Edit tour
Windows
Analysis Report
xQXHoWMKoa.exe
Overview
General Information
| Sample name: | xQXHoWMKoa.exerenamed because original name is a hash value |
| Original sample name: | b6e4dc4fd0cc50fbb1236fe1108b886d.exe |
| Analysis ID: | 1428892 |
| MD5: | b6e4dc4fd0cc50fbb1236fe1108b886d |
| SHA1: | ca17fc4111dbc08551aabe0e890c337448a19eda |
| SHA256: | 114aa6cb595ed49423707788c3a06a79e250d23d0615108cbb3fb5bdd20af5c8 |
| Tags: | 32exetrojan |
| Infos: |  |
 | |
Detection
GCleaner
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected GCleaner
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara signature match
Classification
- System is w10x64
xQXHoWMKoa.exe (PID: 1088 cmdline: "C:\Users\ user\Deskt op\xQXHoWM Koa.exe" MD5: B6E4DC4FD0CC50FBB1236FE1108B886D) 
WerFault.exe (PID: 1720 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 1 088 -s 732 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 1084 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 1 088 -s 752 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 2640 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 1 088 -s 768 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 5888 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 1 088 -s 780 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 3636 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 1 088 -s 920 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 5504 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 1 088 -s 102 0 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 6472 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 1 088 -s 136 4 MD5: C31336C1EFC2CCB44B4326EA793040F2) 
cmd.exe (PID: 1680 cmdline: "C:\Window s\System32 \cmd.exe" /c taskkil l /im "xQX HoWMKoa.ex e" /f & er ase "C:\Us ers\user\D esktop\xQX HoWMKoa.ex e" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 3648 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
taskkill.exe (PID: 3752 cmdline: taskkill / im "xQXHoW MKoa.exe" /f MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| GCleaner | No Attribution |
{"C2 addresses": ["185.172.128.90"]}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
| |
| JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security | ||
| JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security | ||
| Windows_Trojan_Smokeloader_3687686f | unknown | unknown |
| |
| JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security | ||
| JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security | ||
| JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security | ||
| JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security | ||
| JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security | ||
| Click to see the 1 entries | ||||
⊘No Sigma rule has matched
| Timestamp: | 04/19/24-19:24:58.164548 |
| SID: | 2856233 |
| Source Port: | 49705 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | Joe Sandbox ML: | ||
Compliance | |
|---|
| Source: | Unpacked PE file: | ||
| Source: | Static PE information: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_0041583F | |
| Source: | Code function: | 0_2_03655AA6 | |
Networking | |
|---|
| Source: | Snort IDS: | ||
| Source: | IPs: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Code function: | 0_2_00404710 | |
| Source: | Code function: | 0_2_00409860 | |
| Source: | Code function: | 0_2_0041813E | |
| Source: | Code function: | 0_2_00413C49 | |
| Source: | Code function: | 0_2_00413464 | |
| Source: | Code function: | 0_2_00421D0A | |
| Source: | Code function: | 0_2_036583A5 | |
| Source: | Code function: | 0_2_03649AC7 | |
| Source: | Code function: | 0_2_03644977 | |
| Source: | Code function: | 0_2_036536CB | |
| Source: | Process created: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_01C7F1BE | |
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Command line argument: | 0_2_00404710 | |
| Source: | Command line argument: | 0_2_03644977 | |
| Source: | Command line argument: | 0_2_03644977 | |
| Source: | Command line argument: | 0_2_03644977 | |
| Source: | Static PE information: | ||
| Source: | WMI Queries: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Section loaded: | |||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
Data Obfuscation | |
|---|
| Source: | Unpacked PE file: | ||
| Source: | Unpacked PE file: | ||
| Source: | Code function: | 0_2_00424AC9 | |
| Source: | Code function: | 0_2_00408591 | |
| Source: | Code function: | 0_2_01C82198 | |
| Source: | Code function: | 0_2_01C82976 | |
| Source: | Code function: | 0_2_01C818CA | |
| Source: | Code function: | 0_2_01C830A0 | |
| Source: | Code function: | 0_2_01C813B7 | |
| Source: | Code function: | 0_2_01C822BC | |
| Source: | Code function: | 0_2_01C82260 | |
| Source: | Code function: | 0_2_01C84CA2 | |
| Source: | Code function: | 0_2_01C837F3 | |
| Source: | Code function: | 0_2_01C837F3 | |
| Source: | Code function: | 0_2_01C83FA2 | |
| Source: | Code function: | 0_2_01C837F3 | |
| Source: | Code function: | 0_2_01C837F3 | |
| Source: | Code function: | 0_2_01C83FA2 | |
| Source: | Code function: | 0_2_01C837F3 | |
| Source: | Code function: | 0_2_01C837F3 | |
| Source: | Code function: | 0_2_01C7FF75 | |
| Source: | Code function: | 0_2_01C83FA2 | |
| Source: | Code function: | 0_2_01C7FF51 | |
| Source: | Code function: | 0_2_03654217 | |
| Source: | Code function: | 0_2_0365480E | |
| Source: | Code function: | 0_2_0365C709 | |
| Source: | Code function: | 0_2_036487F8 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | |||
| Source: | API coverage: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Last function: | ||
| Source: | Code function: | 0_2_0041583F | |
| Source: | Code function: | 0_2_03655AA6 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_0040C17B | |
| Source: | Code function: | 0_2_00411192 | |
| Source: | Code function: | 0_2_0040C681 | |
| Source: | Code function: | 0_2_01C7EA9B | |
| Source: | Code function: | 0_2_0364092B | |
| Source: | Code function: | 0_2_036513F9 | |
| Source: | Code function: | 0_2_0364C8E8 | |
| Source: | Code function: | 0_2_03640D90 | |
| Source: | Code function: | 0_2_00416A7C | |
| Source: | Process token adjusted: | ||
| Source: | Code function: | 0_2_00408809 | |
| Source: | Code function: | 0_2_0040C17B | |
| Source: | Code function: | 0_2_00407C96 | |
| Source: | Code function: | 0_2_00408675 | |
| Source: | Code function: | 0_2_0364C3E2 | |
| Source: | Code function: | 0_2_03648A70 | |
| Source: | Code function: | 0_2_036488DC | |
| Source: | Code function: | 0_2_03647EFD | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00408873 | |
| Source: | Code function: | 0_2_0041897A | |
| Source: | Code function: | 0_2_0041892F | |
| Source: | Code function: | 0_2_00418A15 | |
| Source: | Code function: | 0_2_00418AA0 | |
| Source: | Code function: | 0_2_004112A2 | |
| Source: | Code function: | 0_2_00418CF3 | |
| Source: | Code function: | 0_2_00418E19 | |
| Source: | Code function: | 0_2_0041868D | |
| Source: | Code function: | 0_2_00418F1F | |
| Source: | Code function: | 0_2_004117C4 | |
| Source: | Code function: | 0_2_00418FEE | |
| Source: | Code function: | 0_2_03658BE1 | |
| Source: | Code function: | 0_2_03658B96 | |
| Source: | Code function: | 0_2_03659255 | |
| Source: | Code function: | 0_2_03651A2B | |
| Source: | Code function: | 0_2_03659186 | |
| Source: | Code function: | 0_2_036588F4 | |
| Source: | Code function: | 0_2_03659080 | |
| Source: | Code function: | 0_2_03658F5A | |
| Source: | Code function: | 0_2_03658D07 | |
| Source: | Code function: | 0_2_03651509 | |
| Source: | Code function: | 0_2_03658C7C | |
| Source: | Code function: | 0_2_0040CA21 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 41 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Virtualization/Sandbox Evasion | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | 33 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 42% | ReversingLabs | Win32.Trojan.Stealerc | ||
| 100% | Avira | HEUR/AGEN.1361904 | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true | unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 185.172.128.90 | unknown | Russian Federation | 50916 | NADYMSS-ASRU | true |
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1428892 |
| Start date and time: | 2024-04-19 19:24:05 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 19s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 22 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | xQXHoWMKoa.exerenamed because original name is a hash value |
| Original Sample Name: | b6e4dc4fd0cc50fbb1236fe1108b886d.exe |
| Detection: | MAL |
| Classification: | mal100.troj.evad.winEXE@13/30@0/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 52.165.165.26, 20.3.187.198, 13.85.23.206
- Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: xQXHoWMKoa.exe
⊘No simulations
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 185.172.128.90 | Get hash | malicious | Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT | Browse |
| |
| Get hash | malicious | Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT | Browse |
| ||
| Get hash | malicious | Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT | Browse |
| ||
| Get hash | malicious | GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer | Browse |
| ||
| Get hash | malicious | Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT | Browse |
| ||
| Get hash | malicious | GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer | Browse |
| ||
| Get hash | malicious | Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT | Browse |
| ||
| Get hash | malicious | GCleaner | Browse |
| ||
| Get hash | malicious | Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT | Browse |
| ||
| Get hash | malicious | Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| bg.microsoft.map.fastly.net | Get hash | malicious | AgentTesla | Browse |
| |
| Get hash | malicious | CobaltStrike | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla, GuLoader | Browse |
| ||
| Get hash | malicious | Phisher | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | Python Stealer | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| NADYMSS-ASRU | Get hash | malicious | LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer | Browse |
| |
| Get hash | malicious | Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT | Browse |
| ||
| Get hash | malicious | Mars Stealer, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | Mars Stealer, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | Glupteba, PureLog Stealer, zgRAT | Browse |
| ||
| Get hash | malicious | Mars Stealer, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | Mars Stealer, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | Mars Stealer, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | Mars Stealer, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | Mars Stealer, Stealc, Vidar | Browse |
|
⊘No context
⊘No context
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_xQXHoWMKoa.exe_68a8f9de9bf6d6157d3cafcf5c5a1acbef520ae_fef8e22e_0bdc8d69-8e2d-4916-98f4-e240f78a9879\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.831836904485459 |
| Encrypted: | false |
| SSDEEP: | 96:oQg6sEhq7oA7JfdQXIDcQnc6rCcEhcw3r7+HbHg/8BRTf3ZFEOyKZj8OWEADKVh0:46wu056rQjpazuiFQZ24IO8LA |
| MD5: | 524A293EBD3FACBB576B8B0BA02F17A7 |
| SHA1: | 0D22E36BD5182FB70C0C0DAF6BAEF847578382DA |
| SHA-256: | FA98D85C95565670B904E103C52BDB3F499BC86368BA47ABAACB28B07E639FED |
| SHA-512: | B635E49B414357B2332936A4973550D7070668578982A8765C05E37A6B848553D26CCCFF8E11D3B7D10767F3DDF5794EB8B60CC1EEE16A88484A99257BCEF330 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_xQXHoWMKoa.exe_68a8f9de9bf6d6157d3cafcf5c5a1acbef520ae_fef8e22e_6e2e51db-5a06-4548-9b3d-af2c418b903c\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.8316513282031528 |
| Encrypted: | false |
| SSDEEP: | 96:6egLtg3sEhq7oA7JfdQXIDcQnc6rCcEhcw3r7+HbHg/8BRTf3ZFEOyKZj8OWEADf:kL63wu056rQjpazuiFQZ24IO8LA |
| MD5: | 6286186ADA067A84B774CBA0E7BB72B4 |
| SHA1: | 12F0ED1222D9F2972D8C0DB85B743132692C229F |
| SHA-256: | 11598C8392606CA84A5EBB4797D79934AC6F310121B44230B29617148A955B26 |
| SHA-512: | E86285C01F4D004BD06675CA5521BB8DDCC57CD337E4D8734D7C6C5FAF5520FB555C9703D2D207E23C8BD72CF2B7FB3A42A465BE37B1DEF98234F14D36B1BC67 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_xQXHoWMKoa.exe_68a8f9de9bf6d6157d3cafcf5c5a1acbef520ae_fef8e22e_74f6d4fe-d78d-47bf-aecf-6d5b1c3ba39f\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.9289089646006553 |
| Encrypted: | false |
| SSDEEP: | 96:A5cPg01sEhq7oA7JfdQXIDcQnc6rCcEhcw3r7+HbHg/8BRTf3ZFEOyKZj8OWEADv:V4Owu056rQjpU7zuiFQZ24IO8LA |
| MD5: | A2F6E1C630E5B72DEB1D906DC3A3C12B |
| SHA1: | 37C02923920BF51630064C618F1348A45A723BC6 |
| SHA-256: | 14C73A77DD822764981A1E20C1712A69F274893F18099ABCF64258BF1398A7F3 |
| SHA-512: | 2E7AD6500ED6E3CD3E742BEAC48C472C4FC663263F49CD0F07AE6EE27C52F0BD8C4395B7AB203E3267029E1D9B60B16FB2909ADEF96DBC61CE0B29655EA01730 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_xQXHoWMKoa.exe_68a8f9de9bf6d6157d3cafcf5c5a1acbef520ae_fef8e22e_7dcbb10b-df83-4e6f-9b63-5201c606b345\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.8320609326653187 |
| Encrypted: | false |
| SSDEEP: | 96:H6gasEhq7oA7JfdQXIDcQnc6rCcEhcw3r7+HbHg/8BRTf3ZFEOyKZj8OWEADKVh0:tawu056rQjpazuiFQZ24IO8LA |
| MD5: | 6C61A9195D91FE1889E58B40F42029E0 |
| SHA1: | C93080A04673CB8E4EDAA25D35B3B684892E8C1B |
| SHA-256: | 1D2BD625FE53742AE4A5A46D6CD06A271C683C98176D1AC44EC04484E784D2BA |
| SHA-512: | 7D2AC64D2BA81212855C3EB6EB998886CFA58F34F6DB503FDB58F55793CA7665FFA3402816EB88406A3934854F119825EB7A238B9BF0F31C0F90B7E7B61A916C |
| Malicious: | false |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_xQXHoWMKoa.exe_68a8f9de9bf6d6157d3cafcf5c5a1acbef520ae_fef8e22e_90fd96f2-59eb-4ce6-9d1e-de15edba0462\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.8471873062805857 |
| Encrypted: | false |
| SSDEEP: | 96:iILegnsEhq7oA7JfdQXIDcQnc6rCcEhcw3r7+HbHg/8BRTf3ZFEOyKZj8OWEADK2:vLpnwu056rQjpQzuiFQZ24IO8LA |
| MD5: | 0696ECBD932645279E648EF6FD145694 |
| SHA1: | FCE9CBAC32EC32C84805A2380CF610C718DDE860 |
| SHA-256: | 8C6D1BFE0DFD1DE7EADFFADE62BC0975F579270BFE8C309CCA6AF39DE2F28707 |
| SHA-512: | 697422B5A7310A683317F1E63E91B6D990093D5FC4B405CDC50F3D43E3206D0BA0C71B1ADFB0F3DB2C19084B63A8D2DC7FC5F728EBE7C7A5149A9A8C7E194B4C |
| Malicious: | false |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_xQXHoWMKoa.exe_68a8f9de9bf6d6157d3cafcf5c5a1acbef520ae_fef8e22e_e011f5d0-3b05-4084-9882-970e4d430110\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.831553319105843 |
| Encrypted: | false |
| SSDEEP: | 96:Xsg7sEhq7oA7JfdQXIDcQnc6rCcEhcw3r7+HbHg/8BRTf3ZFEOyKZj8OWEADKVh0:L7wu056rQjpazuiFQZ24IO8LA |
| MD5: | 49445557025460C97EEA225215A4AF3C |
| SHA1: | C927B4B3E1E3863283B20214FED7799DB9DC6EC2 |
| SHA-256: | 99455AD1814BA21BC88DADDDE20AAD462D1819C44020CD115594F86DA3237986 |
| SHA-512: | BD92F993EC064889BA4AE54D2F3D018D4ACA1D2892A81BC6BFC5308FCBDDB0A0F8A4FF833A823E447BE9949EA392EAEC244C58351F1CA8746A73AAE3D16E46A1 |
| Malicious: | false |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_xQXHoWMKoa.exe_68a8f9de9bf6d6157d3cafcf5c5a1acbef520ae_fef8e22e_fec04291-1d36-471c-9fcc-58b35baad30b\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.8471977815694767 |
| Encrypted: | false |
| SSDEEP: | 96:c5FgOsEhq7oA7JfdQXIDcQnc6rCcEhcw3r7+HbHg/8BRTf3ZFEOyKZj8OWEADKVg:CiOwu056rQjpQzuiFQZ24IO8LA |
| MD5: | 844ABF382B004C05D9717C366E44DF5B |
| SHA1: | B9EE720C1C5F27118A794943DE394EC8DD563E72 |
| SHA-256: | EBFF9D3F82ACEE92E6294A5BA5132EF7B532C120AE789EE239A52B2F8D81EC0D |
| SHA-512: | 9F28A878B9E8C45815D27199F4246BB058ADFBD7C0C4BC6D67370D8FDFE7556312E48113E65A45D3F438B5700711E68C0DB6ECA8F5EA80102797390238CB4B0A |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 63114 |
| Entropy (8bit): | 2.229109378499161 |
| Encrypted: | false |
| SSDEEP: | 384:fpA0u+GgbzEo3HeACsDWO7/QMcytmu1edhB+YZZo:RAWnzEo8sx7/MBzo |
| MD5: | A61A9DCDA92B60643EA1FE7AFDA6568C |
| SHA1: | BEA1D5630B5DFA630C5D2125C3A3A90F8133B6D4 |
| SHA-256: | 652DAFE957B51DAFE654D827436FA5469169343F2DCD16CF47471AF4D2E2DF0D |
| SHA-512: | BC25CD0EDEE226466936553F9AC80C3D8BE5C82426FFB46A6BE2C01750F5E271B6C01C3E398E4E9F5AE33AE599211C091D248993F9487833CECC2D8B09038610 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8360 |
| Entropy (8bit): | 3.7018621886632825 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJMoG6IgNn6YEIYSUjzBgmf5/2jCpBZ89b9usfY/m:R6lXJMB6IgNn6YEnSUjVgmf5O9tf9 |
| MD5: | 16FCD458C5636448091CFBAE40567CB6 |
| SHA1: | 8246546EEE7A2CA1BCCEF028179857AD213E5515 |
| SHA-256: | 6D9D2CA59D92D22D0174B7462CAB9CC4D4DBF46B19D169AE67ED72E3E0D03581 |
| SHA-512: | 2412B9A21E6A0ED8F6F1660F7D799A8E9FF1A792B797110A1EFA9543CA2E81D0F5F9844B6A4CA5E503001958515DAD8E168BC84F1CF153ECEF074D4C1663EA02 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4619 |
| Entropy (8bit): | 4.500747745997885 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsZiJg77aI9PsWpW8VYTYm8M4JHCFh+q8FevkiPJq05d:uIjfZwI7VF7VvJymiM05d |
| MD5: | 4B107F434381456CB123342E7B9FD2AC |
| SHA1: | 5D96FCEA3D5937249DD37BD3D8383DD2F1E1AD18 |
| SHA-256: | 2EB4C1874F0619A3FC98701D02266C00DD0A3367C70EBEFA867778663419E9D8 |
| SHA-512: | EE05CFC5DAB0F170732306A6E6C61B538FEED378FCC8FB7262BF854504E31D59260D7BAFCE1FEFC2A031CE2B36361B16D1D612DBBFD42F2D14D73F762AFE2030 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 63006 |
| Entropy (8bit): | 2.2523632813119483 |
| Encrypted: | false |
| SSDEEP: | 384:HE0u+Gvz93HeA66WEE7/QMcytmu1edhpMtZPd:kWoz9oUE7/MpMt |
| MD5: | B8EB82071327FC710EBCECC30F77CAA4 |
| SHA1: | DCED6687541ABB7B3737BCEA3D2CE0A7C6A11866 |
| SHA-256: | F9EC4246F180068796F0D4A8AE7E9079CDE64EBA7C3B7183A729876760D426A4 |
| SHA-512: | 34B53AD172BEE33928E27A37C81D34FBEE45FD2D219C0CC05573B4647A83BC3A4625F7223CBA6E9B322F027AA29A0DBD549C5C81D5433FFEEBE225B35EBCD78D |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8362 |
| Entropy (8bit): | 3.703801222141124 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJMo06IgNOZ6YEIlSUy9egmf5/2jCpB189b0usfHM8m:R6lXJMb6IgNA6YEKSUy9egmf5q0tfu |
| MD5: | 73540A7A783477A68C0363010B92AD7B |
| SHA1: | 1AE9F2F644D64C811B90A4EC77ECAAD0EE98E484 |
| SHA-256: | 5C307C40BAE8C5D2B2CB9620AAF702DF68F042077D2965AA9EBE06951F4351E2 |
| SHA-512: | 23D1C7A960F79E24DD5974B902CB826D002BCA8226927B979A14755C092023D4C4C60605776F421D64F67F35B07545121FA7CEF10A022A33FB0791848933BBF6 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4619 |
| Entropy (8bit): | 4.503110704492799 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsZiJg77aI9PsWpW8VY+Ym8M4JHCFAAY3+q8FevkiPJq05d:uIjfZwI7VF7VqJTtmiM05d |
| MD5: | 52D4DA91F4F61B442C22EAF339313511 |
| SHA1: | 48BC2C98C3DB1F17DFE51D402987EE4632BFFE23 |
| SHA-256: | 2214D20342EC0FAFAC01299BD9E728C9E2AC35CBB22F502F686697D62BAE7D8E |
| SHA-512: | B4CBA8EEB9006A6E495F412263E8931A1C7EB9F4D5C084CD9307A4090DFA191A7C3295998A10008771B98960D9C8D7E01B27FF859D6C8BA9B5CF635AC15754DD |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 72678 |
| Entropy (8bit): | 2.0091410133713747 |
| Encrypted: | false |
| SSDEEP: | 384:s86PpuimjzJzImBPiFJeXoWcmu1ed5BtXBlsO7:s86hu5zJ/iFJeXNB2O |
| MD5: | 5F6496BE0310A768E7ADDE48C7EC509A |
| SHA1: | CC04A0E5AF60BF6BDD247F11E056B3769023C165 |
| SHA-256: | 31AB2E45156639D0C6FF816E27FB1F76B110C48F917F41E77FF2571CFEA236F0 |
| SHA-512: | A61E26505DE9368E6063065EFE653E08001842A4931DEDD7957167A470DFBEB0305DB8D96DB9D1AB0C9904CE87BE3B4C13E1F4082F5C37AFFF9E6F971BF7A06E |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8362 |
| Entropy (8bit): | 3.7031714881939073 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJMoA6I9y6YEISSUjTvgmf5/2jCpBP89bLusfbZm:R6lXJM/6I9y6YEdSUjTvgmf5oLtfI |
| MD5: | E902A72C8354DC6C23E07085DA0A31B6 |
| SHA1: | E24F74A4E004FF24D3EA637B1DCA8E8AE8F4EFA0 |
| SHA-256: | 079E48498521CD3462EBEC3087B85FA8E92936E6B3290DF17F629FAD0036AD33 |
| SHA-512: | 14BF3A7CA5A656AAD2EE0B9894E9D702DE852CDCCD7D79E1EC30BFF58989C40343F010641D138B47B64A3D4B89DDB38C7948BF78D6C189F08298A4ECCBEC1B4D |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4619 |
| Entropy (8bit): | 4.502622269202652 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsZiJg77aI9PsWpW8VYgYm8M4JHCFC+q8FevkiPJq05d:uIjfZwI7VF7VMJ9miM05d |
| MD5: | A76BEFC086665DF11EC93AA239A50142 |
| SHA1: | 3E90615E5D5A2A55811877EEB1B66A715306312F |
| SHA-256: | 570D79EB317EBECA0E05286983AC3B48E0D8357074161DE17A92520590623724 |
| SHA-512: | 22032190DCD0C02BE9AD1571EA927A563A1EA6877B73E273B9FF1BA379DF3F4A84B5032B6CA56006164669EC5594F2C39ACB6D66338878421EF55B7962ACCADD |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 72254 |
| Entropy (8bit): | 2.021821672168551 |
| Encrypted: | false |
| SSDEEP: | 384:+PpuPh8zCdzIaBK6UjAxW+mu1ed5pMuAfGziE:+huPuz2zCbpMqj |
| MD5: | 7BB22D5DDBCFD900F4E7D43C02F7BCD2 |
| SHA1: | 519315CB1273CB38E864ABBB9047A9678FFFA746 |
| SHA-256: | D34AA65AB0487381AA1CE8415649B739330F8A3BA22007DF517B886B3D29E135 |
| SHA-512: | 079B919C9820431207EE791E38BAA80C00F87278FA17607CAA34CC99A2E10E6B103682D6003B62B794B6660DD34F9A53AD1B30909B0AC6B68145BF9C0EA975CC |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8362 |
| Entropy (8bit): | 3.704665867064762 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJMoz6I9bB6YEIPSUjTvgmf5/2jCpBP89bCusfTWm:R6lXJMM6I9N6YEgSUjTvgmf5oCtfL |
| MD5: | 2954FAB85B549B85253B6565ECA5B9F6 |
| SHA1: | 715266CB4686608434C0CAB96CC8F771340D8295 |
| SHA-256: | E55933C8ADBA7EDE5BCC51646C520AD22FCADD16337AC9F392FD13398D19F412 |
| SHA-512: | E3FE5713389500D7D18AAF9AABBC1CC766464651D626856F1FCF4030E2BF9FE6094E42912CD768B2DFA23B557DC578BB5BD4C925D239DE3EA6805E7C615D4239 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4619 |
| Entropy (8bit): | 4.501212303698218 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsZiJg77aI9PsWpW8VYR5Ym8M4JHCF6+q8FevkiPJq05d:uIjfZwI7VF7VyoJFmiM05d |
| MD5: | A2F713F7064DBDC8C9161240DA825ECB |
| SHA1: | 3E2B8E2EAEF129E0E2CFE39C018916C375ED3560 |
| SHA-256: | 983EF7243D384BFC5C07AB09824243CF1644CDDC02BC1B5E61EA801C93B74D36 |
| SHA-512: | 78E13D1E42638051CAA2BF395D8FFF59EA3237D44D3E189A86DB07F25AE947E9200E410375195854EFB3EB5A8CAC5EDABBA8EB8E4B369BA8B776512E5B2937C4 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 79298 |
| Entropy (8bit): | 1.9906848721678903 |
| Encrypted: | false |
| SSDEEP: | 384:XKSGUH3zoxjXclzIzcKvAxWXd5UcXCA5XeLbcnZs:PrH3z6c+RUUXSMK |
| MD5: | 0D9BFD0F423F95471B63867F78EE793E |
| SHA1: | 4745AE2654989C7AAF753EABBA7922B910686E92 |
| SHA-256: | 95BA2BF6E9CF938EC4326540D4ECCCC7C874471BE554224D15CFC92DE882B04D |
| SHA-512: | 68B3E1A8D99C09DFCED5D37E36669866DD84E6564F423A2563B8BBE87E1C99926A670F96B17CED4A2A8012B6B341E8A8AB4F767E3348F84FBE8E2FC705BB5EDC |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8362 |
| Entropy (8bit): | 3.704372588961267 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJMoC6IV1W6YEIcSUjUKgmf5/2jCpBO89bCusf0LvWm:R6lXJM96IVU6YETSUjUKgmf5vCtfQn |
| MD5: | A85C64EFDDC148F75F2756E4DE87A769 |
| SHA1: | 03BF0F5F038EA5B3AC94E7DA3EDBE3C713D05EC1 |
| SHA-256: | B33AB4EFA82A46785E9FF6BB58D3D306483412FE81879EC9AF75624FBF9AF7B1 |
| SHA-512: | F2C6AE26C7D3A9668ED1FF42BBE8D83FA29A2CB358813898C0B1F12BF07086F26EFFA3B1ECBC72C87E21E2AD1B98B2B7056F1BE27BB1AC6F0C954DA6A7D737AB |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4619 |
| Entropy (8bit): | 4.502605790473535 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsZiJg77aI9PsWpW8VYmYm8M4JHCFhjm+q8FevkiPJq05d:uIjfZwI7VF7VuJDmiM05d |
| MD5: | 2B4AA486B35ADB5169D87195CB33E57C |
| SHA1: | 3F2B7E96C6E0311C18C2EB9BC1302D1FD8D56258 |
| SHA-256: | 35BD2A10424770E791FA7F490248294655CAB1CD278E1EB4C5EC8A5DDFDA9E68 |
| SHA-512: | 11B57F786A89D2E767ECD72F6D5280B79EE10EDD1A9A04E1F283FE75430C0C6FD0600F51C0DCB10901B7002186C817D65294A2991603B338F5E904999B5522B0 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 87908 |
| Entropy (8bit): | 1.9859431793581646 |
| Encrypted: | false |
| SSDEEP: | 384:qwofETxzvLKNRY+zI/cKo34A78YWed5Uc/QC/Wm3Jk/hDyk:do8TxzDd+LoY8gUgW1JDy |
| MD5: | 195028604EFD363426763E0687E2CE0C |
| SHA1: | 6515929D51E34D24D80C2080C42A692A0DECD369 |
| SHA-256: | 0220C37D653F95C47FD9C541572943692610C1A2816D0833B73FC16A3B20AF8D |
| SHA-512: | 8CE68E7B649FB0B0B6344AAA5E9FAED0FDE0B7E0492241B753AA6EE888E77C4CE1E524D327718872D5FA689E4AD31F8B6CC5A902EFC1ED405CF48A4504CEC371 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8362 |
| Entropy (8bit): | 3.7046363738620007 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJMo46I6+6YEIuSUjUKgmf5/2jCpBG89bZusf93zm:R6lXJMH6I6+6YExSUjUKgmf5HZtf8 |
| MD5: | 4E9EFE41AAB8EE1004FAE521A85FEC25 |
| SHA1: | E149550A4ADA4CD137907FCD9EA684437C640FBF |
| SHA-256: | C9FE288DBCCB5919D35E70B384AAF364217EC754989F65713865CF8271D595AD |
| SHA-512: | 01F6FB3E16B5200F833ABA06DDEC685438FA58DE458338F8965D058C95877D24D4498C39240AE6E70148EFAC8ECADEB062F035CCDA1E6E0169E84F98BEE950E2 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4619 |
| Entropy (8bit): | 4.497317581305158 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsZiJg77aI9PsWpW8VYeYm8M4JHCFn+q8FevkiPJq05d:uIjfZwI7VF7VmJomiM05d |
| MD5: | DCD1355512908AF715B305CCD29C705F |
| SHA1: | 3036AD06C1B3BE64EF56F95750EE3C900B6E34C1 |
| SHA-256: | 170E56BB0DFC7BF82890C6384A42D6DEFEC3B3AFD9EB0B1F2B358CE56A660622 |
| SHA-512: | A39775A78D4BFA32DF2D0F51E356D5F0E7DB797956D53554CF29DC3901B3BEF0940A6CA267E5F72B4150358ADDED8B72C54C0797AE7B231AFD3E223E30A48107 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 102728 |
| Entropy (8bit): | 2.16637673452389 |
| Encrypted: | false |
| SSDEEP: | 384:PiFz3khz+JL5zp1Wu0GiLlWz+KYc5BTusd5s7cicvn1PimPAS:6p3khz+HeG6e+KYc5BTuUs7mn1dP/ |
| MD5: | F622C1B70277F7218725E2BE2F5DE74D |
| SHA1: | 339A7D8A75DEA1519D70B9E4628AB6CD2434F10E |
| SHA-256: | D972614966A1E4A080CDAE4AAE783EE0ABA6C0B6A68F5780C2817C5C1FCDFC1D |
| SHA-512: | 46183A8CE0CB544B3FD66DEA0C9E1698EB212A81D01EE703B57D52EC67BCAE24EF77964255102A4B6EB2DC9B3063590A205E0E5224C095E9FE727EA5357B5586 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8362 |
| Entropy (8bit): | 3.704860596510725 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJMoQ6i6YEIMSUyNVgmf5/2jCpB089beusfYsKm:R6lXJMP6i6YEjSUyNVgmf5petfYA |
| MD5: | 8AECA3F7840329A4AF7C00CABD9C15AA |
| SHA1: | 01CA291559D97F21B2E859D1B48095AB1F460354 |
| SHA-256: | B0D6A3B389F7FAEDDDDE570F372893BE13B0F0D6E213DF503D2EE3DB6E47D5D7 |
| SHA-512: | B28311366D08ADFE94C26ABDF64DC0E70937F52D5BDCD6A012AB0E3E868D3F26742223FE8782CAC50CF10CA35CB51CF1AC1B683C780921A7D91596272382730D |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4619 |
| Entropy (8bit): | 4.503152776360678 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsZiJg77aI9PsWpW8VYNYm8M4JHCF0j+q8FevkiPJq05d:uIjfZwI7VF7VhJxmiM05d |
| MD5: | 0F1C91995AE599D5A4DA1D8CAC9D41C9 |
| SHA1: | 8A59F6D3603B8EFF9F4CB6B0B9FD8339681ED11D |
| SHA-256: | F23AA9CA062AEF3DDBC491639B2D00364159B1AB80E50004E2F10F20216EF38A |
| SHA-512: | 47CE994D02F7AF8F96C084166F987B2362CAE3C1AC09CBCF779D3E9F12C060900E601585C7B81CB026E359D56E2C46BA6DFDB767DC952D887C0D485F39F9EE79 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\xQXHoWMKoa.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1 |
| Entropy (8bit): | 0.0 |
| Encrypted: | false |
| SSDEEP: | 3:V:V |
| MD5: | CFCD208495D565EF66E7DFF9F98764DA |
| SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
| SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
| SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1835008 |
| Entropy (8bit): | 4.421560973691599 |
| Encrypted: | false |
| SSDEEP: | 6144:HSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnN/0uhiTwQ:yvloTMW+EZMM6DFyF03wQ |
| MD5: | 43490431F7DAE4DA341C58DEF8C1A1B3 |
| SHA1: | D043F0732315D32E239DDF31CFC6799D89807131 |
| SHA-256: | 05500FC7E033EA0B34C9FB4C21881B4FB1F44232CB56FC779B4F987B0EFCF917 |
| SHA-512: | 5FA8A978475B74A9F5FFCF22EE12A9095F9C104D69EFBD4A517C14771779EF8D2DDAD8366F15F8B98CFA89A95F64E583AC11749947B364FE1CD7CBF615F7B779 |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.6356736263357785 |
| TrID: |
|
| File name: | xQXHoWMKoa.exe |
| File size: | 350'720 bytes |
| MD5: | b6e4dc4fd0cc50fbb1236fe1108b886d |
| SHA1: | ca17fc4111dbc08551aabe0e890c337448a19eda |
| SHA256: | 114aa6cb595ed49423707788c3a06a79e250d23d0615108cbb3fb5bdd20af5c8 |
| SHA512: | eaebb7b46714e2e15fd604383f5c7bb092c7f2669edf1c462544aeb3a11a38b8feacdfae7b78fe6cc0b96c6764909dad7e249c0d31320a26c5df1fa1c911dfbb |
| SSDEEP: | 3072:FGSlqrvGown4AMsIqQk+ooNKeDe0T+ZvcXwR+YKZfwmuF5GZ4WDm/5O5XP0hd5A/:FanwpoNfe0Tb0aBwmuWaWa/5ORMAQOo |
| TLSH: | 9474AE02B2E1E870E57347324EADD6F4663EFD718E696B6B33585E0F14B01A1D622723 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........e.....................................................l...............l.......Rich............PE..L....2.d................... |
 | |
| Icon Hash: | 63796de171636e0f |
| Entrypoint: | 0x4068fb |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x64E63208 [Wed Aug 23 16:21:28 2023 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 1 |
| File Version Major: | 5 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 1 |
| Import Hash: | 5ec6dee0bb8cb06d2e2fd45ee1c1fbf4 |
| Instruction |
|---|
| call 00007F31E0BE5299h |
| jmp 00007F31E0BDACF5h |
| push 00000014h |
| push 00424C50h |
| call 00007F31E0BE21A4h |
| call 00007F31E0BDD0E3h |
| movzx esi, ax |
| push 00000002h |
| call 00007F31E0BE522Ch |
| pop ecx |
| mov eax, 00005A4Dh |
| cmp word ptr [00400000h], ax |
| je 00007F31E0BDACF6h |
| xor ebx, ebx |
| jmp 00007F31E0BDAD25h |
| mov eax, dword ptr [0040003Ch] |
| cmp dword ptr [eax+00400000h], 00004550h |
| jne 00007F31E0BDACDDh |
| mov ecx, 0000010Bh |
| cmp word ptr [eax+00400018h], cx |
| jne 00007F31E0BDACCFh |
| xor ebx, ebx |
| cmp dword ptr [eax+00400074h], 0Eh |
| jbe 00007F31E0BDACFBh |
| cmp dword ptr [eax+004000E8h], ebx |
| setne bl |
| mov dword ptr [ebp-1Ch], ebx |
| call 00007F31E0BE1A7Ah |
| test eax, eax |
| jne 00007F31E0BDACFAh |
| push 0000001Ch |
| call 00007F31E0BDADD1h |
| pop ecx |
| call 00007F31E0BE126Eh |
| test eax, eax |
| jne 00007F31E0BDACFAh |
| push 00000010h |
| call 00007F31E0BDADC0h |
| pop ecx |
| call 00007F31E0BE52A5h |
| and dword ptr [ebp-04h], 00000000h |
| call 00007F31E0BE444Bh |
| test eax, eax |
| jns 00007F31E0BDACFAh |
| push 0000001Bh |
| call 00007F31E0BDADA6h |
| pop ecx |
| call dword ptr [0041B0D0h] |
| mov dword ptr [01A10984h], eax |
| call 00007F31E0BE52C0h |
| mov dword ptr [0044882Ch], eax |
| call 00007F31E0BE4C63h |
| test eax, eax |
| jns 00007F31E0BDACFAh |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25204 | 0x64 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1611000 | 0xeb98 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1b220 | 0x38 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x23cf0 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x23ca8 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x1b000 | 0x1a0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x194ea | 0x19600 | afe1796fe6e1890621cf9721b30bd9e1 | False | 0.5758255080049262 | data | 6.677259404856937 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x1b000 | 0xab9c | 0xac00 | 2cee23bd9d6a184744abfc6e68e35e60 | False | 0.434070675872093 | data | 5.080401268951139 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x26000 | 0x15ea988 | 0x22800 | 00968b4e166063100821946111aa4334 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x1611000 | 0xeb98 | 0xec00 | ed7005df57540379239efc5b8893e801 | False | 0.3357885328389831 | data | 4.136501915128529 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_CURSOR | 0x161a8a8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | 0.26439232409381663 | ||
| RT_CURSOR | 0x161b750 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | 0.3686823104693141 | ||
| RT_CURSOR | 0x161bff8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | 0.49060693641618497 | ||
| RT_CURSOR | 0x161c590 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | 0.4375 | ||
| RT_CURSOR | 0x161c6c0 | 0xb0 | Device independent bitmap graphic, 16 x 32 x 1, image size 0 | 0.44886363636363635 | ||
| RT_CURSOR | 0x161c798 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | 0.27238805970149255 | ||
| RT_CURSOR | 0x161d640 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | 0.375 | ||
| RT_CURSOR | 0x161dee8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | 0.5057803468208093 | ||
| RT_ICON | 0x1611640 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Romanian | Romania | 0.5362903225806451 |
| RT_ICON | 0x1611d08 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Romanian | Romania | 0.4095435684647303 |
| RT_ICON | 0x16142b0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Romanian | Romania | 0.4441489361702128 |
| RT_ICON | 0x1614748 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Romanian | Romania | 0.4898720682302772 |
| RT_ICON | 0x16155f0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Romanian | Romania | 0.4657039711191336 |
| RT_ICON | 0x1615e98 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Romanian | Romania | 0.43713872832369943 |
| RT_ICON | 0x1616400 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Romanian | Romania | 0.2774896265560166 |
| RT_ICON | 0x16189a8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Romanian | Romania | 0.28588180112570355 |
| RT_ICON | 0x1619a50 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Romanian | Romania | 0.3073770491803279 |
| RT_ICON | 0x161a3d8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Romanian | Romania | 0.3421985815602837 |
| RT_STRING | 0x161e660 | 0x3f4 | data | Romanian | Romania | 0.4644268774703557 |
| RT_STRING | 0x161ea58 | 0x48a | data | Romanian | Romania | 0.45008605851979344 |
| RT_STRING | 0x161eee8 | 0x13e | data | Romanian | Romania | 0.5283018867924528 |
| RT_STRING | 0x161f028 | 0x35e | data | Romanian | Romania | 0.46867749419953597 |
| RT_STRING | 0x161f388 | 0x55e | data | Romanian | Romania | 0.44250363901018924 |
| RT_STRING | 0x161f8e8 | 0x2ac | data | Romanian | Romania | 0.4722222222222222 |
| RT_GROUP_CURSOR | 0x161c560 | 0x30 | data | 0.9375 | ||
| RT_GROUP_CURSOR | 0x161c770 | 0x22 | data | 1.0588235294117647 | ||
| RT_GROUP_CURSOR | 0x161e450 | 0x30 | data | 0.9375 | ||
| RT_GROUP_ICON | 0x1614718 | 0x30 | data | Romanian | Romania | 0.9375 |
| RT_GROUP_ICON | 0x161a840 | 0x68 | data | Romanian | Romania | 0.7019230769230769 |
| RT_VERSION | 0x161e480 | 0x1e0 | data | 0.5604166666666667 |
| DLL | Import |
|---|---|
| KERNEL32.dll | GetNumaProcessorNode, GetLocaleInfoA, LoadLibraryExW, GetTickCount, CreateRemoteThread, GetWindowsDirectoryA, GetVolumeInformationA, LoadLibraryW, ReadConsoleInputA, ReadProcessMemory, WriteConsoleW, GetModuleFileNameW, GetCompressedFileSizeA, GetTempPathW, SetThreadLocale, GetLastError, FindVolumeMountPointClose, VirtualAlloc, FindFirstChangeNotificationW, CopyFileA, SetStdHandle, SetFileAttributesA, LoadLibraryA, WriteConsoleA, LocalAlloc, SetCalendarInfoW, CreateHardLinkW, GetExitCodeThread, GetNumberFormatW, AddAtomW, RemoveDirectoryW, GlobalFindAtomW, GetOEMCP, VirtualProtect, AddConsoleAliasA, CreateFileW, CreateTimerQueueTimer, GetSystemDefaultLangID, OutputDebugStringW, FlushFileBuffers, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW, EncodePointer, DecodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, HeapFree, IsProcessorFeaturePresent, GetCommandLineA, GetCPInfo, RaiseException, RtlUnwind, HeapAlloc, UnhandledExceptionFilter, SetUnhandledExceptionFilter, SetLastError, InitializeCriticalSectionAndSpinCount, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetModuleHandleW, GetProcAddress, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, IsValidCodePage, GetACP, GetCurrentThreadId, IsDebuggerPresent, GetProcessHeap, ExitProcess, GetModuleHandleExW, HeapSize, GetStdHandle, GetFileType, CloseHandle, GetModuleFileNameA, WriteFile, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, ReadFile, SetFilePointerEx, GetConsoleCP, GetConsoleMode |
| USER32.dll | GetMenuItemID |
| GDI32.dll | GetCharacterPlacementW |
| WINHTTP.dll | WinHttpConnect |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| Romanian | Romania |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 04/19/24-19:24:58.164548 | TCP | 2856233 | ETPRO TROJAN Win32/Unknown Loader Related Activity (GET) | 49705 | 80 | 192.168.2.5 | 185.172.128.90 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Apr 19, 2024 19:24:57.961867094 CEST | 49705 | 80 | 192.168.2.5 | 185.172.128.90 |
| Apr 19, 2024 19:24:58.164206028 CEST | 80 | 49705 | 185.172.128.90 | 192.168.2.5 |
| Apr 19, 2024 19:24:58.164305925 CEST | 49705 | 80 | 192.168.2.5 | 185.172.128.90 |
| Apr 19, 2024 19:24:58.164547920 CEST | 49705 | 80 | 192.168.2.5 | 185.172.128.90 |
| Apr 19, 2024 19:24:58.366190910 CEST | 80 | 49705 | 185.172.128.90 | 192.168.2.5 |
| Apr 19, 2024 19:24:59.690429926 CEST | 80 | 49705 | 185.172.128.90 | 192.168.2.5 |
| Apr 19, 2024 19:24:59.690536022 CEST | 49705 | 80 | 192.168.2.5 | 185.172.128.90 |
| Apr 19, 2024 19:25:00.888226986 CEST | 49705 | 80 | 192.168.2.5 | 185.172.128.90 |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Apr 19, 2024 19:25:11.992130041 CEST | 1.1.1.1 | 192.168.2.5 | 0x5813 | No error (0) | 199.232.214.172 | A (IP address) | IN (0x0001) | false | ||
| Apr 19, 2024 19:25:11.992130041 CEST | 1.1.1.1 | 192.168.2.5 | 0x5813 | No error (0) | 199.232.210.172 | A (IP address) | IN (0x0001) | false | ||
| Apr 19, 2024 19:26:12.754826069 CEST | 1.1.1.1 | 192.168.2.5 | 0x63f1 | No error (0) | 199.232.210.172 | A (IP address) | IN (0x0001) | false | ||
| Apr 19, 2024 19:26:12.754826069 CEST | 1.1.1.1 | 192.168.2.5 | 0x63f1 | No error (0) | 199.232.214.172 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49705 | 185.172.128.90 | 80 | 1088 | C:\Users\user\Desktop\xQXHoWMKoa.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Apr 19, 2024 19:24:58.164547920 CEST | 411 | OUT | |
| Apr 19, 2024 19:24:59.690429926 CEST | 204 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 19:24:51 |
| Start date: | 19/04/2024 |
| Path: | C:\Users\user\Desktop\xQXHoWMKoa.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 350'720 bytes |
| MD5 hash: | B6E4DC4FD0CC50FBB1236FE1108B886D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 19:24:52 |
| Start date: | 19/04/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xc90000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 6 |
| Start time: | 19:24:53 |
| Start date: | 19/04/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xc90000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 8 |
| Start time: | 19:24:54 |
| Start date: | 19/04/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xc90000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 10 |
| Start time: | 19:24:54 |
| Start date: | 19/04/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x7ff6d64d0000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 12 |
| Start time: | 19:24:55 |
| Start date: | 19/04/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xc90000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 14 |
| Start time: | 19:24:56 |
| Start date: | 19/04/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xc90000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 16 |
| Start time: | 19:24:58 |
| Start date: | 19/04/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xc90000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 17 |
| Start time: | 19:24:59 |
| Start date: | 19/04/2024 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x790000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 18 |
| Start time: | 19:24:59 |
| Start date: | 19/04/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6d64d0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 19 |
| Start time: | 19:24:59 |
| Start date: | 19/04/2024 |
| Path: | C:\Windows\SysWOW64\taskkill.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xa10000 |
| File size: | 74'240 bytes |
| MD5 hash: | CA313FD7E6C2A778FFD21CFB5C1C56CD |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 2.6% |
| Dynamic/Decrypted Code Coverage: | 7.6% |
| Signature Coverage: | 12.3% |
| Total number of Nodes: | 408 |
| Total number of Limit Nodes: | 6 |
Graph
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0364092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01C7F1BE Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401D70 Relevance: 28.3, APIs: 9, Strings: 7, Instructions: 311networkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0364003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00403180 Relevance: 6.1, APIs: 4, Instructions: 71COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00403280 Relevance: 4.6, APIs: 3, Instructions: 51COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03640E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004123EF Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03640920 Relevance: 1.5, APIs: 1, Instructions: 4COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01C7EE7D Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041868D Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 251COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00418FEE Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 183COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00418E19 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03659080 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00408675 Relevance: 6.1, APIs: 4, Instructions: 73COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 036488DC Relevance: 6.1, APIs: 4, Instructions: 73COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00418AA0 Relevance: 4.7, APIs: 3, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03658D07 Relevance: 4.7, APIs: 3, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040CA21 Relevance: 3.0, APIs: 2, Instructions: 34timeCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00408873 Relevance: 1.6, APIs: 1, Instructions: 144COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041583F Relevance: 1.6, APIs: 1, Instructions: 140COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03655AA6 Relevance: 1.6, APIs: 1, Instructions: 140COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00418CF3 Relevance: 1.6, APIs: 1, Instructions: 83COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03658F5A Relevance: 1.6, APIs: 1, Instructions: 83COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00418F1F Relevance: 1.5, APIs: 1, Instructions: 45COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03659186 Relevance: 1.5, APIs: 1, Instructions: 45COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00408809 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03648A70 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03649AC7 Relevance: 1.3, Strings: 1, Instructions: 76COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00421D0A Relevance: 1.3, Instructions: 1258COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00416A7C Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00413C49 Relevance: .6, Instructions: 637COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041813E Relevance: .3, Instructions: 327COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 036583A5 Relevance: .3, Instructions: 327COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00409860 Relevance: .1, Instructions: 76COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01C7EA9B Relevance: .1, Instructions: 61COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03640D90 Relevance: .0, Instructions: 43COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00411192 Relevance: .0, Instructions: 22COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 036513F9 Relevance: .0, Instructions: 22COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040D070 Relevance: 22.9, APIs: 15, Instructions: 357COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0364D2D7 Relevance: 22.9, APIs: 15, Instructions: 357COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00407F24 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 51libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041701E Relevance: 18.4, APIs: 12, Instructions: 373COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040AF22 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0364B189 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00410C28 Relevance: 15.1, APIs: 10, Instructions: 69COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03650E8F Relevance: 15.1, APIs: 10, Instructions: 69COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041743D Relevance: 13.7, APIs: 9, Instructions: 199COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 036576A4 Relevance: 13.7, APIs: 9, Instructions: 199COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03641FD7 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 311networkCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004166A7 Relevance: 12.2, APIs: 8, Instructions: 203COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0365690E Relevance: 12.2, APIs: 8, Instructions: 203COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00407A99 Relevance: 12.2, APIs: 8, Instructions: 175COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041146B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03647D00 Relevance: 9.2, APIs: 6, Instructions: 175COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00405D70 Relevance: 9.1, APIs: 6, Instructions: 99COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03645FD7 Relevance: 9.1, APIs: 6, Instructions: 99COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040BD87 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040C6C3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004121BC Relevance: 7.7, APIs: 5, Instructions: 199COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03642E87 Relevance: 7.7, APIs: 5, Instructions: 162COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00415581 Relevance: 6.1, APIs: 4, Instructions: 86COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 036557E8 Relevance: 6.1, APIs: 4, Instructions: 86COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 036433E7 Relevance: 6.1, APIs: 4, Instructions: 71COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00408094 Relevance: 6.0, APIs: 4, Instructions: 25COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040E847 Relevance: 6.0, APIs: 4, Instructions: 19COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0364EAAE Relevance: 6.0, APIs: 4, Instructions: 19COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040B2CC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0364B533 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |