SSDEEP: | 192:Q9/i9O720BU/wjeTV/zuiFrZ24IO8dci:w/i07dBU/wjeZzuiFrY4IO8dci |
| MD5: | 8B50912A12CD264DE261CDF437541584 |
| SHA1: | E49767A75A52313E12D36824FC9DAE794FFBC0A8 |
| SHA-256: | 11A13AE271BE313E499524CE9E8A567393B71E34FE3008E60565985DE5F9C144 |
| SHA-512: | A981547E0230291638C73B223221DFA30602216F8E6490E99D342A257433213E284429AC39C28DADEB4D1498882BA4E68E573EAB23F951125A42F2A3C80E85E2 |
| Malicious: | false |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_d6e6e8b58b7a0a9a6bb978481c3782f98cadcf_7522e4b5_6122d459-8098-4c10-8204-ad092330c3b0\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.8759263453046413 |
| Encrypted: | false |
| SSDEEP: | 192:Y21kPizOJ20BU/wjeTV/zuiFrZ24IO8dci:0i6JdBU/wjeZzuiFrY4IO8dci |
| MD5: | 7869A0B8A57EE5447BC4852E651B7DAC |
| SHA1: | 05E1009F610802AB07EEB69C30B5369E4D95A88D |
| SHA-256: | 740ECD64017316DA1ADDAEE2CC70967557678377E6596E305828FFFEFC77E660 |
| SHA-512: | C6735F0B6D9AC24C610DD0D7B1AA62001032107DBBC40F71CE1557D0D7F85FB6237AF671F20440507EF53EF05BE80A6EC942A8A7E1A07976728B183177BDDA18 |
| Malicious: | false |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_d6e6e8b58b7a0a9a6bb978481c3782f98cadcf_7522e4b5_79daa82b-bcfe-4dc5-a6f2-0092226be9e7\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.8756490178827419 |
| Encrypted: | false |
| SSDEEP: | 192:bqhiQO420BU/wjeTV/zuiFrZ24IO8dci:miB4dBU/wjeZzuiFrY4IO8dci |
| MD5: | ACDE10C3D71BA89B3097C8EE400E4E71 |
| SHA1: | A930CF38566A858FE444D4930B4E6532513C2143 |
| SHA-256: | 67E2A1C6B6DBA99512FB5E64CEDD4EE922C124D2DD07276CABA16008ED926019 |
| SHA-512: | 9C24F2E81D6C1A4CC11297C945E8E61E978E30E6063D1E757DCBA1484C5DBDB4E99013BBEC70419436EE1A491C66E1A3B208B97A8FDD0A8449E002F7FB9D4116 |
| Malicious: | false |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_d6e6e8b58b7a0a9a6bb978481c3782f98cadcf_7522e4b5_dfd94030-e641-470d-9dff-0a9fb81ecb98\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.8758638086453132 |
| Encrypted: | false |
| SSDEEP: | 192:YZZziAO+20BU/wjeTV/zuiFrZ24IO8dci:ozix+dBU/wjeZzuiFrY4IO8dci |
| MD5: | 38BA0D16FE7914AFF2AF6C14D5F77AD8 |
| SHA1: | 3009AEF52F5799A3F598E817242E1B6ED81ED6A0 |
| SHA-256: | 956F3419EA077A14E9FB387BE84AC326D727C37443BAA285323D171CCE4E6410 |
| SHA-512: | 772D104BB5F383DFBEEB27DCE2E678CB88B86979316C0F37488E9394094D2F7DBC6DED9B590D87389425CC46520D8513AE789CE5FEC319BAB9905CC1F4D43A47 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 45638 |
| Entropy (8bit): | 1.871200998695336 |
| Encrypted: | false |
| SSDEEP: | 96:5U8hRBWeDLVgJTJs6YqOduawKMDlthioi75I4v4NuO5rxZz5oleO1gq2E6AL2V0c:tTBBAuBIfPO5H4DzEtxwN33dUtu |
| MD5: | AEEEDF467098312F902A0A0CD53E5FEE |
| SHA1: | 979AA8F6F802B142C1A4E84A3464AF5141475EB3 |
| SHA-256: | 3496595C390B10226B06C9A690CB100F8E4C81FACBA976817825FEA4CD4B3718 |
| SHA-512: | B8249A5846607A678978A32186C7E7E9D77FD26654F59D756FE866218D8FDB7973920D4207FF7E71195B4D2F28F302409CF80E31EF81540A8CC018AB9109079D |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 43298 |
| Entropy (8bit): | 1.9642106665953796 |
| Encrypted: | false |
| SSDEEP: | 192:tTAuBof6qPO5H4XpEb0WXbNBUNGNs6O7xt:JAaJL5Huy06BUNG2bxt |
| MD5: | D960BCA8A8176B783757B2F027967EA5 |
| SHA1: | FFA0AFA76E75FAA01111BEAC722E9587184C24F8 |
| SHA-256: | 49552BD4561BFDC97B5E05FA615BA85593A1F3A8205D78135C8DFF5621A71922 |
| SHA-512: | 178D6240ADA2329FDDDBE7047D92865EA9C3D0994862640EC2BA19C894CA1D5FE4E9D3A80C1549FFD8EB755A77E4B23191D8E23168BABAF752818FBADED1B291 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8262 |
| Entropy (8bit): | 3.68940672433702 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJlE6Ime6Y2s6SgmfTDKTvprr89bWqsfjSm:R6lXJG6Ime6Yt6SgmfTDKaWJfn |
| MD5: | 0F1520E382C0D7EA644CF11E90E82D7D |
| SHA1: | B7F50C5C47455583E298AC71A3CD4D680754A23C |
| SHA-256: | A891FB11F523F85B89217A91178BF23251E7FBBD3297AFD8AA66F6F5C1233A0C |
| SHA-512: | 23CF3F92233929760E7E5DB730F5E08E7200AB419BC479EB05929B0FDB7DB6BF46F641526D1A505729F3C6FBA69348F60688F94DECBAFBDC0AAD18384A35306F |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4644 |
| Entropy (8bit): | 4.460032681230618 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsaJg77aI9HkXWpW8VYGJYm8M4JCdPZFd+q8/cmC/GScSLd:uIjfoI7im7VhYJ0fJ3Ld |
| MD5: | F3E7EED00D2BF74300EE478D9DF03800 |
| SHA1: | BC6615A18ED7AB3CD430BAD6EC589D3E04944D5F |
| SHA-256: | 90A5A7B6B60C9411635F0E56934ABD68C621FE5703EB6B2A3E1AF148D1A55215 |
| SHA-512: | 709C9A1A4C46852515434091F9F93222164598E44A969DB2C925A1E6654A3FEEC2A6FC8DD33C1FD696F61366B7C15551BE17B7FCFEDA2F55A7EA9546465E5DD8 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8256 |
| Entropy (8bit): | 3.691393481881838 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJzQ6Im766YYp6sgmfTDKTvprG89bBXsf6Lm:R6lXJk6Im766YG6sgmfTDKZBcff |
| MD5: | 3B9A46EEEEC2882F019BE80EE43138B7 |
| SHA1: | 33AD85E93680D831DED42A617A16C4648666F4EC |
| SHA-256: | 282C9E6DBE22B967D4D8B81A3824B22167367DEE939B71CA28C2B212E97EAA56 |
| SHA-512: | 07082AF7D0B6FC4F29474B434C7C2E3848486455E9A0256BDB0A182FF246203B3B084020FC3497E255CDA24BF3E2C52A6335D159E2FC9A8B67846F00EF5DFC83 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4644 |
| Entropy (8bit): | 4.46134449168974 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsaJg77aI9HkXWpW8VYG0Ym8M4JCdPZFQ+q8/cbGScSOd:uIjfoI7im7VhBJFFJ3Od |
| MD5: | 4D5B106C04287B20A4C9DADC1D02C494 |
| SHA1: | 9DC5A7A29D5ABFD2876014121D265B42967EBF7F |
| SHA-256: | 9B941F36A21811D68C39369DB2BFD2417F4ABC077499AC7BF9A0C56E1A54782B |
| SHA-512: | 8A7FC19F6B2DF007BDC56C9AE8E92F74822612695B1C130E4A4EC7FEEA1D475583096C43998A77885FD016DB563039BBB850089B694969D57488C8DD8FC3ED45 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 45958 |
| Entropy (8bit): | 2.1484280379853034 |
| Encrypted: | false |
| SSDEEP: | 192:iPTc9BoO5H4HVs/6eESxvUUEslre5S/0FCPHWUBMlRf3:YQDv5Hf/dESCzcC4/0FCPHW8Mz |
| MD5: | 80B9862914FFA1668F6C64352FF296C0 |
| SHA1: | C5653652C8A4FBB3965E3144CCDA24C070CCF111 |
| SHA-256: | 40A573A7BBC02FE1AC5BE0A73EE4A0D766AAC6E18590880EFFDBC8493027FB23 |
| SHA-512: | D8AAF76519580A50FEBD087849C0B5FB71E03F4943DBC0384F30DC538C31D978BE9E8E2B920DC6654C451472A9BE1B70368669B014A258B6696AD627F837C443 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8260 |
| Entropy (8bit): | 3.6883314118336394 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJQn6I7q6Y2m6kgmfTD8NTvpr989b6dsfb7+m:R6lXJY6I7q6Yn6kgmfTDKM6Wfv |
| MD5: | 2930ED431B4F0CCDD88557D2DEB10E5D |
| SHA1: | AA07645E6B5618E0089E8431047CE35BB5BD958F |
| SHA-256: | D0622DC50D1A708E7BBAF51CE1533749A032AEA0B0AB690A22B6EE946ED5100F |
| SHA-512: | DB659373D61BB07D2C3FA9F3D9A975BB6502AC9C2A94922E390B60FA72F1F4F8BE6399C3217C6640659ACB6366F525F7B9B6748D0671278C504652A793D0039A |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4644 |
| Entropy (8bit): | 4.458141725878348 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsVJg77aI9HkXWpW8VYGFYm8M4JCdPnFOty+q8/c1VGScSnd:uIjfvI7im7Vh0JNy3VJ3nd |
| MD5: | 3488B0BF1B5A05FAE3FB145343FDC93E |
| SHA1: | 9BC5DE6397AA7FB6DBFB715E09448D4A4BF2AFFD |
| SHA-256: | C5050A6540613FAFF55122842D4F3DFE95703D8E06C5CDBB676B11CE07D69B46 |
| SHA-512: | 6E9C0B8B6C0165656C9D9C4FD5FC066ED7B33C3D7BC13607563CD18087EFE2F237ED075F973EDDF1C6AB4542326FE2C65EA0FF1D853591DCE4CFB0A2B9A48A59 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 46280 |
| Entropy (8bit): | 2.146436662618237 |
| Encrypted: | false |
| SSDEEP: | 192:ri3ccK8FUO5H4QF9dKotxxFIjAeeZYax4PHa7A++YFBdz:ojp5HdhTxCjAp777lVz |
| MD5: | 1C2C9BFAECA42D3AAE56A4EBAE16C197 |
| SHA1: | 899DD273DDDAB7E0CC99F3C2E365404F0F97BFC6 |
| SHA-256: | C43C34A951F5A4E4BC312C005F8D0BCBDF3A598082C7EE8D54DDBF5B1AEB57C2 |
| SHA-512: | 388C1392858E841B932CEA017C6BA88405F2A3F9197708D7541B2237FD25FDE82088E03729E31D38B2C92C0FADDA2D5951D230AE64557F3FCEC62746968FD46D |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8256 |
| Entropy (8bit): | 3.6899294655381394 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJkx6IP56Y2Y6rgmfTD8NTvprG89bINsfvYm:R6lXJa6IP56YJ6rgmfTDK5IGf1 |
| MD5: | 91C31396375C65C91314E075506AE487 |
| SHA1: | F3EC5196AD138DE14D7624FCE088E2C3A88F8C7A |
| SHA-256: | F8DBFAA29256EEBA6F81D306584A7EF3C5188363F81F222647B9330F2F0B1DE3 |
| SHA-512: | 872079EF9228513D88BF02B4B840530DF82EA781151DBB2B70017DED7B72A7DACBBDB5DA6D8D6220758DFC8DEC6C8FF2D28E9D4A58CE59C29FA096CB4015178B |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4644 |
| Entropy (8bit): | 4.456504835444898 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsVJg77aI9HkXWpW8VYGdYm8M4JCdPnFe+q8/csTGScSrd:uIjfvI7im7Vh8JdKTJ3rd |
| MD5: | 641E355BC5A1893D830055C86975B4AF |
| SHA1: | 0A6DF2D7EF3DF2971C50FD5F6C8A92CDF7421CB2 |
| SHA-256: | B11DCCD7F3C57EBB58CFD67D660A078EDCD851775CADE92900ECFB013498246C |
| SHA-512: | 58D8D122FFBB6ACB6C25C714C7DC5C045C1C5C174BFC2CFE71FAE4FF9BD07AC9B62052039B2CEBC74FFAFB79BCFEC1B52F38A5E09F022329B819D405ED1EBDA1 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 44952 |
| Entropy (8bit): | 2.1816250024290538 |
| Encrypted: | false |
| SSDEEP: | 96:5e89ijjQ1qJjo0fBmIpOts08zrBpTtVKRNzoi75I4v4CamSt3gzyw+8cMRGI/KxP:X9mcbIWNkO5H4AyilKxnzIeFx7NRzYY |
| MD5: | B9A191DDC153244502E06F1A3541F8C1 |
| SHA1: | 685CDFE67DD24B7264EAD8D465449FD65535CDCA |
| SHA-256: | 429549527938B1E5E17BDAD8C480E4E09945EF26BA8381F0273103A4CCEA3010 |
| SHA-512: | BA6488E682730187F458ADAEC50D10FF31E1E1D5A73B1874DDFA4B34DCA428787CDC09DE01F8FE0F434D6D41944F7AFA99A84ED508BBC1FBE1120C7C906F752D |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 45516 |
| Entropy (8bit): | 2.1593747074882073 |
| Encrypted: | false |
| SSDEEP: | 192:XjFjcPPnbkO5H4Ts8FBpxhbozmmv75PaLoG9nx:zFAH35HurpXozmmv752Px |
| MD5: | EA1651D3AF5968CFEAEDB7953886A187 |
| SHA1: | 5951A477DD58FF275A25635265A01525AB51DD46 |
| SHA-256: | 39D45B95E5374EC2917DE8995502C674391D08F8C75C5C9B93BAF10764867E8C |
| SHA-512: | 0B029AEB969CDDBF143502DD5A1DE13664DC674708CCE3D3A081D8164EFDC988FF3E0C65C903CC12F2759E88054BD16FA23AC0613A055E9994DF96BC1171C906 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 42914 |
| Entropy (8bit): | 1.9446121909171394 |
| Encrypted: | false |
| SSDEEP: | 192:6TAuB3fNO5H4YbVx5yqEoPLNell3IRO/N:gAaI5Hnxx9Nell6OF |
| MD5: | FCAB0CD7E07EC7FEDD01388F449A44C9 |
| SHA1: | 513F088566A253F5C7342102E4BFC3B2A137C98A |
| SHA-256: | 85FB63EBFA833B4214177BA6E757572321FD9518C0E9558C65617EEE877ABD10 |
| SHA-512: | CAB9D786F6E5EBACEF126A5A3461038463A0F637D73CC98B5B8AD340043C7996DFE4DC2D3563473E372E6B6346107EE9C1EBCB3148221651F805C4F6B5F4E431 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8252 |
| Entropy (8bit): | 3.690911298573603 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJ0y6Im96Ym36tgmfTDKTvprL89bs8sfZAkm:R6lXJx6Im96YO6tgmfTDKasPfZy |
| MD5: | 74A882F90545F83F2A9A32D873CBEFBF |
| SHA1: | 4759620B202C6A8719449ECDFEE2BA3641918B7C |
| SHA-256: | C752123298E92513A078D584E8424C92344E880D4C1900FA977F51A73DA26525 |
| SHA-512: | 68EA80F2D35720F4BBBEF8739256DC119BBBB6908625E14CA81177A186B216F1C45362C8170C41C736D4643576DCDF7B941E4D672C2A56967A7E6CACF3FB0E0F |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4644 |
| Entropy (8bit): | 4.455885326153716 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsVJg77aI9HkXWpW8VYGJYm8M4JCdPZFr+iI+q8/cmOGScSud:uIjfvI7im7VhYJI+iILJ3ud |
| MD5: | 2F183ACED25BC488A30286796D9A945A |
| SHA1: | E8A3E74FEFFBC0F9967FBD8BE09D32EB44299C4F |
| SHA-256: | F87D61C20229EB49225B4B58C13AC69855700DF72668817394C5402793A0ADB3 |
| SHA-512: | 1616D72554BDB0BE3A534DC5FCB8282BE335020EDDFF8783CFEC00798D997C6A42DCF5BD6D2337D15A8B8963A24091DBDCD18AC32F033C7E3C38D04CD6D1AF53 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8252 |
| Entropy (8bit): | 3.6899617184956033 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJLMo6IP+6Ym86tgmfTD8NTvprp89bs+sf0Ekm:R6lXJP6IP+6Yl6tgmfTDKws9fr |
| MD5: | 0467BC76823A45AFA11E6037E2AB1A24 |
| SHA1: | 0D5B6B8024162E1867DC62D9B0C7A177D3C96CAD |
| SHA-256: | 13AAC73EBF51930B15C721826F126785BD36F6B9F473C6938BEFC30099D28E96 |
| SHA-512: | 8AA1709B3477A52C729710B442133F1BFE2CAB4A6B140D66EBFD92537277C5FBC4C3A3F1AF2FA24B818996D39AD037B87DB9D98CC10DB4FF2A9ECFF7ECE07623 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8248 |
| Entropy (8bit): | 3.6891503419086398 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJ5M6ILNL6Ymg6tgmfTD8NTvpr+89bsWsfAOkm:R6lXJS6IpL6Y56tgmfTDKhs1fAk |
| MD5: | C56FBF82D106DD799AF70D2A4EE519A1 |
| SHA1: | 725777676F431C79EEC61D40B73DAF7194CFB7D7 |
| SHA-256: | C5ADD88D23F77ECB8DCD81079DDD79363FFE35C3671EE98B86D974C9E1B589AE |
| SHA-512: | 13B864B3F52DC208E85B803BEAA0713782994529B101C8A7324C173CEA0EC5BC9E5D442853C788C31AF9987D1AEF37509B04E1140C4AAA8498551A9617E7A171 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4644 |
| Entropy (8bit): | 4.457308961053544 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsVJg77aI9HkXWpW8VYGBoYm8M4JCdPnFY+q8/cXGScSvd:uIjfvI7im7VhBFJb5J3vd |
| MD5: | F6C77D448E14769D06CAB2667D839923 |
| SHA1: | 4C98093B66E2D285A3B9755026A276D896346092 |
| SHA-256: | DD5B6EA9B14373AE70C820F0D60864605762E6D82430C1CA1EBAAF2ACB60C6A4 |
| SHA-512: | 0643C31E80A7ADBEAD2C12EA890F8460F4F43B2119C3DEB7ADDE7AFC1E4A8111A61184838A44377008539975B801D0397B663B99E600F7406999CB4DB42999D8 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1835008 |
| Entropy (8bit): | 4.372862563163917 |
| Encrypted: | false |
| SSDEEP: | 6144:JFVfpi6ceLP/9skLmb0ayWWSPtaJG8nAge35OlMMhA2AX4WABlguNEiL:fV1QyWWI/glMM6kF7Kq |
| MD5: | 7ABEA600C2DE5E0117ECB978FDEEE30B |
| SHA1: | 4A8849BFCF96FDA66086B8EBF9FE2F670AE2A740 |
| SHA-256: | 8A475FE9184813BA4B48C3CB49E866C8F7E9283E7B8F7818511CB3477F1B9B56 |
| SHA-512: | D7E4B12E7B032318ED9E86999AECF8C4680499A8B7C8BC47F6E70A79F4C5504543121D0195B80E60A135E5D33DDC5470DEC3746F251064E7197FED53307320ED |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 4.828041315153659 |
| TrID: |
|
| File name: | PSAbout.dll |
| File size: | 286'720 bytes |
| MD5: | 63bc611e8759bdf6d8d5f8be08942fe9 |
| SHA1: | 5ebc4ccd7c7014e4bcba59a45f73362d30c97f69 |
| SHA256: | 229a826e1a0f3cadcc0410465038d53f62499998f13db4c1f55d07cd563a8388 |
| SHA512: | 76ab897dbe0daa0a7a70cbeea7c224d301b1cc91c74e6f9f2f8795b0cecf5feeff5829b04bdb9d3cf98c61bf0437ba10534c0d36d73ede53f7a7ceed19ba9944 |
| SSDEEP: | 3072:L/QeuZn04JZNIo7ejvfB7bUjX6ri3umoye5JLDOoxwlaZ:7QFZ0MNIee7yj6ri3umorJLDPxwsZ |
| TLSH: | F954C4CCE9304929D3A8963E503677AF09E21C47CDAFA791D39DA83D1E71594A323683 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y...............r...............r.......r.......+.......................+.......................Rich....................PE..L.. |
 | |
| Icon Hash: | 0c0f334d4d320e0c |
| Entrypoint: | 0x10004a65 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x10000000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL |
| DLL Characteristics: | |
| Time Stamp: | 0x4A2FDFE0 [Wed Jun 10 16:31:28 2009 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 27fa98ea6094fe31fb118345761ed249 |
| Instruction |
|---|
| push ebp |
| mov ebp, esp |
| push ebx |
| mov ebx, dword ptr [ebp+08h] |
| push esi |
| mov esi, dword ptr [ebp+0Ch] |
| push edi |
| mov edi, dword ptr [ebp+10h] |
| test esi, esi |
| jne 00007F12B14DCC7Bh |
| cmp dword ptr [10009914h], 00000000h |
| jmp 00007F12B14DCC98h |
| cmp esi, 01h |
| je 00007F12B14DCC77h |
| cmp esi, 02h |
| jne 00007F12B14DCC94h |
| mov eax, dword ptr [10008714h] |
| test eax, eax |
| je 00007F12B14DCC7Bh |
| push edi |
| push esi |
| push ebx |
| call eax |
| test eax, eax |
| je 00007F12B14DCC7Eh |
| push edi |
| push esi |
| push ebx |
| call 00007F12B14DCB8Ah |
| test eax, eax |
| jne 00007F12B14DCC76h |
| xor eax, eax |
| jmp 00007F12B14DCCC0h |
| push edi |
| push esi |
| push ebx |
| call 00007F12B14DC999h |
| cmp esi, 01h |
| mov dword ptr [ebp+0Ch], eax |
| jne 00007F12B14DCC7Eh |
| test eax, eax |
| jne 00007F12B14DCCA9h |
| push edi |
| push eax |
| push ebx |
| call 00007F12B14DCB66h |
| test esi, esi |
| je 00007F12B14DCC77h |
| cmp esi, 03h |
| jne 00007F12B14DCC98h |
| push edi |
| push esi |
| push ebx |
| call 00007F12B14DCB55h |
| test eax, eax |
| jne 00007F12B14DCC75h |
| and dword ptr [ebp+0Ch], eax |
| cmp dword ptr [ebp+0Ch], 00000000h |
| je 00007F12B14DCC83h |
| mov eax, dword ptr [10008714h] |
| test eax, eax |
| je 00007F12B14DCC7Ah |
| push edi |
| push esi |
| push ebx |
| call eax |
| mov dword ptr [ebp+0Ch], eax |
| mov eax, dword ptr [ebp+0Ch] |
| pop edi |
| pop esi |
| pop ebx |
| pop ebp |
| retn 000Ch |
| int3 |
| int3 |
| push FFFFFFFFh |
| push eax |
| mov eax, dword ptr fs:[00000000h] |
| push eax |
| mov eax, dword ptr [esp+0Ch] |
| mov dword ptr fs:[00000000h], esp |
| mov dword ptr [esp+0Ch], ebp |
| lea ebp, dword ptr [esp+0Ch] |
| push eax |
| ret |
| int3 |
| jmp dword ptr [1000631Ch] |
| jmp dword ptr [00000024h] |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x7e20 | 0x98 | .rdata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7598 | 0xb4 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa000 | 0x3b610 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x46000 | 0x8d0 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x6000 | 0x3c0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x4456 | 0x5000 | 8d7cc5acd47dc4f72aa1ef468f839e8f | False | 0.432080078125 | data | 5.5845450672353 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x6000 | 0x1eb8 | 0x2000 | 215c51966c4e99342e53c25ce2d402e2 | False | 0.3514404296875 | data | 4.539670646787237 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x8000 | 0x1924 | 0x1000 | cd24417590847b685d91423a553837a4 | False | 0.25048828125 | data | 3.1422804480790765 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xa000 | 0x3b610 | 0x3c000 | ffbdff51b716aa218bbc13ca505c14a0 | False | 0.19811604817708334 | data | 4.681788491300255 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x46000 | 0xc78 | 0x1000 | 90b4e4f9d00a1c4ac9d824126a073fe6 | False | 0.4677734375 | data | 4.398536625722724 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_BITMAP | 0xcdb8 | 0x13028 | Device independent bitmap graphic, 320 x 240 x 8, image size 76800 | English | United States | 0.11169474982019932 |
| RT_BITMAP | 0x1fde0 | 0x2582a | Device independent bitmap graphic, 480 x 80 x 32, image size 153602, resolution 2834 x 2834 px/m | English | United States | 0.23585347756472838 |
| RT_ICON | 0xa270 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States | 0.24187725631768953 |
| RT_ICON | 0xab18 | 0xca8 | Device independent bitmap graphic, 32 x 64 x 24, image size 3200 | English | United States | 0.25030864197530867 |
| RT_ICON | 0xb7c0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.4222972972972973 |
| RT_ICON | 0xb8e8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2688 | English | United States | 0.22041577825159914 |
| RT_DIALOG | 0xcb20 | 0x208 | data | English | United States | 0.5365384615384615 |
| RT_DIALOG | 0xcd28 | 0x8e | data | English | United States | 0.6971830985915493 |
| RT_GROUP_ICON | 0xc790 | 0x3e | data | English | United States | 0.8548387096774194 |
| RT_VERSION | 0xc7d0 | 0x350 | data | English | United States | 0.45872641509433965 |
| DLL | Import |
|---|---|
| VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA |
| MFC42.DLL | |
| MSVCRT.dll | __CxxFrameHandler, __dllonexit, _onexit, ??1type_info@@UAE@XZ, free, _initterm, malloc, _adjust_fdiv, _mbsstr |
| KERNEL32.dll | LocalFree, GetModuleFileNameA, GetLastError, lstrcatA, lstrlenA, WinExec, lstrcpyA, GetWindowsDirectoryA, LoadLibraryA, FreeLibrary, MulDiv, GetModuleHandleA, LocalAlloc |
| USER32.dll | PtInRect, InvalidateRect, MessageBeep, SetWindowLongA, KillTimer, ScreenToClient, LoadCursorA, SetRect, OffsetRect, LoadBitmapA, SetTimer, EnableWindow, DrawTextA, SendMessageA, GetWindowRect, CopyIcon, GetParent, GetDC, ReleaseDC, InflateRect, IsWindow, GetSysColor, SetCursor, GetClientRect, GetMessagePos |
| GDI32.dll | CreateCompatibleDC, GetTextExtentPoint32A, StretchBlt, GetObjectA, GetStockObject, Rectangle, CreateSolidBrush, CreateFontIndirectA |
| ADVAPI32.dll | RegQueryValueA, RegCloseKey, RegOpenKeyExA |
| SHELL32.dll | ShellExecuteA |
| Name | Ordinal | Address |
|---|---|---|
| _GetAppVersion@8 | 1 | 0x10004090 |
| _ShowAbout@4 | 2 | 0x10003970 |
| _ShowAboutExt@8 | 3 | 0x10003c10 |
| _ShowSplash@4 | 4 | 0x10003eb0 |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 09:37:15 |
| Start date: | 10/10/2024 |
| Path: | C:\Windows\System32\loaddll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xf0000 |
| File size: | 126'464 bytes |
| MD5 hash: | 51E6071F9CBA48E79F10C84515AAE618 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 09:37:15 |
| Start date: | 10/10/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6ee680000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 09:37:16 |
| Start date: | 10/10/2024 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xa40000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 09:37:16 |
| Start date: | 10/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 5 |
| Start time: | 09:37:16 |
| Start date: | 10/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 9 |
| Start time: | 09:37:17 |
| Start date: | 10/10/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xc30000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 10 |
| Start time: | 09:37:17 |
| Start date: | 10/10/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xc30000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 12 |
| Start time: | 09:37:19 |
| Start date: | 10/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 14 |
| Start time: | 09:37:19 |
| Start date: | 10/10/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xc30000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 15 |
| Start time: | 09:37:22 |
| Start date: | 10/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 17 |
| Start time: | 09:37:22 |
| Start date: | 10/10/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xc30000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 18 |
| Start time: | 09:37:25 |
| Start date: | 10/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 19 |
| Start time: | 09:37:25 |
| Start date: | 10/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 20 |
| Start time: | 09:37:25 |
| Start date: | 10/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 21 |
| Start time: | 09:37:25 |
| Start date: | 10/10/2024 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 61'440 bytes |
| MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 26 |
| Start time: | 09:37:25 |
| Start date: | 10/10/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xc30000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 27 |
| Start time: | 09:37:25 |
| Start date: | 10/10/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xc30000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
| Target ID: | 28 |
| Start time: | 09:37:25 |
| Start date: | 10/10/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xc30000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 4.4% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 374 |
| Total number of Limit Nodes: | 11 |
Graph
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100047D9 Relevance: 31.6, APIs: 21, Instructions: 99COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10004900 Relevance: 9.0, APIs: 6, Instructions: 25memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10001420 Relevance: 89.6, APIs: 47, Strings: 4, Instructions: 301windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002620 Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 313windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002250 Relevance: 52.6, APIs: 25, Strings: 5, Instructions: 148windowtimeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10003260 Relevance: 28.7, APIs: 19, Instructions: 186COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10003EB0 Relevance: 25.6, APIs: 17, Instructions: 104COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10001000 Relevance: 22.6, APIs: 15, Instructions: 97COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100011D0 Relevance: 22.6, APIs: 15, Instructions: 73COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100037B0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 87stringprocessCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10003480 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 52librarywindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10001330 Relevance: 16.6, APIs: 11, Instructions: 62COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002150 Relevance: 10.5, APIs: 7, Instructions: 41COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002070 Relevance: 9.1, APIs: 6, Instructions: 51COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002C30 Relevance: 9.0, APIs: 6, Instructions: 46COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002A00 Relevance: 7.6, APIs: 5, Instructions: 71COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002B50 Relevance: 6.0, APIs: 4, Instructions: 47COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100030F0 Relevance: 6.0, APIs: 4, Instructions: 37COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 1000431C Relevance: 6.0, APIs: 4, Instructions: 23COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 20% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 1.1% |
| Total number of Nodes: | 374 |
| Total number of Limit Nodes: | 11 |
Graph
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10001420 Relevance: 89.6, APIs: 47, Strings: 4, Instructions: 301windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100047D9 Relevance: 31.6, APIs: 21, Instructions: 99COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10003260 Relevance: 28.7, APIs: 19, Instructions: 186COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100011D0 Relevance: 22.6, APIs: 15, Instructions: 73COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10003480 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 52librarywindowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10001330 Relevance: 16.6, APIs: 11, Instructions: 62COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002C30 Relevance: 9.0, APIs: 6, Instructions: 46COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10004900 Relevance: 9.0, APIs: 6, Instructions: 25memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 1000478E Relevance: 4.5, APIs: 3, Instructions: 20COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002620 Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 313windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002250 Relevance: 52.6, APIs: 25, Strings: 5, Instructions: 148windowtimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10003EB0 Relevance: 25.6, APIs: 17, Instructions: 104COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10001000 Relevance: 22.6, APIs: 15, Instructions: 97COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100037B0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 87stringprocessCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002150 Relevance: 10.5, APIs: 7, Instructions: 41COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002070 Relevance: 9.1, APIs: 6, Instructions: 51COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002A00 Relevance: 7.6, APIs: 5, Instructions: 71COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002B50 Relevance: 6.0, APIs: 4, Instructions: 47COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100030F0 Relevance: 6.0, APIs: 4, Instructions: 37COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 1000431C Relevance: 6.0, APIs: 4, Instructions: 23COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 20.1% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 374 |
| Total number of Limit Nodes: | 11 |
Graph
Function 10001420 Relevance: 89.6, APIs: 47, Strings: 4, Instructions: 301windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100047D9 Relevance: 31.6, APIs: 21, Instructions: 99COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10003260 Relevance: 28.7, APIs: 19, Instructions: 186COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100011D0 Relevance: 22.6, APIs: 15, Instructions: 73COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10003480 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 52librarywindowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10001330 Relevance: 16.6, APIs: 11, Instructions: 62COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002C30 Relevance: 9.0, APIs: 6, Instructions: 46COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10004900 Relevance: 9.0, APIs: 6, Instructions: 25memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 1000478E Relevance: 4.5, APIs: 3, Instructions: 20COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002620 Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 313windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002250 Relevance: 52.6, APIs: 25, Strings: 5, Instructions: 148windowtimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10003EB0 Relevance: 25.6, APIs: 17, Instructions: 104COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10001000 Relevance: 22.6, APIs: 15, Instructions: 97COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100037B0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 87stringprocessCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002150 Relevance: 10.5, APIs: 7, Instructions: 41COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002070 Relevance: 9.1, APIs: 6, Instructions: 51COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002A00 Relevance: 7.6, APIs: 5, Instructions: 71COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002B50 Relevance: 6.0, APIs: 4, Instructions: 47COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100030F0 Relevance: 6.0, APIs: 4, Instructions: 37COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 1000431C Relevance: 6.0, APIs: 4, Instructions: 23COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 20% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 374 |
| Total number of Limit Nodes: | 11 |
Graph
Function 10001420 Relevance: 89.6, APIs: 47, Strings: 4, Instructions: 301windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100047D9 Relevance: 31.6, APIs: 21, Instructions: 99COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10003260 Relevance: 28.7, APIs: 19, Instructions: 186COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100011D0 Relevance: 22.6, APIs: 15, Instructions: 73COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10003480 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 52librarywindowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10001330 Relevance: 16.6, APIs: 11, Instructions: 62COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002C30 Relevance: 9.0, APIs: 6, Instructions: 46COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10004900 Relevance: 9.0, APIs: 6, Instructions: 25memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 1000478E Relevance: 4.5, APIs: 3, Instructions: 20COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002620 Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 313windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002250 Relevance: 52.6, APIs: 25, Strings: 5, Instructions: 148windowtimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10003EB0 Relevance: 25.6, APIs: 17, Instructions: 104COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10001000 Relevance: 22.6, APIs: 15, Instructions: 97COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100037B0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 87stringprocessCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002150 Relevance: 10.5, APIs: 7, Instructions: 41COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002070 Relevance: 9.1, APIs: 6, Instructions: 51COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002A00 Relevance: 7.6, APIs: 5, Instructions: 71COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002B50 Relevance: 6.0, APIs: 4, Instructions: 47COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100030F0 Relevance: 6.0, APIs: 4, Instructions: 37COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 1000431C Relevance: 6.0, APIs: 4, Instructions: 23COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 20.1% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 374 |
| Total number of Limit Nodes: | 11 |
Graph
Function 10001420 Relevance: 89.6, APIs: 47, Strings: 4, Instructions: 301windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100047D9 Relevance: 31.6, APIs: 21, Instructions: 99COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10003260 Relevance: 28.7, APIs: 19, Instructions: 186COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100011D0 Relevance: 22.6, APIs: 15, Instructions: 73COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10003480 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 52librarywindowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10001330 Relevance: 16.6, APIs: 11, Instructions: 62COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002C30 Relevance: 9.0, APIs: 6, Instructions: 46COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10004900 Relevance: 9.0, APIs: 6, Instructions: 25memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 1000478E Relevance: 4.5, APIs: 3, Instructions: 20COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002620 Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 313windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002250 Relevance: 52.6, APIs: 25, Strings: 5, Instructions: 148windowtimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10003EB0 Relevance: 25.6, APIs: 17, Instructions: 104COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10001000 Relevance: 22.6, APIs: 15, Instructions: 97COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100037B0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 87stringprocessCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002150 Relevance: 10.5, APIs: 7, Instructions: 41COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002070 Relevance: 9.1, APIs: 6, Instructions: 51COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002A00 Relevance: 7.6, APIs: 5, Instructions: 71COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002B50 Relevance: 6.0, APIs: 4, Instructions: 47COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100030F0 Relevance: 6.0, APIs: 4, Instructions: 37COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 1000431C Relevance: 6.0, APIs: 4, Instructions: 23COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|