Error report: requires version 4.70 of comctl32.dll (2024)

This report has 19 indicators that were mapped to 13 attack techniques and 7 tactics.



  • Installation/Persistence
    • "setup.exe" allocated memory in "\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData" source API Call relevance 7/10 ATT&CK ID T1055 []
    • "setup.exe" wrote 1500 bytes to a remote process "%WINDIR%\SysWOW64\msiexec.exe" [Handle: 504]
      "setup.exe" wrote 4 bytes to a remote process "%WINDIR%\\SysWOW64\\msiexec.exe" [Handle: 504]  
      "setup.exe" wrote 8 bytes to a remote process "%WINDIR%\\SysWOW64\\msiexec.exe" [Handle: 504]  
      "setup.exe" wrote 32 bytes to a remote process "%WINDIR%\\SysWOW64\\msiexec.exe" [Handle: 504]  
      "setup.exe" wrote 52 bytes to a remote process "%WINDIR%\\SysWOW64\\msiexec.exe" [Handle: 504] source API Call relevance 6/10 ATT&CK ID T1055 []
  • Unusual Characteristics
    • ExitWindowsEx@USER32.DLL from [PID: 2232] [] source Hybrid Analysis Technology relevance 5/10
    • "msiexec.exe" touched "K:"
      "msiexec.exe" touched "L:"  
      "msiexec.exe" touched "M:"  
      "msiexec.exe" touched "N:"  
      "msiexec.exe" touched "O:"  
      "msiexec.exe" touched "P:"  
      "msiexec.exe" touched "Q:"  
      "msiexec.exe" touched "R:"  
      "msiexec.exe" touched "S:"  
      "msiexec.exe" touched "T:"  
      "msiexec.exe" touched "U:"  
      "msiexec.exe" touched "V:" source API Call relevance 9/10 ATT&CK ID T1083 []
  • Anti-Detection/Stealthiness
    • "setup.exe" at 00009282-00002232-00000033-13902243213
      "msiexec.exe" at 00009820-00002808-00000033-23774296336 source API Call relevance 6/10
  • Cryptographic Related
    • "DES" [Indicator: "des"; File: "7d6118fa77fd9e50552122f2d9836a62c199d4e3fede9f5fb9272bf7ff603042.bin"] source File/Memory relevance 10/10
  • Environment Awareness
    • "msiexec.exe" [Path: "HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INSTALLER\\USERDATA\\S-1-5-18\\PRODUCTS\\FFEBC2A5CCE00EF4099004403746DF7B\\INSTALLPROPERTIES"] source Registry Access relevance 10/10
    • "setup.exe" [Path: "HKLM\\SOFTWARE\\MICROSOFT\\CRYPTOGRAPHY"; Key: "MACHINEGUID"] "msiexec.exe" [Path: "HKLM\\SOFTWARE\\MICROSOFT\\CRYPTOGRAPHY"; Key: "MACHINEGUID"] source Registry Access relevance 10/10 ATT&CK ID T1012 []
  • General
    • "setup.exe" read file "%TEMP%\{006E0943-9169-4626-96C5-70863307CF22}\Setup.INI"
      "setup.exe" read file "%TEMP%\\{006E0943-9169-4626-96C5-70863307CF22}\\\_ISMSIDEL.INI"  
      "setup.exe" read file "%TEMP%\\{006E0943-9169-4626-96C5-70863307CF22}\\0x0409.ini" source API Call relevance 4/10
  • Installation/Persistence
    • "MSI3AD7.tmp" has type "PE32 executable [DLL] [GUI] Intel 80386 for MS Windows" source Binary File relevance 10/10
  • Network Related
    • ""
      Heuristic match: "ScriptVer=" source File/Memory relevance 3/10
  • System Destruction
    • "C:\setup.exe" marked "%TEMP%\_is4193.tmp" for deletion
      "C:\\setup.exe" marked "%TEMP%\\\_is428E.tmp" for deletion  
      "C:\\setup.exe" marked "%TEMP%\\\_is431D.tmp" for deletion  
      "C:\\setup.exe" marked "%TEMP%\\\~431C.tmp" for deletion  
      "C:\\setup.exe" marked "%TEMP%\\\_MSI5166.\_IS" for deletion  
      "C:\\setup.exe" marked "%TEMP%\\\_is43C9.tmp" for deletion  
      "C:\\setup.exe" marked "%TEMP%\\\_is5000.tmp" for deletion  
      "C:\\setup.exe" marked "%TEMP%\\\~4FFF.tmp" for deletion  
      "%WINDIR%\\SysWOW64\\msiexec.exe" marked "C:\\MSI263ff.tmp" for deletion  
      "%WINDIR%\\SysWOW64\\msiexec.exe" marked "%TEMP%\\MSI3AD7.tmp" for deletion source API Call relevance 10/10 ATT&CK ID T1107 []  
    • details "setup.exe" opened "%TEMP%\\\_is4193.tmp" with delete access "setup.exe" opened "%TEMP%\\\_is428E.tmp" with delete access "setup.exe" opened "%TEMP%\\\_is431D.tmp" with delete access "setup.exe" opened "%TEMP%\\\~431C.tmp" with delete access "setup.exe" opened "%TEMP%\\\_MSI5166.\_IS" with delete access "setup.exe" opened "%TEMP%\\\_is43C9.tmp" with delete access "setup.exe" opened "%TEMP%\\\_is5000.tmp" with delete access "setup.exe" opened "%TEMP%\\\~4FFF.tmp" with delete access "msiexec.exe" opened "C:\\MSI263ff.tmp" with delete access "msiexec.exe" opened "%SAMPLEDIR%\\MSI26400.tmp" with delete access "msiexec.exe" opened "%TEMP%\\MSI3AD7.tmp" with delete access source API Call relevance 7/10
  • System Security
    • SetSecurityDescriptorDacl@ADVAPI32.DLL from [PID: 2232] [] source Hybrid Analysis Technology relevance 10/10
  • Unusual Characteristics
    • "MSI3AD7.tmp" claimed CRC 106589 while the actual is CRC 8350356 source Static Parser relevance 10/10
    • RegDeleteKeyA
      ShellExecuteExW source Static Parser relevance 1/10  
    • details "setup.exe" wrote bytes "711109027a3b0802ab8b02007f950200fc8c0200729602006cc805001ecd05027d260502" to virtual address "0x75A507E4" [part of module "USER32.DLL"] "setup.exe" wrote bytes "b8c015ef73ffe0" to virtual address "0x753236B4" [part of module "SSPICLI.DLL"] "setup.exe" wrote bytes "b83012ef73ffe0" to virtual address "0x75EE1368" [part of module "WS2\_32.DLL"] "setup.exe" wrote bytes "d83a3275" to virtual address "0x75330274" [part of module "SSPICLI.DLL"] "setup.exe" wrote bytes "b84013ef73ffe0" to virtual address "0x75323AD8" [part of module "SSPICLI.DLL"] "setup.exe" wrote bytes "d83a0200" to virtual address "0x75324E38" [part of module "SSPICLI.DLL"] "setup.exe" wrote bytes "d83a0200" to virtual address "0x75324D78" [part of module "SSPICLI.DLL"] "setup.exe" wrote bytes "d83a3275" to virtual address "0x75330258" [part of module "SSPICLI.DLL"] "setup.exe" wrote bytes "b4363275" to virtual address "0x75330278" [part of module "SSPICLI.DLL"] "setup.exe" wrote bytes "68130000" to virtual address "0x75EE1680" [part of module "WS2\_32.DLL"] "setup.exe" wrote bytes "b4363275" to virtual address "0x7533025C" [part of module "SSPICLI.DLL"] "setup.exe" wrote bytes "d83a3275" to virtual address "0x753301FC" [part of module "SSPICLI.DLL"] "setup.exe" wrote bytes "d83a3275" to virtual address "0x753301E0" [part of module "SSPICLI.DLL"] "setup.exe" wrote bytes "b4363275" to virtual address "0x75330200" [part of module "SSPICLI.DLL"] "setup.exe" wrote bytes "b4360200" to virtual address "0x75324EA4" [part of module "SSPICLI.DLL"] "setup.exe" wrote bytes "b4363275" to virtual address "0x753301E4" [part of module "SSPICLI.DLL"] "setup.exe" wrote bytes "c0dfa8771cf9a777ccf8a7770d64a97700000000c011de7500000000fc3ede7500000000e013de75000000009457c27625e0a877c6e0a87700000000bc6ac17600000000cf31de75000000009319c276000000002c32de7500000000" to virtual address "0x75B91000" [part of module "NSI.DLL"] "setup.exe" wrote bytes "b4360200" to virtual address "0x75324D68" 
[part of module "SSPICLI.DLL"] "setup.exe" wrote bytes "6012ef73" to virtual address "0x755EE324" [part of module "WININET.DLL"] source Hook Detection relevance 10/10 ATT&CK ID T1179 []
    • "setup.exe" [Path: "HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\LOCALE"; Key: "00000409"] "msiexec.exe" [Path: "HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\LOCALE"; Key: "00000409"] "msiexec.exe" [Path: "HKCU\\CONTROL PANEL\\INTERNATIONAL"; Key: "LOCALENAME"] source Registry Access relevance 3/10 ATT&CK ID T1012 []
  • Hiding 6 Suspicious Indicators
  • Anti-Reverse Engineering
    • Found reference to API GetDiskFreeSpaceExA@KERNEL32.DLL from [PID: 2232] []
      Found reference to API GetNativeSystemInfo@KERNEL32.DLL from [PID: 2232] []  
      Found reference to API GetSystemDefaultUILanguage@KERNEL32.DLL from [PID: 2232] []  
      Found reference to API GetSystemWindowsDirectoryA@KERNEL32.DLL from [PID: 2232] []  
      Found reference to API IsWow64Process@KERNEL32.DLL from [PID: 2232] []  
      Found reference to API GetProcessId@KERNEL32.DLL from [PID: 2232] []  
      Found reference to API GetProcessId@KERNEL32.DLL from [PID: 2232] []  
      Found reference to API GetProcessId@KERNEL32.DLL from [PID: 2232] []  
      Found reference to API IsProcessorFeaturePresent@KERNEL32.DLL from [PID: 2232] [] source Hybrid Analysis Technology relevance 10/10
  • Environment Awareness
    • Found API call GetVersion@KERNEL32.dll directly followed by "cmp eax, 80000000h" and "jbe 00445005h" []
      Found API call GetTimeZoneInformation@KERNEL32.dll directly followed by "cmp eax, FFFFFFFFh" and "je 004756BFh" []  
      Found API call GetVersion@KERNEL32.dll directly followed by "cmp eax, 80000000h" and "jbe 00449F45h" []  
      Found API call GetVersionExA@KERNEL32.dll directly followed by "cmp dword ptr \[ebp-00000084h\], 01h" and "jne 0043B033h" []  
      Found API call GetVersion@KERNEL32.dll directly followed by "cmp eax, 80000000h" and "jbe 00449F29h" []  
      Found API call GetVersion@KERNEL32.DLL directly followed by "cmp eax, 80000000h" and "jbe 00449F0Dh" from [PID: 2232] []  
      Found API call GetVersionExA@KERNEL32.DLL directly followed by "cmp word ptr \[ebp-000000FCh\], 0001h" and "jnc 0041DDAEh" from [PID: 2232] []  
      Found API call GetVersionExA@KERNEL32.DLL directly followed by "cmp dword ptr \[ebp-00000188h\], 05h" and "jne 00418CD2h" from [PID: 2232] []  
      Found API call GetVersion@KERNEL32.DLL directly followed by "cmp ecx, eax" and "ret " from [PID: 2232] []  
      Found API call GetVersionExA@KERNEL32.DLL directly followed by "cmp dword ptr \[ebp-00000084h\], 01h" and "jne 0043B033h" from [PID: 2232] []  
      Found API call GetVersion@KERNEL32.DLL directly followed by "cmp eax, 80000000h" and "jbe 00445005h" from [PID: 2232] []  
      Found API call GetTimeZoneInformation@KERNEL32.DLL directly followed by "cmp eax, FFFFFFFFh" and "je 004756BFh" from [PID: 2232] []  
      Found API call GetVersion@KERNEL32.DLL directly followed by "cmp eax, 80000000h" and "jbe 00449F45h" from [PID: 2232] []  
      Found API call GetVersion@KERNEL32.DLL directly followed by "cmp eax, 80000000h" and "jbe 00449F29h" from [PID: 2232] [] source Hybrid Analysis Technology relevance 10/10  
    • "msiexec.exe" queries volume information of "C:\\" at 00009820-00002808-00000046-19510491934 "msiexec.exe" queries volume information of "C:\\share" at 00009820-00002808-00000046-23629886327 source API Call relevance 2/10 ATT&CK ID T1120 []
  • External Systems
    • 0/61 Antivirus vendors marked sample as malicious [0% detection rate] source External System relevance 10/10
  • General
    • "C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup___Win32_Release\setup.pdb" source File/Memory relevance 1/10
    • "setup.exe" created file "%TEMP%\{006E0943-9169-4626-96C5-70863307CF22}\Setup.INI"
      "setup.exe" created file "C:\\Users\\%USERNAME%\\AppData\\Local\\Temp\\{006E0943-9169-4626-96C5-70863307CF22}\\\_ISMSIDEL.INI"  
      "setup.exe" created file "C:\\Users\\%USERNAME%\\AppData\\Local\\Temp\\\_is428E.tmp"  
      "setup.exe" created file "C:\\Users\\%USERNAME%\\AppData\\Local\\Temp\\{006E0943-9169-4626-96C5-70863307CF22}\\0x0409.ini"  
      "setup.exe" created file "C:\\Users\\%USERNAME%\\AppData\\Local\\Temp\\\_is431D.tmp"  
      "setup.exe" created file "C:\\Users\\%USERNAME%\\AppData\\Local\\Temp\\\~431C.tmp"  
      "setup.exe" created file "C:\\Users\\%USERNAME%\\AppData\\Local\\Temp\\\_is43C9.tmp"  
      "setup.exe" created file "C:\\Users\\%USERNAME%\\AppData\\Local\\Temp\\\_MSI5166.\_IS"  
      "setup.exe" created file "C:\\Users\\%USERNAME%\\AppData\\Local\\Temp\\\_is4193.tmp"  
      "setup.exe" created file "C:\\Users\\%USERNAME%\\AppData\\Local\\Temp\\{006E0943-9169-4626-96C5-70863307CF22}\\TeraLink PRO.msi"  
      "setup.exe" created file "C:\\Users\\%USERNAME%\\AppData\\Local\\Temp\\\_is5000.tmp"  
      "setup.exe" created file "C:\\Users\\%USERNAME%\\AppData\\Local\\Temp\\\~4FFF.tmp"  
      "msiexec.exe" created file "C:\\Users\\%USERNAME%\\AppData\\Local\\Temp\\MSI3AD7.tmp" source API Call relevance 1/10  
    • "\\Sessions\\1\\BaseNamedObjects\\Global\\\_MSIExecute" "Global\\\_MSIExecute" source Created Mutant relevance 3/10
    • Antivirus vendors marked dropped file "MSI3AD7.tmp" as clean [type is "PE32 executable [DLL] [GUI] Intel 80386 for MS Windows"] source Binary File relevance 10/10
    • "msiexec.exe" touched "Msi install server" [Path: "HKCU\\WOW6432NODE\\CLSID\\{000C101C-0000-0000-C000-000000000046}\\TREATAS"] "msiexec.exe" touched "PSFactoryBuffer" [Path: "HKCU\\WOW6432NODE\\CLSID\\{000C103E-0000-0000-C000-000000000046}\\TREATAS"] "msiexec.exe" touched "Microsoft Windows Installer Message RPC" [Path: "HKCU\\CLSID\\{000C101D-0000-0000-C000-000000000046}\\DLLVERSION"] source Registry Access relevance 3/10
    • Process "msiexec.exe" [] was launched with new environment variables: "\_\_PROCESS\_HISTORY="C:\\setup.exe"" source Monitored Target relevance 10/10
    • Spawned process "msiexec.exe" with commandline "/i "%WINDIR%\\Downloaded Installations\\{745362CF-6BF4-4907-802A-9 ..." [] source Monitored Target relevance 3/10
    • Spawned process "msiexec.exe" with commandline "/i "%WINDIR%\\Downloaded Installations\\{745362CF-6BF4-4907-802A-9 ..." [] source Monitored Target relevance 3/10
  • Installation/Persistence
    • "setup.exe" connecting to "\ThemeApiPort"
      "msiexec.exe" connecting to "\\ThemeApiPort" source API Call relevance 1/10  
    • details "TeraLink PRO.msi" has type "Composite Document File V2 Document Can't read SAT" "\~4FFF.tmp" has type "ASCII text with CRLF line terminators" "\_ISMSIDEL.INI" has type "ASCII text with CRLF line terminators" "\~431C.tmp" has type "ASCII text with CRLF line terminators" "\_is428E.tmp" has type "zlib compressed data" "\_is4193.tmp" has type "zlib compressed data" "\_is431D.tmp" has type "zlib compressed data" "0x0409.ini" has type "Little-endian UTF-16 Unicode text with very long lines with CRLF CR line terminators" "Setup.INI" has type "ASCII text with CRLF line terminators" "\_is43C9.tmp" has type "zlib compressed data" "\_is5000.tmp" has type "zlib compressed data" "MSI3AD7.tmp" has type "PE32 executable [DLL] [GUI] Intel 80386 for MS Windows" source Binary File relevance 3/10
    • details "setup.exe" touched file "%WINDIR%\\Globalization\\Sorting\\SortDefault.nls" "setup.exe" touched file "C:\\Windows\\SysWOW64\\en-US\\msctf.dll.mui" "setup.exe" touched file "C:\\Windows\\AppPatch\\sysmain.sdb" "setup.exe" touched file "C:\\Windows\\AppPatch\\AcGenral.dll" "setup.exe" touched file "C:\\Windows\\Fonts\\StaticCache.dat" "setup.exe" touched file "C:\\Windows\\SysWOW64\\rsaenh.dll" "setup.exe" touched file "C:\\Windows\\Downloaded Installations" "setup.exe" touched file "C:\\Windows\\Downloaded Installations\\{745362CF-6BF4-4907-802A-916E9871DE08}" "setup.exe" touched file "C:\\Windows\\Downloaded Installations\\{745362CF-6BF4-4907-802A-916E9871DE08}\\TeraLink PRO.msi" "setup.exe" touched file "C:\\Windows\\SysWOW64\\msiexec.exe" "msiexec.exe" touched file "C:\\Windows\\AppPatch\\AcLayers.dll" "msiexec.exe" touched file "C:\\Windows\\AppPatch\\AcGenral.dll" "msiexec.exe" touched file "C:\\Windows\\SysWOW64\\en-US\\msiexec.exe.mui" "msiexec.exe" touched file "C:\\Windows\\Downloaded Installations\\{745362CF-6BF4-4907-802A-916E9871DE08}\\TeraLink PRO.msi" source API Call relevance 7/10
  • Network Related
    • Pattern match: "//www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d"
      Heuristic match: ";r\[eR=.Mr"  
      Heuristic match: "V74D"  
      Pattern match: "www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d"  
      Pattern match: "//crl.verisign.com/tss-ca.crl0U%0"  
      Pattern match: "crl.verisign.com/ThawteTimestampingCA.crl0U%0"  
      Pattern match: "//www.verisign.com/rpa"  
      Pattern match: "//www.verisign.com/rpa01U\*0"  
      Pattern match: "//CSC3-2004-crl.verisign.com/CSC3-2004.crl0DU"  
      Pattern match: "CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0U # 0Q==d6|h[x70`HB0"  
      Pattern match: "www.acresso.com0"  
      Pattern match: "GetEnvironmentStringsAGetEnvironmentStringsWBGetEnvironmentVariableAHeapDestroyHeapCreateXVirtualFreeUVirtualAllocIsBadWritePtrIsBadCodePtrSetStdHandleFlushFileBuffersADVAPI32.dll//J////pYp@V000+0SetAllUsers.dllISDetectVMPrintScrollableTextSetAllUsersSetTA"  
      Pattern match: "xyxxxJlstrcatWlstrcpyWSetCurrentDirectoryW.GetCurrentDirectoryWKERNEL32.dll/CharPrevW,CharNextWwsprintfWUSER32.dllShellExecuteExWShellExecuteWSHELL32.dllmsi.dlliWideCharToMultiByteRtlUnwindGetCommandLineAGetVersion2GetCurrentThreadId9TlsSetValue6TlsAlloc7T"  
      Heuristic match: "p,t\[.MP"  
      Pattern match: "e.jS/X=\\Hh\~'x4?hpqXns\]6"  
      Heuristic match: "j'?wax+id\_0HdnZn.L+knA!9:Jqsj6A'4]sB|-f|+A21^w\*>b7\`>9-\]A'$2WIWV9\]\_\_6la.ro"  
      Pattern match: "qh.vrd/i9wE=m?sL:6Zwq3+eDQBuw-[ntyt1zc\\kSQ]\~=qk:;3'3^fN"  
      Heuristic match: "!#$%&'[]\*+,-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\\\]^\_\`abcdefghijklmnopqrstuvwxyz{|}\~d>/d.GR"  
      Pattern match: "F.OpL/wNJ"  
      Heuristic match: "4^IhGo!T.Dm"  
      Heuristic match: ",vDAjbR\`:{I+D6.vA"  
      Pattern match: "9SDiw.Lo/mEA1B7\_8{Ade{@4:FOIPvIR\[%\*\\^mJ1OESgie\`uq'?!ZuU$y8}tz7"  
      Pattern match: "cX.ROCe/1G\*m\*7E7" source File/Memory relevance 10/10
  • Unusual Characteristics
    • "7d6118fa77fd9e50552122f2d9836a62c199d4e3fede9f5fb9272bf7ff603042.bin" was detected as "Microsoft visual C++ 5.0"
      "MSI3AD7.tmp" was detected as "Armadillo v1.xx - v2.xx" source Static Parser relevance 10/10 ATT&CK ID T1002 []

File Details

  • Filename: setup.exe
  • Size: 7.9MiB [8296239 bytes]
  • Type: peexe executable
  • Description: PE32 executable [GUI] Intel 80386, for MS Windows
  • Architecture: WINDOWS
  • SHA256: 7d6118fa77fd9e50552122f2d9836a62c199d4e3fede9f5fb9272bf7ff603042
  • Compiler/Packer: Microsoft visual C++ 5.0
  • PDB Timestamp: 06/10/2009 19:02:35 [UTC]
  • Language: NEUTRAL


Input File [PortEx]

Version Info

  • LegalCopyright: Copyright [C] 2009 Acresso Software Inc. and/or InstallShield Co. Inc. All Rights Reserved.
  • InternalName: Setup
  • FileVersion: 3.2
  • CompanyName: Metrel d.d.
  • Internal Build Number: 90563
  • ProductName: TeraLink PRO
  • ProductVersion: 3.2
  • FileDescription: Setup Launcher
  • OriginalFilename: Setup.exe
  • Translation: 0x0409 0x04b0

Classification [TrID]

  • 53.8% [.EXE] Win64 Executable [generic]
  • 25.5% [.SCR] Windows screen saver
  • 8.7% [.EXE] Win32 Executable [generic]
  • 3.9% [.EXE] OS/2 Executable [generic]
  • 3.9% [.EXE] Generic Win/DOS Executable

File Sections

  • .text: Entropy 6.65214992227; Virtual Address 0x1000; Virtual Size 0x88ca9; Raw Size 0x88e00; MD5 2c2a8f3d0993ecc7f8afd65717b2f327
  • .rdata: Entropy 5.04475687042; Virtual Address 0x8a000; Virtual Size 0x14c3c; Raw Size 0x14e00; MD5 02ee3856e649cf68ee925f051145ed34
  • .data: Entropy 3.88066637318; Virtual Address 0x9f000; Virtual Size 0xd624; Raw Size 0x9c00; MD5 d6014e0c8a50b604c9cb70386a5a6922
  • .rsrc: Entropy 6.63124321107; Virtual Address 0xad000; Virtual Size 0x50098; Raw Size 0x50200; MD5 6fcabacebf133c0120ae568537fda41c


Hybrid Analysis

Analysed 2 processes in total.

Network Analysis

DNS Requests

No relevant DNS requests were made.

HTTP Traffic

No relevant HTTP requests were made.

Memory Forensics

Extracted Files


  • Not all Falcon MalQuery lookups completed in time
  • Not all IP/URL string resources were checked online
  • Not all sources for indicator ID "api-31" are available in the report
  • Not all sources for indicator ID "api-55" are available in the report
  • Not all sources for indicator ID "api-6" are available in the report
  • Not all sources for indicator ID "stream-3" are available in the report
  • Not all sources for indicator ID "string-64" are available in the report
  • Not all strings are visible in the report, because the maximum number of strings was reached [5000]
  • Some low-level data is hidden, as this is only a slim report

