Windows
Analysis Report
5Dw2hTQmiB.exe
Overview
General Information
Sample name: | 5Dw2hTQmiB.exe (renamed because original name is a hash value) |
Original sample name: | 017adc7dfb6b77dd2c14f7f7a4933f1c.exe |
Analysis ID: | 1427868 |
MD5: | 017adc7dfb6b77dd2c14f7f7a4933f1c |
SHA1: | 1038aa153bfc7e29ffea56b13f24e6f98d7413d2 |
SHA256: | b2f99dd2c6fa0d0321832ac217f6a9842b4b27f3dbfff993547ba2c593573fba |
Tags: | 32, exe, trojan |
Infos: | |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- 5Dw2hTQmiB.exe (PID: 6988 cmdline: "C:\Users\user\Desktop\5Dw2hTQmiB.exe" MD5: 017ADC7DFB6B77DD2C14F7F7A4933F1C)
  - WerFault.exe (PID: 4928 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6988 -s 1624 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | |
{"C2 url": ["wifeplasterbakewis.shop", "mealplayerpreceodsju.shop", "bordersoarmanusjuw.shop", "suitcaseacanehalk.shop", "absentconvicsjawun.shop", "pushjellysingeywus.shop", "economicscreateojsu.shop", "entitlementappwo.shop", "exceptionwillapews.shop"], "Build id": "P6Mk0M--key"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | | |
Windows_Trojan_Smokeloader_3687686f | unknown | unknown | | |
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | | |
JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | | |
JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | | |
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype |
---|---|---|---|---|---|
04/18/24-09:32:11.120979 | 2052049 | 49733 | 443 | TCP | A Network Trojan was detected |
04/18/24-09:32:12.067364 | 2052049 | 49734 | 443 | TCP | A Network Trojan was detected |
04/18/24-09:32:15.106009 | 2052049 | 49737 | 443 | TCP | A Network Trojan was detected |
04/18/24-09:32:09.305940 | 2052049 | 49731 | 443 | TCP | A Network Trojan was detected |
04/18/24-09:32:08.210974 | 2052048 | 60512 | 53 | UDP | A Network Trojan was detected |
04/18/24-09:32:12.955304 | 2052049 | 49735 | 443 | TCP | A Network Trojan was detected |
04/18/24-09:32:13.747309 | 2052049 | 49736 | 443 | TCP | A Network Trojan was detected |
04/18/24-09:32:10.239652 | 2052049 | 49732 | 443 | TCP | A Network Trojan was detected |
04/18/24-09:32:08.516255 | 2052049 | 49730 | 443 | TCP | A Network Trojan was detected |
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Source: | Joe Sandbox ML: |
Source: | String decryptor: | ||
Source: | Code function: | 0_2_00415B57 |
Compliance |
---|
Source: | Unpacked PE file: |
Source: | Static PE information: |
Source: | File opened: | Jump to behavior |
Source: | HTTPS traffic detected: | ||
Source: | Code function: | 0_2_00417239 | |
Source: | Code function: | 0_2_004212B0 | |
Source: | Code function: | 0_2_00415390 | |
Source: | Code function: | 0_2_00421670 | |
Source: | Code function: | 0_2_0043B800 | |
Source: | Code function: | 0_2_00435ACB | |
Source: | Code function: | 0_2_00409D20 | |
Source: | Code function: | 0_2_0043AE30 | |
Source: | Code function: | 0_2_00414F10 | |
Source: | Code function: | 0_2_00421F80 | |
Source: | Code function: | 0_2_0041403B | |
Source: | Code function: | 0_2_0043A0D9 | |
Source: | Code function: | 0_2_00432140 | |
Source: | Code function: | 0_2_0041D128 | |
Source: | Code function: | 0_2_00424240 | |
Source: | Code function: | 0_2_00415216 | |
Source: | Code function: | 0_2_0043822F | |
Source: | Code function: | 0_2_0040D2C0 | |
Source: | Code function: | 0_2_0041B2A0 | |
Source: | Code function: | 0_2_00439461 | |
Source: | Code function: | 0_2_0043B470 | |
Source: | Code function: | 0_2_0041347E | |
Source: | Code function: | 0_2_004384D6 | |
Source: | Code function: | 0_2_004025E0 | |
Source: | Code function: | 0_2_00416582 | |
Source: | Code function: | 0_2_004216CE | |
Source: | Code function: | 0_2_004176E1 | |
Source: | Code function: | 0_2_00413722 | |
Source: | Code function: | 0_2_00411739 | |
Source: | Code function: | 0_2_0040F7CD | |
Source: | Code function: | 0_2_0041B930 | |
Source: | Code function: | 0_2_0043799B | |
Source: | Code function: | 0_2_00416A62 | |
Source: | Code function: | 0_2_00417A78 | |
Source: | Code function: | 0_2_00422B54 | |
Source: | Code function: | 0_2_00422B70 | |
Source: | Code function: | 0_2_00417BF5 | |
Source: | Code function: | 0_2_0041FBB5 | |
Source: | Code function: | 0_2_00410C5B | |
Source: | Code function: | 0_2_00416E69 | |
Source: | Code function: | 0_2_0040FED9 | |
Source: | Code function: | 0_2_00410F4D | |
Source: | Code function: | 0_2_0041EF19 | |
Source: | Code function: | 0_2_02EF42A2 | |
Source: | Code function: | 0_2_02F123A7 | |
Source: | Code function: | 0_2_02F1A340 | |
Source: | Code function: | 0_2_02EF70D0 | |
Source: | Code function: | 0_2_02F1B097 | |
Source: | Code function: | 0_2_02F021E7 | |
Source: | Code function: | 0_2_02EF11B4 | |
Source: | Code function: | 0_2_02EFF180 | |
Source: | Code function: | 0_2_02EF5177 | |
Source: | Code function: | 0_2_02EF0140 | |
Source: | Code function: | 0_2_02EF36E5 | |
Source: | Code function: | 0_2_02F1B6D7 | |
Source: | Code function: | 0_2_02F196C8 | |
Source: | Code function: | 0_2_02EF67E9 | |
Source: | Code function: | 0_2_02F1873D | |
Source: | Code function: | 0_2_02EF74A0 | |
Source: | Code function: | 0_2_02F044A7 | |
Source: | Code function: | 0_2_02EF547D | |
Source: | Code function: | 0_2_02EF55F7 | |
Source: | Code function: | 0_2_02EED527 | |
Source: | Code function: | 0_2_02F01517 | |
Source: | Code function: | 0_2_02EFB507 | |
Source: | Code function: | 0_2_02F1BA67 | |
Source: | Code function: | 0_2_02EEFA34 | |
Source: | Code function: | 0_2_02EFBB97 | |
Source: | Code function: | 0_2_02EE2847 | |
Source: | Code function: | 0_2_02EF19A0 | |
Source: | Code function: | 0_2_02EF3989 | |
Source: | Code function: | 0_2_02EF7948 | |
Source: | Code function: | 0_2_02EFD947 | |
Source: | Code function: | 0_2_02EF0EC2 | |
Source: | Code function: | 0_2_02F01E52 | |
Source: | Code function: | 0_2_02EF7E5C | |
Source: | Code function: | 0_2_02EE9F87 | |
Source: | Code function: | 0_2_02EF6CC9 | |
Source: | Code function: | 0_2_02EF7CDF | |
Source: | Code function: | 0_2_02F02DD7 | |
Source: | Code function: | 0_2_02F02DBB | |
Source: | Code function: | 0_2_02F15D32 |
Networking |
---|
Source: | Snort IDS: | ||
Source: | URLs: | ||
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | HTTP traffic detected: | ||
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | ||
Source: | Network traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | Code function: | 0_2_0042DDE0 |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Code function: | 0_2_00425183 | |
Source: | Code function: | 0_2_00421670 | |
Source: | Code function: | 0_2_00415B57 | |
Source: | Code function: | 0_2_00404C40 | |
Source: | Code function: | 0_2_00421F80 | |
Source: | Code function: | 0_2_00410060 | |
Source: | Code function: | 0_2_0041D128 | |
Source: | Code function: | 0_2_0043B130 | |
Source: | Code function: | 0_2_00408250 | |
Source: | Code function: | 0_2_00404260 | |
Source: | Code function: | 0_2_00403370 | |
Source: | Code function: | 0_2_0043B470 | |
Source: | Code function: | 0_2_00436480 | |
Source: | Code function: | 0_2_00406610 | |
Source: | Code function: | 0_2_004216CE | |
Source: | Code function: | 0_2_00403770 | |
Source: | Code function: | 0_2_00405890 | |
Source: | Code function: | 0_2_00406C20 | |
Source: | Code function: | 0_2_0041DD72 | |
Source: | Code function: | 0_2_00426E67 | |
Source: | Code function: | 0_2_00426F29 | |
Source: | Code function: | 0_2_00426FA0 | |
Source: | Code function: | 0_2_02EF02C7 | |
Source: | Code function: | 0_2_02EE1267 | |
Source: | Code function: | 0_2_02F07207 | |
Source: | Code function: | 0_2_02F053EA | |
Source: | Code function: | 0_2_02F1B397 | |
Source: | Code function: | 0_2_02F070CE | |
Source: | Code function: | 0_2_02F021E7 | |
Source: | Code function: | 0_2_02F07190 | |
Source: | Code function: | 0_2_02F166E7 | |
Source: | Code function: | 0_2_02F1B6D7 | |
Source: | Code function: | 0_2_02EE44C7 | |
Source: | Code function: | 0_2_02EE84B7 | |
Source: | Code function: | 0_2_02EE35D7 | |
Source: | Code function: | 0_2_02EE5AF7 | |
Source: | Code function: | 0_2_02EE6877 | |
Source: | Code function: | 0_2_02EE39D7 | |
Source: | Code function: | 0_2_02EE4EA7 | |
Source: | Code function: | 0_2_02EF5DBE |
Source: | Process created: |
Source: | Static PE information: |
Source: | Matched rule: | ||
Source: | Classification label: |
Source: | Code function: | 0_2_02FA3E16 |
Source: | Code function: | 0_2_0042A936 |
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | Binary or memory string: |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | File read: | Jump to behavior |
Source: | Process created: | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Data Obfuscation |
---|
Source: | Unpacked PE file: |
Source: | Code function: | 0_2_0043F5AD | |
Source: | Code function: | 0_2_0043FC65 | |
Source: | Code function: | 0_2_00440C17 | |
Source: | Code function: | 0_2_0043FC9D | |
Source: | Code function: | 0_2_0043FD87 | |
Source: | Code function: | 0_2_02EFEBA1 | |
Source: | Code function: | 0_2_02F0085B | |
Source: | Code function: | 0_2_02EFFE8C | |
Source: | Code function: | 0_2_02FA74BF | |
Source: | Code function: | 0_2_02FA8DBA |
Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion |
---|
Source: | System information queried: | Jump to behavior |
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Binary or memory string: | ||
Source: | Process information queried: | Jump to behavior |
Source: | Code function: | 0_2_00435B70 |
Source: | Code function: | 0_2_02EE092B | |
Source: | Code function: | 0_2_02EE0D90 | |
Source: | Code function: | 0_2_02FA36F3 |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | String found in binary or memory: | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Key value queried: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | WMI Queries: |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | String found in binary or memory: | ||
Source: | File opened: | Jump to behavior | ||
Source: | Directory queried: | Jump to behavior | ||
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: | ||
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 11 Virtualization/Sandbox Evasion | 1 OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 31 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | 2 Clipboard Data | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Software Packing | LSA Secrets | 12 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
44% | Virustotal | Browse | ||
34% | ReversingLabs | |||
100% | Avira | HEUR/AGEN.1318266 | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
11% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
2% | Virustotal | Browse | ||
13% | Virustotal | Browse | ||
11% | Virustotal | Browse | ||
2% | Virustotal | Browse | ||
2% | Virustotal | Browse | ||
2% | Virustotal | Browse | ||
17% | Virustotal | Browse | ||
12% | Virustotal | Browse | ||
13% | Virustotal | Browse | ||
18% | Virustotal | Browse | ||
2% | Virustotal | Browse |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
exceptionwillapews.shop | 104.21.44.10 | true | true | | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
| true | | unknown |
| true | | unknown |
| true | | unknown |
| true | | unknown |
| true | | unknown |
| true | | unknown |
| true | | unknown |
| true | | unknown |
| true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
104.21.44.10 | exceptionwillapews.shop | United States | | 13335 | CLOUDFLARENETUS | true |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1427868 |
Start date and time: | 2024-04-18 09:31:19 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 15s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 8 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | 5Dw2hTQmiB.exe (renamed because original name is a hash value) |
Original Sample Name: | 017adc7dfb6b77dd2c14f7f7a4933f1c.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@2/5@1/1 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.189.173.21
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
- HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
09:32:08 | API Interceptor | |
09:32:28 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
104.21.44.10 | Get hash | malicious | LummaC | Browse | |
| Get hash | malicious | LummaC | Browse | |
| Get hash | malicious | LummaC | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
exceptionwillapews.shop | Get hash | malicious | LummaC | Browse | |
| Get hash | malicious | LummaC | Browse | |
| Get hash | malicious | LummaC | Browse | |
| Get hash | malicious | LummaC | Browse | |
| Get hash | malicious | LummaC | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CLOUDFLARENETUS | Get hash | malicious | AgentTesla | Browse | |
| Get hash | malicious | LummaC | Browse | |
| Get hash | malicious | AgentTesla | Browse | |
| Get hash | malicious | AgentTesla | Browse | |
| Get hash | malicious | Havoc | Browse | |
| Get hash | malicious | Unknown | Browse | |
| Get hash | malicious | Havoc | Browse | |
| Get hash | malicious | AgentTesla | Browse | |
| Get hash | malicious | AgentTesla | Browse | |
| Get hash | malicious | Mirai | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | Remcos, DBatLoader | Browse | |
| Get hash | malicious | LummaC | Browse | |
| Get hash | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine | Browse | |
| Get hash | malicious | LummaC | Browse | |
| Get hash | malicious | Unknown | Browse | |
| Get hash | malicious | Unknown | Browse | |
| Get hash | malicious | LummaC | Browse | |
| Get hash | malicious | Remcos, DBatLoader | Browse | |
| Get hash | malicious | Unknown | Browse | |
| Get hash | malicious | RisePro Stealer | Browse | |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_5Dw2hTQmiB.exe_f9589b50e1a4a5348722d7f4bf92a1dd5f324c_ae7bb326_5ec02e5e-f042-4993-94d7-6d268217831f\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.993340172674728 |
Encrypted: | false |
SSDEEP: | 192:bttoXFilavWvs01eOcjs6FPzuiFvZ24IO8v:cilauf1eOcjVzuiFvY4IO8v |
MD5: | 05D4F2BF51FE617FB8CA13B234EA122F |
SHA1: | E3D9C6B70D3A927463B423AC5CB0416C4CB5F111 |
SHA-256: | BAE07CD56E4F1091CE0F12BC20544B37DA01463DAD4AF895A560CABE50B35FD9 |
SHA-512: | 7B47D99D9EDF2FCFFD6FD64BEE1683939E2F637757C1854648A9833E09EE4C8121B45F0105412A1045A25A62CD4895C3581AF7921C102E6D5989AC13BDFF30D0 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 48282 |
Entropy (8bit): | 2.7185011171529068 |
Encrypted: | false |
SSDEEP: | 192:E8ZzsX4UxvyY8/+0ObB0c4+FMV4iAjChSeV0TZHUaeJV2mwDO3:Nlsvb8ebB0c48MRAgVYOaIYmwS |
MD5: | E52E0F10F6CC628ABF707DAEBE734BDC |
SHA1: | CEC773FDA2647C7C16B031431B67F418CFF3641C |
SHA-256: | 0FB75FE7FDF53A2AF0BD94CE993A650CEFD9F7C60338AA60EDB2579925F56305 |
SHA-512: | 2D53E21390B5272A61F189118F15B40076B114B32830CDDDBA949808DF5445FEBA592A99B4C41B26E1970E1C9136694751F36365A14C8194FBC46FAF34990891 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8330 |
Entropy (8bit): | 3.699037868263828 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJRjL6P6Y9ZSU9kB6ZgmfYq4pDT89b7LsfpsJm:R6lXJVL6P6YTSU9kagmfYqx7QfR |
MD5: | 113E7B138A8E70ADE0BE346CAC91DB33 |
SHA1: | EB57CF8579F30034CBEA90EE9665194325B409DA |
SHA-256: | 191EDEA69EDCF81C0733652CF8B622374C5E6D4B3FF890DA1CBCC0E3C827D6EB |
SHA-512: | 5A4AB9E53FB1E1146D96F30BEC4DC561515313D56432B5697565A9F6A434B3629754AF94842160C63C197C9F1A9B7C6FA90732DDD1E6B65FD526ADE981677B06 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4579 |
Entropy (8bit): | 4.466680029337036 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsCJg77aI9e+SWpW8VYf8Ym8M4J+UFf+q8gn7G0Eldkd:uIjfQI7og7VAJV1G0+dkd |
MD5: | 9FC7A32DB40DB728741F8D41945887E6 |
SHA1: | 8F319BD0F7AAED009F62C95F1002449783457A83 |
SHA-256: | 9ABA85E4CF62BF9CFAD2A7812CABAAB5724A64387471FE7D009B20CA46C5D1D3 |
SHA-512: | C1E94EF45B3D77EC610D1E6725A2FFB31882DBCBC680ACAF793C84AF0848B1A99EA5A199121FC21D1999DE849467251F6151B59ED94991A7D8B49A437868B2DC |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1835008 |
Entropy (8bit): | 4.465450101094752 |
Encrypted: | false |
SSDEEP: | 6144:3IXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNWdwBCswSbzW:4XD94+WlLZMM6YFH8+zW |
MD5: | 628B8A0D5CFC5EA937EE4763253DAA39 |
SHA1: | CAA92D570FED0788C0ED65712506916157D83494 |
SHA-256: | C4ADC5AEE31273071E4722CD3AB5677A1DD47CFDF21E4774C59553BF53363E4A |
SHA-512: | 3EFCEAAC56BDAE5BFE9E3BD83944D779AEC604A4713CA5B53BFF187CF450DC8B5FDCA6C50E252B20937584DE45FF837C4F38FDEFDB06C383681CF00AEE9E1ED0 |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 6.450237567520108 |
TrID: | |
File name: | 5Dw2hTQmiB.exe |
File size: | 368'640 bytes |
MD5: | 017adc7dfb6b77dd2c14f7f7a4933f1c |
SHA1: | 1038aa153bfc7e29ffea56b13f24e6f98d7413d2 |
SHA256: | b2f99dd2c6fa0d0321832ac217f6a9842b4b27f3dbfff993547ba2c593573fba |
SHA512: | 591befa41de309c931e95c06ed1567cfe4dd4a2d4c340af20815f9255a2ccbb27401884cd72dd434c59c5b4a2b57d864f8298b871468adccf54b21771b3f187e |
SSDEEP: | 6144:mL755LpGJb1tny2qvdbgq/1aQQ826Tgtvbgi6GmKEaYTi:m5W1gwYg16U |
TLSH: | FB74E0E07EA0D435D15A8770BD29E6A81A2EBC71DAB5C1773764275E0E30290E63237F |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^......D...D...D..7D...D..!D~..D..&D3..D=w.D...D...Dk..D..(D...D..6D...D..3D...DRich...D................PE..L...I..d........... |
Icon Hash: | 67376767c3771667 |
Entrypoint: | 0x401869 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | TERMINAL_SERVER_AWARE |
Time Stamp: | 0x64BCBF49 [Sun Jul 23 05:48:57 2023 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | 96d5e40a6f183914c8bf0374fa1144d1 |
Instruction |
---|
call 00007F44948FC424h |
jmp 00007F44948F7CFEh |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
mov ecx, dword ptr [esp+04h] |
test ecx, 00000003h |
je 00007F44948F7EA6h |
mov al, byte ptr [ecx] |
add ecx, 01h |
test al, al |
je 00007F44948F7ED0h |
test ecx, 00000003h |
jne 00007F44948F7E71h |
add eax, 00000000h |
lea esp, dword ptr [esp+00000000h] |
lea esp, dword ptr [esp+00000000h] |
mov eax, dword ptr [ecx] |
mov edx, 7EFEFEFFh |
add edx, eax |
xor eax, FFFFFFFFh |
xor eax, edx |
add ecx, 04h |
test eax, 81010100h |
je 00007F44948F7E6Ah |
mov eax, dword ptr [ecx-04h] |
test al, al |
je 00007F44948F7EB4h |
test ah, ah |
je 00007F44948F7EA6h |
test eax, 00FF0000h |
je 00007F44948F7E95h |
test eax, FF000000h |
je 00007F44948F7E84h |
jmp 00007F44948F7E4Fh |
lea eax, dword ptr [ecx-01h] |
mov ecx, dword ptr [esp+04h] |
sub eax, ecx |
ret |
lea eax, dword ptr [ecx-02h] |
mov ecx, dword ptr [esp+04h] |
sub eax, ecx |
ret |
lea eax, dword ptr [ecx-03h] |
mov ecx, dword ptr [esp+04h] |
sub eax, ecx |
ret |
lea eax, dword ptr [ecx-04h] |
mov ecx, dword ptr [esp+04h] |
sub eax, ecx |
ret |
mov edi, edi |
push ebp |
mov ebp, esp |
sub esp, 20h |
mov eax, dword ptr [ebp+08h] |
push esi |
push edi |
push 00000008h |
pop ecx |
mov esi, 0040C204h |
lea edi, dword ptr [ebp-20h] |
rep movsd |
mov dword ptr [ebp-08h], eax |
mov eax, dword ptr [ebp+0Ch] |
pop edi |
mov dword ptr [ebp-04h], eax |
pop esi |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4a94c | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x282f000 | 0xda38 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xc000 | 0x188 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xa3bd | 0xa400 | 3f185b8c05939e71318b1e929175bce0 | False | 0.6194979039634146 | data | 6.577575934437442 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0xc000 | 0x3f22c | 0x3f400 | 8d1c30862dcec887de678b323ff1ffca | False | 0.6987671380928854 | data | 6.511816528649135 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x4c000 | 0x27e23e0 | 0x2800 | ca2debe8a9f46f406344c0157ef539f8 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x282f000 | 0xda38 | 0xdc00 | 3c37d4933d2289bb16215f68ab580a9f | False | 0.5068892045454545 | data | 5.354618519082868 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
BUCEJEZAPOCOWUVOY | 0x283b538 | 0x476 | ASCII text, with very long lines (1142), with no line terminators | Turkish | Turkey | 0.6243432574430823 |
RT_ICON | 0x282f580 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkish | Turkey | 0.43789978678038377 |
RT_ICON | 0x2830428 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkish | Turkey | 0.5735559566787004 |
RT_ICON | 0x2830cd0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkish | Turkey | 0.6422811059907834 |
RT_ICON | 0x2831398 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkish | Turkey | 0.6842485549132948 |
RT_ICON | 0x2831900 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Turkish | Turkey | 0.5378630705394191 |
RT_ICON | 0x2833ea8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkish | Turkey | 0.6110655737704918 |
RT_ICON | 0x2834830 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkish | Turkey | 0.6453900709219859 |
RT_ICON | 0x2834d00 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.44163113006396587 |
RT_ICON | 0x2835ba8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.5699458483754513 |
RT_ICON | 0x2836450 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.6071428571428571 |
RT_ICON | 0x2836b18 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.6755780346820809 |
RT_ICON | 0x2837080 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Turkish | Turkey | 0.3938796680497925 |
RT_ICON | 0x2839628 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Turkish | Turkey | 0.4303470919324578 |
RT_ICON | 0x283a6d0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Turkish | Turkey | 0.45368852459016396 |
RT_ICON | 0x283b058 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Turkish | Turkey | 0.4521276595744681 |
RT_STRING | 0x283bbb8 | 0x182 | data | | | 0.4948186528497409 |
RT_STRING | 0x283bd40 | 0x5c2 | data | | | 0.4369063772048847 |
RT_STRING | 0x283c308 | 0x13e | data | | | 0.5062893081761006 |
RT_STRING | 0x283c448 | 0x576 | data | | | 0.44778254649499283 |
RT_STRING | 0x283c9c0 | 0x78 | data | | | 0.6833333333333333 |
RT_ACCELERATOR | 0x283b9b0 | 0x28 | data | | | 1.0 |
RT_GROUP_ICON | 0x2834c98 | 0x68 | data | Turkish | Turkey | 0.7115384615384616 |
RT_GROUP_ICON | 0x283b4c0 | 0x76 | data | Turkish | Turkey | 0.6779661016949152 |
RT_VERSION | 0x283b9d8 | 0x1e0 | data | | | 0.5729166666666666 |
DLL | Import |
---|---|
KERNEL32.dll | GetDateFormatW, GetConsoleAliasesLengthW, GetLocaleInfoA, GetConsoleAliasExesLengthA, EnumCalendarInfoW, SetDefaultCommConfigW, SetFirmwareEnvironmentVariableA, GetComputerNameW, LockFile, FreeEnvironmentStringsA, GetModuleHandleW, IsBadReadPtr, EnumTimeFormatsA, SetCommState, GlobalAlloc, LoadLibraryW, FindNextVolumeW, GetAtomNameW, SetConsoleTitleA, GetProcAddress, GetProcessHeaps, CreateNamedPipeA, GetConsoleDisplayMode, BuildCommDCBW, LoadLibraryA, SetCurrentDirectoryW, WaitForMultipleObjects, GetModuleFileNameA, BuildCommDCBA, VirtualProtect, GetCurrentDirectoryA, SetCalendarInfoA, FindAtomW, LocalFileTimeToFileTime, GetLastError, HeapReAlloc, HeapAlloc, GetStartupInfoW, RaiseException, RtlUnwind, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapFree, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, Sleep, HeapSize, ExitProcess, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, HeapCreate, VirtualFree, VirtualAlloc, WriteFile, GetStdHandle, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, InitializeCriticalSectionAndSpinCount, WideCharToMultiByte, GetStringTypeA, MultiByteToWideChar, GetStringTypeW, LCMapStringA, LCMapStringW, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, CloseHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle, CreateFileA |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Turkish | Turkey |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
04/18/24-09:32:11.120979 | TCP | 2052049 | ET TROJAN Observed Lumma Stealer Related Domain (exceptionwillapews .shop in TLS SNI) | 49733 | 443 | 192.168.2.4 | 104.21.44.10 |
04/18/24-09:32:12.067364 | TCP | 2052049 | ET TROJAN Observed Lumma Stealer Related Domain (exceptionwillapews .shop in TLS SNI) | 49734 | 443 | 192.168.2.4 | 104.21.44.10 |
04/18/24-09:32:15.106009 | TCP | 2052049 | ET TROJAN Observed Lumma Stealer Related Domain (exceptionwillapews .shop in TLS SNI) | 49737 | 443 | 192.168.2.4 | 104.21.44.10 |
04/18/24-09:32:09.305940 | TCP | 2052049 | ET TROJAN Observed Lumma Stealer Related Domain (exceptionwillapews .shop in TLS SNI) | 49731 | 443 | 192.168.2.4 | 104.21.44.10 |
04/18/24-09:32:08.210974 | UDP | 2052048 | ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (exceptionwillapews .shop) | 60512 | 53 | 192.168.2.4 | 1.1.1.1 |
04/18/24-09:32:12.955304 | TCP | 2052049 | ET TROJAN Observed Lumma Stealer Related Domain (exceptionwillapews .shop in TLS SNI) | 49735 | 443 | 192.168.2.4 | 104.21.44.10 |
04/18/24-09:32:13.747309 | TCP | 2052049 | ET TROJAN Observed Lumma Stealer Related Domain (exceptionwillapews .shop in TLS SNI) | 49736 | 443 | 192.168.2.4 | 104.21.44.10 |
04/18/24-09:32:10.239652 | TCP | 2052049 | ET TROJAN Observed Lumma Stealer Related Domain (exceptionwillapews .shop in TLS SNI) | 49732 | 443 | 192.168.2.4 | 104.21.44.10 |
04/18/24-09:32:08.516255 | TCP | 2052049 | ET TROJAN Observed Lumma Stealer Related Domain (exceptionwillapews .shop in TLS SNI) | 49730 | 443 | 192.168.2.4 | 104.21.44.10 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 18, 2024 09:32:08.368251085 CEST | 49730 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:08.368303061 CEST | 443 | 49730 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:08.368421078 CEST | 49730 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:08.516254902 CEST | 49730 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:08.516324043 CEST | 443 | 49730 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:08.773271084 CEST | 443 | 49730 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:08.773354053 CEST | 49730 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:08.777960062 CEST | 49730 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:08.777973890 CEST | 443 | 49730 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:08.778474092 CEST | 443 | 49730 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:08.825519085 CEST | 49730 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:08.856029034 CEST | 49730 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:08.856064081 CEST | 49730 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:08.856496096 CEST | 443 | 49730 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:09.298695087 CEST | 443 | 49730 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:09.298813105 CEST | 443 | 49730 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:09.299016953 CEST | 49730 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:09.301043987 CEST | 49730 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:09.301076889 CEST | 443 | 49730 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:09.301107883 CEST | 49730 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:09.301124096 CEST | 443 | 49730 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:09.305552959 CEST | 49731 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:09.305598974 CEST | 443 | 49731 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:09.305682898 CEST | 49731 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:09.305939913 CEST | 49731 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:09.305960894 CEST | 443 | 49731 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:09.552851915 CEST | 443 | 49731 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:09.552983999 CEST | 49731 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:09.554116964 CEST | 49731 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:09.554140091 CEST | 443 | 49731 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:09.554630995 CEST | 443 | 49731 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:09.555768013 CEST | 49731 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:09.555808067 CEST | 49731 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:09.555882931 CEST | 443 | 49731 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:10.099344015 CEST | 443 | 49731 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:10.099390984 CEST | 443 | 49731 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:10.099428892 CEST | 443 | 49731 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:10.099492073 CEST | 443 | 49731 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:10.099522114 CEST | 443 | 49731 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:10.099543095 CEST | 443 | 49731 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:10.099567890 CEST | 49731 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:10.099567890 CEST | 49731 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:10.099601030 CEST | 443 | 49731 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:10.099617004 CEST | 49731 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:10.099872112 CEST | 443 | 49731 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:10.099900961 CEST | 443 | 49731 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:10.099922895 CEST | 49731 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:10.099931002 CEST | 443 | 49731 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:10.100003004 CEST | 49731 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:10.100387096 CEST | 443 | 49731 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:10.100483894 CEST | 443 | 49731 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:10.100521088 CEST | 443 | 49731 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:10.100549936 CEST | 49731 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:10.100555897 CEST | 443 | 49731 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:10.100569963 CEST | 443 | 49731 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:10.100608110 CEST | 49731 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:10.101427078 CEST | 443 | 49731 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:10.101517916 CEST | 49731 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:10.101625919 CEST | 49731 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:10.101641893 CEST | 443 | 49731 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:10.101672888 CEST | 49731 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:10.101679087 CEST | 443 | 49731 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:10.238833904 CEST | 49732 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:10.238920927 CEST | 443 | 49732 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:10.238997936 CEST | 49732 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:10.239651918 CEST | 49732 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:10.239686012 CEST | 443 | 49732 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:10.483084917 CEST | 443 | 49732 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:10.483166933 CEST | 49732 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:10.484668016 CEST | 49732 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:10.484678984 CEST | 443 | 49732 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:10.484998941 CEST | 443 | 49732 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:10.486361027 CEST | 49732 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:10.486517906 CEST | 49732 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:10.486547947 CEST | 443 | 49732 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:10.486613035 CEST | 49732 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:10.486620903 CEST | 443 | 49732 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:11.008991003 CEST | 443 | 49732 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:11.009274006 CEST | 443 | 49732 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:11.009366035 CEST | 49732 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:11.010610104 CEST | 49732 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:11.010663986 CEST | 443 | 49732 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:11.120501041 CEST | 49733 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:11.120548010 CEST | 443 | 49733 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:11.120650053 CEST | 49733 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:11.120979071 CEST | 49733 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:11.120992899 CEST | 443 | 49733 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:11.359489918 CEST | 443 | 49733 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:11.359679937 CEST | 49733 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:11.361378908 CEST | 49733 | 443 | 192.168.2.4 | 104.21.44.10 |
Apr 18, 2024 09:32:11.361390114 CEST | 443 | 49733 | 104.21.44.10 | 192.168.2.4 |
Apr 18, 2024 09:32:11.361619949 CEST | 443 | 49733 | 104.21.44.10 | 192.168.2.4 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 18, 2024 09:32:08.210973978 CEST | 60512 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 18, 2024 09:32:08.363225937 CEST | 53 | 60512 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Apr 18, 2024 09:32:08.210973978 CEST | 192.168.2.4 | 1.1.1.1 | 0xe8a | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Apr 18, 2024 09:32:08.363225937 CEST | 1.1.1.1 | 192.168.2.4 | 0xe8a | No error (0) | | | 104.21.44.10 | A (IP address) | IN (0x0001) | false |
Apr 18, 2024 09:32:08.363225937 CEST | 1.1.1.1 | 192.168.2.4 | 0xe8a | No error (0) | | | 172.67.192.201 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.4 | 49730 | 104.21.44.10 | 443 | 6988 | C:\Users\user\Desktop\5Dw2hTQmiB.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-04-18 07:32:08 UTC | 270 | OUT | |
2024-04-18 07:32:08 UTC | 8 | OUT | |
2024-04-18 07:32:09 UTC | 814 | IN | |
2024-04-18 07:32:09 UTC | 7 | IN | |
2024-04-18 07:32:09 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.4 | 49731 | 104.21.44.10 | 443 | 6988 | C:\Users\user\Desktop\5Dw2hTQmiB.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-04-18 07:32:09 UTC | 271 | OUT | |
2024-04-18 07:32:09 UTC | 52 | OUT | |
2024-04-18 07:32:10 UTC | 814 | IN | |
2024-04-18 07:32:10 UTC | 555 | IN | |
2024-04-18 07:32:10 UTC | 951 | IN | |
2024-04-18 07:32:10 UTC | 1369 | IN | |
2024-04-18 07:32:10 UTC | 1369 | IN | |
2024-04-18 07:32:10 UTC | 1369 | IN | |
2024-04-18 07:32:10 UTC | 1369 | IN | |
2024-04-18 07:32:10 UTC | 1369 | IN | |
2024-04-18 07:32:10 UTC | 1369 | IN | |
2024-04-18 07:32:10 UTC | 1369 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.4 | 49732 | 104.21.44.10 | 443 | 6988 | C:\Users\user\Desktop\5Dw2hTQmiB.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-04-18 07:32:10 UTC | 289 | OUT | |
2024-04-18 07:32:10 UTC | 15331 | OUT | |
2024-04-18 07:32:10 UTC | 2830 | OUT | |
2024-04-18 07:32:11 UTC | 816 | IN | |
2024-04-18 07:32:11 UTC | 20 | IN | |
2024-04-18 07:32:11 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.4 | 49733 | 104.21.44.10 | 443 | 6988 | C:\Users\user\Desktop\5Dw2hTQmiB.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-04-18 07:32:11 UTC | 288 | OUT | |
2024-04-18 07:32:11 UTC | 8782 | OUT | |
2024-04-18 07:32:11 UTC | 808 | IN | |
2024-04-18 07:32:11 UTC | 20 | IN | |
2024-04-18 07:32:11 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.4 | 49734 | 104.21.44.10 | 443 | 6988 | C:\Users\user\Desktop\5Dw2hTQmiB.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-04-18 07:32:12 UTC | 289 | OUT | |
2024-04-18 07:32:12 UTC | 15331 | OUT | |
2024-04-18 07:32:12 UTC | 5104 | OUT | |
2024-04-18 07:32:12 UTC | 810 | IN | |
2024-04-18 07:32:12 UTC | 20 | IN | |
2024-04-18 07:32:12 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.4 | 49735 | 104.21.44.10 | 443 | 6988 | C:\Users\user\Desktop\5Dw2hTQmiB.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-04-18 07:32:13 UTC | 288 | OUT | |
2024-04-18 07:32:13 UTC | 5436 | OUT | |
2024-04-18 07:32:13 UTC | 808 | IN | |
2024-04-18 07:32:13 UTC | 20 | IN | |
2024-04-18 07:32:13 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.4 | 49736 | 104.21.44.10 | 443 | 6988 | C:\Users\user\Desktop\5Dw2hTQmiB.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-04-18 07:32:13 UTC | 288 | OUT | |
2024-04-18 07:32:13 UTC | 1391 | OUT | |
2024-04-18 07:32:14 UTC | 820 | IN | |
2024-04-18 07:32:14 UTC | 20 | IN | |
2024-04-18 07:32:14 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.4 | 49737 | 104.21.44.10 | 443 | 6988 | C:\Users\user\Desktop\5Dw2hTQmiB.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-04-18 07:32:15 UTC | 290 | OUT | |
2024-04-18 07:32:15 UTC | 15331 | OUT | |
2024-04-18 07:32:15 UTC | 15331 | OUT | |
2024-04-18 07:32:15 UTC | 15331 | OUT | |
2024-04-18 07:32:15 UTC | 15331 | OUT | |
2024-04-18 07:32:15 UTC | 15331 | OUT | |
2024-04-18 07:32:15 UTC | 15331 | OUT | |
2024-04-18 07:32:15 UTC | 15331 | OUT | |
2024-04-18 07:32:15 UTC | 15331 | OUT | |
2024-04-18 07:32:15 UTC | 15331 | OUT | |
2024-04-18 07:32:15 UTC | 15331 | OUT | |
2024-04-18 07:32:16 UTC | 820 | IN |
Target ID: | 0 |
Start time: | 09:32:06 |
Start date: | 18/04/2024 |
Path: | C:\Users\user\Desktop\5Dw2hTQmiB.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 368'640 bytes |
MD5 hash: | 017ADC7DFB6B77DD2C14F7F7A4933F1C |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 3 |
Start time: | 09:32:16 |
Start date: | 18/04/2024 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x770000 |
File size: | 483'680 bytes |
MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Execution Graph
Execution Coverage: | 7.7% |
Dynamic/Decrypted Code Coverage: | 9% |
Signature Coverage: | 21.1% |
Total number of Nodes: | 332 |
Total number of Limit Nodes: | 19 |
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
00421670 | 10.5 | | 8 | 515 | COMMON |
004216CE | 10.5 | | 8 | 462 | COMMON |
00409D20 | 6.7 | | 5 | 468 | COMMON |
00404C40 | 5.5 | | 4 | 498 | COMMON |
02FA3E16 | 3.0 | 2 | | 41 | process, COMMON |
00421F80 | 2.9 | | 2 | 369 | COMMON |
004212B0 | 2.8 | | 2 | 263 | COMMON |
00435ACB | 1.5 | 1 | | 41 | memory, COMMON |
00435B70 | 1.5 | 1 | | 16 | library, COMMON |
0043AE30 | 1.5 | | 1 | 257 | COMMON |
0043B800 | 1.5 | | 1 | 221 | COMMON |
00415390 | 1.3 | | 1 | 85 | COMMON |
00417239 | .3 | | | 310 | COMMON |
00414F10 | .1 | | | 146 | COMMON |
0042A936 | .0 | | | 22 | COMMON |
0042A245 | 14.1 | 1 | 7 | 83 | memory, COMMON |
02EE003C | 12.8 | 5 | 2 | 515 | memory, COMMON |
004383AD | 3.6 | 1 | 1 | 76 | library, COMMON |
004391C0 | 3.6 | 1 | 1 | 52 | memory, COMMON |
004359F0 | 3.5 | 1 | 1 | 44 | memory, COMMON |
0042E6AB | 3.1 | 2 | | 63 | COMMON |
02EE0E0F | 3.0 | 2 | | 15 | COMMON |
00438312 | 1.5 | 1 | | 36 | library, COMMON |
0043914C | 1.5 | 1 | | 34 | memory, COMMON |
02FA3AD5 | 1.3 | 1 | | 48 | memory, COMMON |
0042DDE0 | 21.2 | 6 | 6 | 153 | clipboard, COMMON |
02EFF180 | 15.5 | | 12 | 473 | COMMON |
0041EF19 | 15.5 | | 12 | 473 | COMMON |
0041FBB5 | 15.5 | | 12 | 465 | COMMON |
02EEFA34 | 13.8 | | 11 | 100 | COMMON |
0040F7CD | 13.8 | | 11 | 100 | COMMON |
02F044A7 | 9.0 | | 7 | 223 | COMMON |
00424240 | 9.0 | | 7 | 223 | COMMON |
0041D128 | 6.7 | | 5 | 493 | COMMON |
02EE9F87 | 6.7 | | 5 | 468 | COMMON |
02EE4EA7 | 5.5 | | 4 | 498 | COMMON |
02F1B6D7 | 4.1 | | 3 | 313 | COMMON |
0043B470 | 4.1 | | 3 | 313 | COMMON |
02EE092B | 3.8 | | 3 | 90 | COMMON |
02F053EA | 3.6 | | 2 | 1113 | COMMON |
02EE5AF7 | 3.4 | | 2 | 859 | COMMON |
00405890 | 3.4 | | 2 | 859 | COMMON |
02F070CE | 3.3 | | 2 | 794 | COMMON |
00426E67 | 3.3 | | 2 | 794 | COMMON |
02F021E7 | 2.9 | | 2 | 369 | COMMON |
02EF70D0 | 2.8 | | 2 | 266 | COMMON |
00416E69 | 2.8 | | 2 | 266 | COMMON |
02F01517 | 2.8 | | 2 | 263 | COMMON |
02F1873D | 2.6 | | 2 | 138 | COMMON |
02F166E7 | 1.9 | | 1 | 632 | COMMON |
00436480 | 1.9 | | 1 | 632 | COMMON |
02EF5DBE | 1.7 | | 1 | 431 | COMMON |
02F07190 | 1.7 | | 1 | 410 | COMMON |
00426F29 | 1.7 | | 1 | 410 | COMMON |
02F07207 | 1.6 | | 1 | 367 | COMMON |
00426FA0 | 1.6 | | 1 | 367 | COMMON |
02EFBB97 | 1.6 | | 1 | 325 | COMMON |
0041B930 | 1.6 | | 1 | 325 | COMMON |
02EFB507 | 1.6 | | 1 | 312 | COMMON |
0041B2A0 | 1.6 | | 1 | 312 | COMMON |
02F1B397 | 1.5 | | 1 | 292 | COMMON |
0043B130 | 1.5 | | 1 | 292 | COMMON |
00406C20 | 1.5 | | 1 | 262 | COMMON |
02F1B097 | 1.5 | | 1 | 257 | COMMON |
02EF0EC2 | 1.5 | | 1 | 234 | COMMON |
00410C5B | 1.5 | | 1 | 234 | COMMON |
02F1BA67 | 1.5 | | 1 | 221 | COMMON |
02EF7948 | 1.4 | | 1 | 103 | COMMON |
004176E1 | 1.4 | | 1 | 103 | COMMON |
02EF55F7 | 1.3 | | 1 | 85 | COMMON |
02EF3989 | 1.3 | | 1 | 77 | COMMON |
00413722 | 1.3 | | 1 | 77 | COMMON |
02EF36E5 | 1.3 | | 1 | 69 | COMMON |
0041347E | 1.3 | | 1 | 69 | COMMON |
02F02DD7 | 1.3 | | 1 | 53 | COMMON |
00422B70 | 1.3 | | 1 | 53 | COMMON |
02F02DBB | 1.3 | | 1 | 27 | COMMON |
00422B54 | 1.3 | | 1 | 27 | COMMON |
02EF42A2 | 1.3 | | 1 | 26 | COMMON |
0041403B | 1.3 | | 1 | 26 | COMMON |
02EE84B7 | .8 | | | 838 | COMMON |
00408250 | .8 | | | 838 | COMMON |
02EE39D7 | .7 | | | 740 | COMMON |
00403770 | .7 | | | 740 | COMMON |
02EE44C7 | .6 | | | 607 | COMMON |
00404260 | .6 | | | 607 | COMMON |
02EE1267 | .5 | | | 536 | COMMON |
02EF19A0 | .5 | | | 509 | COMMON |
00411739 | .5 | | | 509 | COMMON |
02EE6877 | .5 | | | 473 | COMMON |
00406610 | .5 | | | 473 | COMMON |
02EF7E5C | .3 | | | 341 | COMMON |
00417BF5 | .3 | | | 341 | COMMON |
02EF74A0 | .3 | | | 310 | COMMON |
0041DD72 | .2 | | | 250 | COMMON |
02EF11B4 | .2 | | | 249 | COMMON |
00410F4D | .2 | | | 249 | COMMON |
02EF6CC9 | .2 | | | 222 | COMMON |
00416A62 | .2 | | | 222 | COMMON |
02EF5177 | .1 | | | 146 | COMMON |
02EF02C7 | .1 | | | 129 | COMMON |
00410060 | .1 | | | 129 | COMMON |
02EF547D | .1 | | | 128 | COMMON |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00415216 Relevance: .1, Instructions: 128COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0043822F Relevance: .1, Instructions: 107COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02EE35D7 Relevance: .1, Instructions: 100COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00403370 Relevance: .1, Instructions: 100COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02EE2847 Relevance: .1, Instructions: 95COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02EF7CDF Relevance: .1, Instructions: 95COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00417A78 Relevance: .1, Instructions: 95COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004025E0 Relevance: .1, Instructions: 95COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02F123A7 Relevance: .1, Instructions: 64COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00432140 Relevance: .1, Instructions: 64COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0043799B Relevance: .1, Instructions: 62COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02FA36F3 Relevance: .1, Instructions: 61COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02EFD947 Relevance: .1, Instructions: 55COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02EE0D90 Relevance: .0, Instructions: 43COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02F15D32 Relevance: .0, Instructions: 41COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02F1A340 Relevance: .0, Instructions: 35COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0043A0D9 Relevance: .0, Instructions: 35COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02EED527 Relevance: .0, Instructions: 26COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040D2C0 Relevance: .0, Instructions: 26COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02EF0140 Relevance: .0, Instructions: 14COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040FED9 Relevance: .0, Instructions: 14COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02EF67E9 Relevance: .0, Instructions: 12COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00416582 Relevance: .0, Instructions: 12COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02F196C8 Relevance: .0, Instructions: 9COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00439461 Relevance: .0, Instructions: 9COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02F01E52 Relevance: .0, Instructions: 7COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02F0E047 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 153clipboardCOMMON
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
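The function headers above come in two copies at a constant address delta, and pairing them by instruction count alone is ambiguous (four functions have 95 instructions, three have 26). The script below is an added example, not code from the Joe Sandbox report or the sandbox itself: it parses header lines in the listing's flattened format (counts with the COMMON/clipboard tags fused onto them), votes the delta between the two mappings from same-count candidates, then pairs by exact delta. It assumes the image base 0x00400000 and a 1 MiB image extent from the 0x004xxxxx addresses; the embedded headers are a subset copied from the listing above.

```python
import re
from collections import Counter

# A subset of the function headers, copied verbatim from the report listing.
# Extraction fused the similarity/behaviour tags ("COMMON", "clipboard")
# onto the instruction count, which the regex below separates again.
LISTING = """
Function 0041403B Relevance: 1.3, Strings: 1, Instructions: 26COMMON
Function 02EE84B7 Relevance: .8, Instructions: 838COMMON
Function 00408250 Relevance: .8, Instructions: 838COMMON
Function 02EE39D7 Relevance: .7, Instructions: 740COMMON
Function 00403770 Relevance: .7, Instructions: 740COMMON
Function 02EE1267 Relevance: .5, Instructions: 536COMMON
Function 02EE2847 Relevance: .1, Instructions: 95COMMON
Function 02EF7CDF Relevance: .1, Instructions: 95COMMON
Function 00417A78 Relevance: .1, Instructions: 95COMMON
Function 004025E0 Relevance: .1, Instructions: 95COMMON
Function 02EED527 Relevance: .0, Instructions: 26COMMON
Function 0040D2C0 Relevance: .0, Instructions: 26COMMON
Function 02F0E047 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 153clipboardCOMMON
"""

HEADER_RE = re.compile(
    r"Function\s+(?P<addr>[0-9A-Fa-f]{8})\s+Relevance:\s*(?P<rel>[\d.]+)"
    r"(?:,\s*APIs:\s*(?P<apis>\d+))?"
    r"(?:,\s*Strings:\s*(?P<strings>\d+))?"
    r",\s*Instructions:\s*(?P<instr>\d+)(?P<tags>[A-Za-z]*)"
)

# Assumption: the sample's image base and extent, inferred from the 0x004xxxxx addresses.
IMAGE_BASE = 0x00400000
IMAGE_SIZE = 0x100000


def parse_listing(text):
    """Parse flattened 'Function ... Instructions: NtagTAG' header lines."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if not m:
            continue
        # Fused tags split on case boundaries: "clipboardCOMMON" -> ["clipboard", "COMMON"]
        tags = re.findall(r"[A-Z]+|[a-z]+", m.group("tags"))
        entries.append({
            "addr": int(m.group("addr"), 16),
            "relevance": float(m.group("rel")),
            "apis": int(m.group("apis") or 0),
            "strings": int(m.group("strings") or 0),
            "instructions": int(m.group("instr")),
            "tags": tags,
        })
    return entries


def in_image(addr):
    return IMAGE_BASE <= addr < IMAGE_BASE + IMAGE_SIZE


def infer_delta(image, dumped):
    """Vote the (dumped - image) delta over all same-instruction-count candidate
    pairs. Equal counts alone are ambiguous, so the most frequent delta wins."""
    by_count = {}
    for e in image:
        by_count.setdefault(e["instructions"], []).append(e)
    votes = Counter()
    for d in dumped:
        for i in by_count.get(d["instructions"], []):
            votes[d["addr"] - i["addr"]] += 1
    return votes.most_common(1)[0][0] if votes else None


def pair_mappings(entries):
    """Return (delta, pairs, unpaired). pairs are (image_addr, dumped_addr);
    unpaired are (dumped_addr, projected_image_addr) for dumped functions whose
    projected image-side address is absent from the listing."""
    image = [e for e in entries if in_image(e["addr"])]
    dumped = [e for e in entries if not in_image(e["addr"])]
    delta = infer_delta(image, dumped)
    if delta is None:
        return None, [], [(d["addr"], None) for d in dumped]
    by_addr = {e["addr"]: e for e in image}
    pairs, unpaired = [], []
    for d in dumped:
        i = by_addr.get(d["addr"] - delta)
        if i is not None and i["instructions"] == d["instructions"]:
            pairs.append((i["addr"], d["addr"]))
        else:
            unpaired.append((d["addr"], d["addr"] - delta))
    return delta, pairs, unpaired


if __name__ == "__main__":
    delta, pairs, unpaired = pair_mappings(parse_listing(LISTING))
    print(f"delta = 0x{delta:08X}, {len(pairs)} paired, {len(unpaired)} dump-only")
    for img, dmp in pairs:
        print(f"  {img:08X} <-> {dmp:08X}")
    for dmp, proj in unpaired:
        print(f"  {dmp:08X} (image side would be {proj:08X}, not in listing)")
```

Pairing by exact delta rather than by count resolves the 95-instruction group correctly (02EE2847 pairs with 004025E0 and 02EF7CDF with 00417A78) and flags dump-only functions such as 02F0E047, whose projected image address is where one would look in the original binary for the clipboard routine.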