Windows
Analysis Report
xQXHoWMKoa.exe
Overview
General Information
Field | Value |
---|---|
Sample name: | xQXHoWMKoa.exe (renamed because the original name is a hash value) |
Original sample name: | b6e4dc4fd0cc50fbb1236fe1108b886d.exe |
Analysis ID: | 1428892 |
MD5: | b6e4dc4fd0cc50fbb1236fe1108b886d |
SHA1: | ca17fc4111dbc08551aabe0e890c337448a19eda |
SHA256: | 114aa6cb595ed49423707788c3a06a79e250d23d0615108cbb3fb5bdd20af5c8 |
Tags: | 32, exe, trojan |
Detection
Field | Value |
---|---|
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- xQXHoWMKoa.exe (PID: 1088 cmdline: "C:\Users\user\Desktop\xQXHoWMKoa.exe" MD5: B6E4DC4FD0CC50FBB1236FE1108B886D)
- WerFault.exe (PID: 1720 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 732 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- WerFault.exe (PID: 1084 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 752 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- WerFault.exe (PID: 2640 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 768 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- WerFault.exe (PID: 5888 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 780 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- WerFault.exe (PID: 3636 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 920 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- WerFault.exe (PID: 5504 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 1020 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- WerFault.exe (PID: 6472 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 1364 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cmd.exe (PID: 1680 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "xQXHoWMKoa.exe" /f & erase "C:\Users\user\Desktop\xQXHoWMKoa.exe" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 3648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 3752 cmdline: taskkill /im "xQXHoWMKoa.exe" /f MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
GCleaner | | No Attribution | | |
{"C2 addresses": ["185.172.128.90"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | |
| JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security | |
| Windows_Trojan_Smokeloader_3687686f | unknown | unknown | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security | |
Field | Value |
---|---|
Timestamp: | 04/19/24-19:24:58.164548 |
SID: | 2856233 |
Source Port: | 49705 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | Joe Sandbox ML: |
Compliance |
---|
Source: | Unpacked PE file: |
Source: | Static PE information: |
Source: | File opened: |
Source: | Binary string: |
Source: | Code function: | 0_2_0041583F |
Source: | Code function: | 0_2_03655AA6 |
Networking |
---|
Source: | Snort IDS: |
Source: | IPs: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | TCP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: |
System Summary |
---|
Source: | Matched rule: |
Source: | Code function: | 0_2_00404710 |
Source: | Code function: | 0_2_00409860 |
Source: | Code function: | 0_2_0041813E |
Source: | Code function: | 0_2_00413C49 |
Source: | Code function: | 0_2_00413464 |
Source: | Code function: | 0_2_00421D0A |
Source: | Code function: | 0_2_036583A5 |
Source: | Code function: | 0_2_03649AC7 |
Source: | Code function: | 0_2_03644977 |
Source: | Code function: | 0_2_036536CB |
Source: | Process created: |
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Matched rule: |
Source: | Classification label: |
Source: | Code function: | 0_2_01C7F1BE |
Source: | File created: |
Source: | Mutant created: |
Source: | File created: |
Source: | Command line argument: | 0_2_00404710 |
Source: | Command line argument: | 0_2_03644977 |
Source: | Static PE information: |
Source: | WMI Queries: |
Source: | File read: |
Source: | Key opened: |
Source: | ReversingLabs: |
Source: | Process created: |
Source: | Section loaded: |
Source: | Key value queried: |
Source: | File opened: |
Source: | Static PE information: |
Source: | Binary string: |
Data Obfuscation |
---|
Source: | Unpacked PE file: |
Source: | Code function: | 0_2_00424AC9 |
Source: | Code function: | 0_2_00408591 |
Source: | Code function: | 0_2_01C82198 |
Source: | Code function: | 0_2_01C82976 |
Source: | Code function: | 0_2_01C818CA |
Source: | Code function: | 0_2_01C830A0 |
Source: | Code function: | 0_2_01C813B7 |
Source: | Code function: | 0_2_01C822BC |
Source: | Code function: | 0_2_01C82260 |
Source: | Code function: | 0_2_01C84CA2 |
Source: | Code function: | 0_2_01C837F3 |
Source: | Code function: | 0_2_01C83FA2 |
Source: | Code function: | 0_2_01C7FF75 |
Source: | Code function: | 0_2_01C7FF51 |
Source: | Code function: | 0_2_03654217 |
Source: | Code function: | 0_2_0365480E |
Source: | Code function: | 0_2_0365C709 |
Source: | Code function: | 0_2_036487F8 |
Source: | Process information set: |
Source: | API coverage: |
Source: | WMI Queries: (2 entries) |
Source: | Last function: |
Source: | Code function: | 0_2_0041583F | |
Source: | Code function: | 0_2_03655AA6 |
Source: | Binary or memory string: (31 entries) |
Source: | Process queried: (2 entries) | Jump to behavior |
Source: | Code function: | 0_2_0040C17B |
Source: | Code function: | 0_2_00411192 | |
Source: | Code function: | 0_2_0040C681 | |
Source: | Code function: | 0_2_01C7EA9B | |
Source: | Code function: | 0_2_0364092B | |
Source: | Code function: | 0_2_036513F9 | |
Source: | Code function: | 0_2_0364C8E8 | |
Source: | Code function: | 0_2_03640D90 |
Source: | Code function: | 0_2_00416A7C |
Source: | Process token adjusted: |
Source: | Code function: | 0_2_00408809 | |
Source: | Code function: | 0_2_0040C17B | |
Source: | Code function: | 0_2_00407C96 | |
Source: | Code function: | 0_2_00408675 | |
Source: | Code function: | 0_2_0364C3E2 | |
Source: | Code function: | 0_2_03648A70 | |
Source: | Code function: | 0_2_036488DC | |
Source: | Code function: | 0_2_03647EFD |
Source: | Process created: (3 entries) | Jump to behavior |
Source: | Code function: | 0_2_00408873 |
Source: | Code function: | 0_2_0041897A | |
Source: | Code function: | 0_2_0041892F | |
Source: | Code function: | 0_2_00418A15 | |
Source: | Code function: | 0_2_00418AA0 | |
Source: | Code function: | 0_2_004112A2 | |
Source: | Code function: | 0_2_00418CF3 | |
Source: | Code function: | 0_2_00418E19 | |
Source: | Code function: | 0_2_0041868D | |
Source: | Code function: | 0_2_00418F1F | |
Source: | Code function: | 0_2_004117C4 | |
Source: | Code function: | 0_2_00418FEE | |
Source: | Code function: | 0_2_03658BE1 | |
Source: | Code function: | 0_2_03658B96 | |
Source: | Code function: | 0_2_03659255 | |
Source: | Code function: | 0_2_03651A2B | |
Source: | Code function: | 0_2_03659186 | |
Source: | Code function: | 0_2_036588F4 | |
Source: | Code function: | 0_2_03659080 | |
Source: | Code function: | 0_2_03658F5A | |
Source: | Code function: | 0_2_03658D07 | |
Source: | Code function: | 0_2_03651509 | |
Source: | Code function: | 0_2_03658C7C |
Source: | Code function: | 0_2_0040CA21 |
Source: | Binary or memory string: (4 entries) |
Stealing of Sensitive Information |
---|
Source: | File source: (9 entries) |
Remote Access Functionality |
---|
Source: | File source: (9 entries) |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 41 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Virtualization/Sandbox Evasion | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | 33 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Detection | Scanner | Label |
---|---|---|
42% | ReversingLabs | Win32.Trojan.Stealerc |
100% | Avira | HEUR/AGEN.1361904 |
100% | Joe Sandbox ML | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | unknown |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
185.172.128.90 | unknown | Russian Federation | 50916 | NADYMSS-ASRU | true |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1428892 |
Start date and time: | 2024-04-19 19:24:05 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 19s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 22 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | xQXHoWMKoa.exerenamed because original name is a hash value |
Original Sample Name: | b6e4dc4fd0cc50fbb1236fe1108b886d.exe |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@13/30@0/1 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 52.165.165.26, 20.3.187.198, 13.85.23.206
- Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: xQXHoWMKoa.exe
Match | Detection | Threat Name |
---|---|---|
185.172.128.90 | malicious | Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT |
 | malicious | Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT |
 | malicious | Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT |
 | malicious | GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer |
 | malicious | Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT |
 | malicious | GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer |
 | malicious | Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT |
 | malicious | GCleaner |
 | malicious | Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT |
 | malicious | Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT |

All ten earlier samples that contacted 185.172.128.90 sit in the Stealc / Vidar / Mars Stealer cluster (with the usual loader companions), which agrees with the ReversingLabs label Win32.Trojan.Stealerc above.
Match | Detection | Threat Name |
---|---|---|
bg.microsoft.map.fastly.net | malicious | AgentTesla |
 | malicious | CobaltStrike |
 | malicious | AgentTesla |
 | malicious | AgentTesla, GuLoader |
 | malicious | Phisher |
 | malicious | AgentTesla |
 | malicious | Python Stealer |
 | malicious | HTMLPhisher |
 | malicious | Unknown |
 | malicious | Unknown |

bg.microsoft.map.fastly.net is a Fastly CDN hostname that Windows' own update and delivery components resolve to, so it appears in the run of almost any Windows sample. The unrelated families listed against it are co-occurrence noise rather than an indicator, consistent with its Malicious: false verdict in the domain table above.
Match | Detection | Threat Name |
---|---|---|
NADYMSS-ASRU | malicious | LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer |
 | malicious | Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT |
 | malicious | Mars Stealer, Stealc, Vidar |
 | malicious | Mars Stealer, Stealc, Vidar |
 | malicious | Glupteba, PureLog Stealer, zgRAT |
 | malicious | Mars Stealer, Stealc, Vidar |
 | malicious | Mars Stealer, Stealc, Vidar |
 | malicious | Mars Stealer, Stealc, Vidar |
 | malicious | Mars Stealer, Stealc, Vidar |
 | malicious | Mars Stealer, Stealc, Vidar |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_xQXHoWMKoa.exe_68a8f9de9bf6d6157d3cafcf5c5a1acbef520ae_fef8e22e_0bdc8d69-8e2d-4916-98f4-e240f78a9879\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.831836904485459 |
Encrypted: | false |
SSDEEP: | 96:oQg6sEhq7oA7JfdQXIDcQnc6rCcEhcw3r7+HbHg/8BRTf3ZFEOyKZj8OWEADKVh0:46wu056rQjpazuiFQZ24IO8LA |
MD5: | 524A293EBD3FACBB576B8B0BA02F17A7 |
SHA1: | 0D22E36BD5182FB70C0C0DAF6BAEF847578382DA |
SHA-256: | FA98D85C95565670B904E103C52BDB3F499BC86368BA47ABAACB28B07E639FED |
SHA-512: | B635E49B414357B2332936A4973550D7070668578982A8765C05E37A6B848553D26CCCFF8E11D3B7D10767F3DDF5794EB8B60CC1EEE16A88484A99257BCEF330 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_xQXHoWMKoa.exe_68a8f9de9bf6d6157d3cafcf5c5a1acbef520ae_fef8e22e_6e2e51db-5a06-4548-9b3d-af2c418b903c\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.8316513282031528 |
Encrypted: | false |
SSDEEP: | 96:6egLtg3sEhq7oA7JfdQXIDcQnc6rCcEhcw3r7+HbHg/8BRTf3ZFEOyKZj8OWEADf:kL63wu056rQjpazuiFQZ24IO8LA |
MD5: | 6286186ADA067A84B774CBA0E7BB72B4 |
SHA1: | 12F0ED1222D9F2972D8C0DB85B743132692C229F |
SHA-256: | 11598C8392606CA84A5EBB4797D79934AC6F310121B44230B29617148A955B26 |
SHA-512: | E86285C01F4D004BD06675CA5521BB8DDCC57CD337E4D8734D7C6C5FAF5520FB555C9703D2D207E23C8BD72CF2B7FB3A42A465BE37B1DEF98234F14D36B1BC67 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_xQXHoWMKoa.exe_68a8f9de9bf6d6157d3cafcf5c5a1acbef520ae_fef8e22e_74f6d4fe-d78d-47bf-aecf-6d5b1c3ba39f\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.9289089646006553 |
Encrypted: | false |
SSDEEP: | 96:A5cPg01sEhq7oA7JfdQXIDcQnc6rCcEhcw3r7+HbHg/8BRTf3ZFEOyKZj8OWEADv:V4Owu056rQjpU7zuiFQZ24IO8LA |
MD5: | A2F6E1C630E5B72DEB1D906DC3A3C12B |
SHA1: | 37C02923920BF51630064C618F1348A45A723BC6 |
SHA-256: | 14C73A77DD822764981A1E20C1712A69F274893F18099ABCF64258BF1398A7F3 |
SHA-512: | 2E7AD6500ED6E3CD3E742BEAC48C472C4FC663263F49CD0F07AE6EE27C52F0BD8C4395B7AB203E3267029E1D9B60B16FB2909ADEF96DBC61CE0B29655EA01730 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_xQXHoWMKoa.exe_68a8f9de9bf6d6157d3cafcf5c5a1acbef520ae_fef8e22e_7dcbb10b-df83-4e6f-9b63-5201c606b345\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.8320609326653187 |
Encrypted: | false |
SSDEEP: | 96:H6gasEhq7oA7JfdQXIDcQnc6rCcEhcw3r7+HbHg/8BRTf3ZFEOyKZj8OWEADKVh0:tawu056rQjpazuiFQZ24IO8LA |
MD5: | 6C61A9195D91FE1889E58B40F42029E0 |
SHA1: | C93080A04673CB8E4EDAA25D35B3B684892E8C1B |
SHA-256: | 1D2BD625FE53742AE4A5A46D6CD06A271C683C98176D1AC44EC04484E784D2BA |
SHA-512: | 7D2AC64D2BA81212855C3EB6EB998886CFA58F34F6DB503FDB58F55793CA7665FFA3402816EB88406A3934854F119825EB7A238B9BF0F31C0F90B7E7B61A916C |
Malicious: | false |
Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_xQXHoWMKoa.exe_68a8f9de9bf6d6157d3cafcf5c5a1acbef520ae_fef8e22e_90fd96f2-59eb-4ce6-9d1e-de15edba0462\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.8471873062805857 |
Encrypted: | false |
SSDEEP: | 96:iILegnsEhq7oA7JfdQXIDcQnc6rCcEhcw3r7+HbHg/8BRTf3ZFEOyKZj8OWEADK2:vLpnwu056rQjpQzuiFQZ24IO8LA |
MD5: | 0696ECBD932645279E648EF6FD145694 |
SHA1: | FCE9CBAC32EC32C84805A2380CF610C718DDE860 |
SHA-256: | 8C6D1BFE0DFD1DE7EADFFADE62BC0975F579270BFE8C309CCA6AF39DE2F28707 |
SHA-512: | 697422B5A7310A683317F1E63E91B6D990093D5FC4B405CDC50F3D43E3206D0BA0C71B1ADFB0F3DB2C19084B63A8D2DC7FC5F728EBE7C7A5149A9A8C7E194B4C |
Malicious: | false |
Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_xQXHoWMKoa.exe_68a8f9de9bf6d6157d3cafcf5c5a1acbef520ae_fef8e22e_e011f5d0-3b05-4084-9882-970e4d430110\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.831553319105843 |
Encrypted: | false |
SSDEEP: | 96:Xsg7sEhq7oA7JfdQXIDcQnc6rCcEhcw3r7+HbHg/8BRTf3ZFEOyKZj8OWEADKVh0:L7wu056rQjpazuiFQZ24IO8LA |
MD5: | 49445557025460C97EEA225215A4AF3C |
SHA1: | C927B4B3E1E3863283B20214FED7799DB9DC6EC2 |
SHA-256: | 99455AD1814BA21BC88DADDDE20AAD462D1819C44020CD115594F86DA3237986 |
SHA-512: | BD92F993EC064889BA4AE54D2F3D018D4ACA1D2892A81BC6BFC5308FCBDDB0A0F8A4FF833A823E447BE9949EA392EAEC244C58351F1CA8746A73AAE3D16E46A1 |
Malicious: | false |
Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_xQXHoWMKoa.exe_68a8f9de9bf6d6157d3cafcf5c5a1acbef520ae_fef8e22e_fec04291-1d36-471c-9fcc-58b35baad30b\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.8471977815694767 |
Encrypted: | false |
SSDEEP: | 96:c5FgOsEhq7oA7JfdQXIDcQnc6rCcEhcw3r7+HbHg/8BRTf3ZFEOyKZj8OWEADKVg:CiOwu056rQjpQzuiFQZ24IO8LA |
MD5: | 844ABF382B004C05D9717C366E44DF5B |
SHA1: | B9EE720C1C5F27118A794943DE394EC8DD563E72 |
SHA-256: | EBFF9D3F82ACEE92E6294A5BA5132EF7B532C120AE789EE239A52B2F8D81EC0D |
SHA-512: | 9F28A878B9E8C45815D27199F4246BB058ADFBD7C0C4BC6D67370D8FDFE7556312E48113E65A45D3F438B5700711E68C0DB6ECA8F5EA80102797390238CB4B0A |
Malicious: | false |
Preview: |
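The seven AppCrash Report.wer files above are the trace of WerFault.exe catching the sample as it crashed again and again; when triaging, the crash signature inside them tells you whether the sample died in its own code or in a system DLL. The following parser is an added example, not part of this report or of Joe Sandbox. It reads the Report.wer format (BOM-prefixed UTF-16 text, one Key=Value per line, with the crash signature spread over indexed Sig[N].Name / Sig[N].Value pairs; that layout is the common WER one and is assumed here). The sample report it builds is constructed: the application name and its 64e63208 link timestamp come from this page, while the exception code, offset and OS string are placeholder values chosen for illustration, and the NUL padding to 64 KiB is an assumption made so the file matches the size of the reports listed above.

```python
"""Parse WerFault.exe crash reports (Report.wer) and pull out the crash signature."""
import math
import re
from collections import Counter

_SIG_NAME = re.compile(r"^(Sig|DynamicSig)\[(\d+)\]\.Name$")


def parse_wer(raw: bytes) -> dict:
    """Report.wer is BOM-prefixed UTF-16 text, one Key=Value per CRLF line."""
    text = raw.decode("utf-16").rstrip("\x00")      # decode() honours the BOM; drop NUL padding
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def signature(fields: dict, prefix: str = "Sig") -> dict:
    """Fold the indexed <prefix>[N].Name / <prefix>[N].Value pairs into one name -> value map."""
    out = {}
    for key, name in fields.items():
        m = _SIG_NAME.match(key)
        if m and m.group(1) == prefix:
            out[name] = fields.get(f"{prefix}[{m.group(2)}].Value", "")
    return out


def summarize(raw: bytes) -> dict:
    """What crashed, in which module, with which exception, and whether WOW64 was involved."""
    fields = parse_wer(raw)
    sig = signature(fields)
    dyn = signature(fields, "DynamicSig")
    app = sig.get("Application Name", "")
    module = sig.get("Fault Module Name", "")
    return {
        "event": fields.get("EventType"),
        "app": app,
        "app_timestamp": sig.get("Application Timestamp"),   # hex PE TimeDateStamp
        "module": module,
        "exception_code": sig.get("Exception Code"),
        "exception_offset": sig.get("Exception Offset"),
        "crashed_in_own_code": bool(module) and module.lower() == app.lower(),
        "os": dyn.get("OS Version"),
        "wow64": fields.get("Wow64") == "1",
    }


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; a sparse UTF-16 text file scores far below a packed PE."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_sample_report() -> bytes:
    """Constructed Report.wer. App name and timestamp are from this page; the exception
    code/offset and OS string are placeholders; the 64 KiB NUL padding is an assumption."""
    lines = [
        "Version=1",
        "EventType=APPCRASH",
        "ReportType=2",
        "Wow64=1",
        "Sig[0].Name=Application Name",
        "Sig[0].Value=xQXHoWMKoa.exe",
        "Sig[1].Name=Application Version",
        "Sig[1].Value=0.0.0.0",
        "Sig[2].Name=Application Timestamp",
        "Sig[2].Value=64e63208",
        "Sig[3].Name=Fault Module Name",
        "Sig[3].Value=xQXHoWMKoa.exe",
        "Sig[6].Name=Exception Code",
        "Sig[6].Value=c0000005",          # placeholder, not taken from the report
        "Sig[7].Name=Exception Offset",
        "Sig[7].Value=0000a1b2",          # placeholder, not taken from the report
        "DynamicSig[1].Name=OS Version",
        "DynamicSig[1].Value=10.0.19045.2.0.0.256.48",
        "AppName=xQXHoWMKoa.exe",
        "AppPath=C:\\Users\\user\\Desktop\\xQXHoWMKoa.exe",
    ]
    body = "\ufeff" + "\r\n".join(lines) + "\r\n"
    return body.encode("utf-16-le").ljust(65536, b"\x00")


if __name__ == "__main__":
    report = build_sample_report()
    for key, value in summarize(report).items():
        print(f"{key:>20}: {value}")
    print(f"{'entropy':>20}: {shannon_entropy(report):.3f}")
```

`crashed_in_own_code` is the field worth looking at first: a fault module equal to the application name points at the sample's own code (a failed unpacking stage or anti-analysis check), whereas a system DLL as fault module usually means a bad argument passed to an API. The entropy helper shows why the 64 KiB reports above score under 1 bit per byte: they are mostly NUL bytes, the opposite end of the scale from the 6.6 bits per byte of the packed sample itself.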
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 63114 |
Entropy (8bit): | 2.229109378499161 |
Encrypted: | false |
SSDEEP: | 384:fpA0u+GgbzEo3HeACsDWO7/QMcytmu1edhB+YZZo:RAWnzEo8sx7/MBzo |
MD5: | A61A9DCDA92B60643EA1FE7AFDA6568C |
SHA1: | BEA1D5630B5DFA630C5D2125C3A3A90F8133B6D4 |
SHA-256: | 652DAFE957B51DAFE654D827436FA5469169343F2DCD16CF47471AF4D2E2DF0D |
SHA-512: | BC25CD0EDEE226466936553F9AC80C3D8BE5C82426FFB46A6BE2C01750F5E271B6C01C3E398E4E9F5AE33AE599211C091D248993F9487833CECC2D8B09038610 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8360 |
Entropy (8bit): | 3.7018621886632825 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJMoG6IgNn6YEIYSUjzBgmf5/2jCpBZ89b9usfY/m:R6lXJMB6IgNn6YEnSUjVgmf5O9tf9 |
MD5: | 16FCD458C5636448091CFBAE40567CB6 |
SHA1: | 8246546EEE7A2CA1BCCEF028179857AD213E5515 |
SHA-256: | 6D9D2CA59D92D22D0174B7462CAB9CC4D4DBF46B19D169AE67ED72E3E0D03581 |
SHA-512: | 2412B9A21E6A0ED8F6F1660F7D799A8E9FF1A792B797110A1EFA9543CA2E81D0F5F9844B6A4CA5E503001958515DAD8E168BC84F1CF153ECEF074D4C1663EA02 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4619 |
Entropy (8bit): | 4.500747745997885 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsZiJg77aI9PsWpW8VYTYm8M4JHCFh+q8FevkiPJq05d:uIjfZwI7VF7VvJymiM05d |
MD5: | 4B107F434381456CB123342E7B9FD2AC |
SHA1: | 5D96FCEA3D5937249DD37BD3D8383DD2F1E1AD18 |
SHA-256: | 2EB4C1874F0619A3FC98701D02266C00DD0A3367C70EBEFA867778663419E9D8 |
SHA-512: | EE05CFC5DAB0F170732306A6E6C61B538FEED378FCC8FB7262BF854504E31D59260D7BAFCE1FEFC2A031CE2B36361B16D1D612DBBFD42F2D14D73F762AFE2030 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 63006 |
Entropy (8bit): | 2.2523632813119483 |
Encrypted: | false |
SSDEEP: | 384:HE0u+Gvz93HeA66WEE7/QMcytmu1edhpMtZPd:kWoz9oUE7/MpMt |
MD5: | B8EB82071327FC710EBCECC30F77CAA4 |
SHA1: | DCED6687541ABB7B3737BCEA3D2CE0A7C6A11866 |
SHA-256: | F9EC4246F180068796F0D4A8AE7E9079CDE64EBA7C3B7183A729876760D426A4 |
SHA-512: | 34B53AD172BEE33928E27A37C81D34FBEE45FD2D219C0CC05573B4647A83BC3A4625F7223CBA6E9B322F027AA29A0DBD549C5C81D5433FFEEBE225B35EBCD78D |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8362 |
Entropy (8bit): | 3.703801222141124 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJMo06IgNOZ6YEIlSUy9egmf5/2jCpB189b0usfHM8m:R6lXJMb6IgNA6YEKSUy9egmf5q0tfu |
MD5: | 73540A7A783477A68C0363010B92AD7B |
SHA1: | 1AE9F2F644D64C811B90A4EC77ECAAD0EE98E484 |
SHA-256: | 5C307C40BAE8C5D2B2CB9620AAF702DF68F042077D2965AA9EBE06951F4351E2 |
SHA-512: | 23D1C7A960F79E24DD5974B902CB826D002BCA8226927B979A14755C092023D4C4C60605776F421D64F67F35B07545121FA7CEF10A022A33FB0791848933BBF6 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4619 |
Entropy (8bit): | 4.503110704492799 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsZiJg77aI9PsWpW8VY+Ym8M4JHCFAAY3+q8FevkiPJq05d:uIjfZwI7VF7VqJTtmiM05d |
MD5: | 52D4DA91F4F61B442C22EAF339313511 |
SHA1: | 48BC2C98C3DB1F17DFE51D402987EE4632BFFE23 |
SHA-256: | 2214D20342EC0FAFAC01299BD9E728C9E2AC35CBB22F502F686697D62BAE7D8E |
SHA-512: | B4CBA8EEB9006A6E495F412263E8931A1C7EB9F4D5C084CD9307A4090DFA191A7C3295998A10008771B98960D9C8D7E01B27FF859D6C8BA9B5CF635AC15754DD |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 72678 |
Entropy (8bit): | 2.0091410133713747 |
Encrypted: | false |
SSDEEP: | 384:s86PpuimjzJzImBPiFJeXoWcmu1ed5BtXBlsO7:s86hu5zJ/iFJeXNB2O |
MD5: | 5F6496BE0310A768E7ADDE48C7EC509A |
SHA1: | CC04A0E5AF60BF6BDD247F11E056B3769023C165 |
SHA-256: | 31AB2E45156639D0C6FF816E27FB1F76B110C48F917F41E77FF2571CFEA236F0 |
SHA-512: | A61E26505DE9368E6063065EFE653E08001842A4931DEDD7957167A470DFBEB0305DB8D96DB9D1AB0C9904CE87BE3B4C13E1F4082F5C37AFFF9E6F971BF7A06E |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8362 |
Entropy (8bit): | 3.7031714881939073 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJMoA6I9y6YEISSUjTvgmf5/2jCpBP89bLusfbZm:R6lXJM/6I9y6YEdSUjTvgmf5oLtfI |
MD5: | E902A72C8354DC6C23E07085DA0A31B6 |
SHA1: | E24F74A4E004FF24D3EA637B1DCA8E8AE8F4EFA0 |
SHA-256: | 079E48498521CD3462EBEC3087B85FA8E92936E6B3290DF17F629FAD0036AD33 |
SHA-512: | 14BF3A7CA5A656AAD2EE0B9894E9D702DE852CDCCD7D79E1EC30BFF58989C40343F010641D138B47B64A3D4B89DDB38C7948BF78D6C189F08298A4ECCBEC1B4D |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4619 |
Entropy (8bit): | 4.502622269202652 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsZiJg77aI9PsWpW8VYgYm8M4JHCFC+q8FevkiPJq05d:uIjfZwI7VF7VMJ9miM05d |
MD5: | A76BEFC086665DF11EC93AA239A50142 |
SHA1: | 3E90615E5D5A2A55811877EEB1B66A715306312F |
SHA-256: | 570D79EB317EBECA0E05286983AC3B48E0D8357074161DE17A92520590623724 |
SHA-512: | 22032190DCD0C02BE9AD1571EA927A563A1EA6877B73E273B9FF1BA379DF3F4A84B5032B6CA56006164669EC5594F2C39ACB6D66338878421EF55B7962ACCADD |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 72254 |
Entropy (8bit): | 2.021821672168551 |
Encrypted: | false |
SSDEEP: | 384:+PpuPh8zCdzIaBK6UjAxW+mu1ed5pMuAfGziE:+huPuz2zCbpMqj |
MD5: | 7BB22D5DDBCFD900F4E7D43C02F7BCD2 |
SHA1: | 519315CB1273CB38E864ABBB9047A9678FFFA746 |
SHA-256: | D34AA65AB0487381AA1CE8415649B739330F8A3BA22007DF517B886B3D29E135 |
SHA-512: | 079B919C9820431207EE791E38BAA80C00F87278FA17607CAA34CC99A2E10E6B103682D6003B62B794B6660DD34F9A53AD1B30909B0AC6B68145BF9C0EA975CC |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8362 |
Entropy (8bit): | 3.704665867064762 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJMoz6I9bB6YEIPSUjTvgmf5/2jCpBP89bCusfTWm:R6lXJMM6I9N6YEgSUjTvgmf5oCtfL |
MD5: | 2954FAB85B549B85253B6565ECA5B9F6 |
SHA1: | 715266CB4686608434C0CAB96CC8F771340D8295 |
SHA-256: | E55933C8ADBA7EDE5BCC51646C520AD22FCADD16337AC9F392FD13398D19F412 |
SHA-512: | E3FE5713389500D7D18AAF9AABBC1CC766464651D626856F1FCF4030E2BF9FE6094E42912CD768B2DFA23B557DC578BB5BD4C925D239DE3EA6805E7C615D4239 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4619 |
Entropy (8bit): | 4.501212303698218 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsZiJg77aI9PsWpW8VYR5Ym8M4JHCF6+q8FevkiPJq05d:uIjfZwI7VF7VyoJFmiM05d |
MD5: | A2F713F7064DBDC8C9161240DA825ECB |
SHA1: | 3E2B8E2EAEF129E0E2CFE39C018916C375ED3560 |
SHA-256: | 983EF7243D384BFC5C07AB09824243CF1644CDDC02BC1B5E61EA801C93B74D36 |
SHA-512: | 78E13D1E42638051CAA2BF395D8FFF59EA3237D44D3E189A86DB07F25AE947E9200E410375195854EFB3EB5A8CAC5EDABBA8EB8E4B369BA8B776512E5B2937C4 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 79298 |
Entropy (8bit): | 1.9906848721678903 |
Encrypted: | false |
SSDEEP: | 384:XKSGUH3zoxjXclzIzcKvAxWXd5UcXCA5XeLbcnZs:PrH3z6c+RUUXSMK |
MD5: | 0D9BFD0F423F95471B63867F78EE793E |
SHA1: | 4745AE2654989C7AAF753EABBA7922B910686E92 |
SHA-256: | 95BA2BF6E9CF938EC4326540D4ECCCC7C874471BE554224D15CFC92DE882B04D |
SHA-512: | 68B3E1A8D99C09DFCED5D37E36669866DD84E6564F423A2563B8BBE87E1C99926A670F96B17CED4A2A8012B6B341E8A8AB4F767E3348F84FBE8E2FC705BB5EDC |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8362 |
Entropy (8bit): | 3.704372588961267 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJMoC6IV1W6YEIcSUjUKgmf5/2jCpBO89bCusf0LvWm:R6lXJM96IVU6YETSUjUKgmf5vCtfQn |
MD5: | A85C64EFDDC148F75F2756E4DE87A769 |
SHA1: | 03BF0F5F038EA5B3AC94E7DA3EDBE3C713D05EC1 |
SHA-256: | B33AB4EFA82A46785E9FF6BB58D3D306483412FE81879EC9AF75624FBF9AF7B1 |
SHA-512: | F2C6AE26C7D3A9668ED1FF42BBE8D83FA29A2CB358813898C0B1F12BF07086F26EFFA3B1ECBC72C87E21E2AD1B98B2B7056F1BE27BB1AC6F0C954DA6A7D737AB |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4619 |
Entropy (8bit): | 4.502605790473535 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsZiJg77aI9PsWpW8VYmYm8M4JHCFhjm+q8FevkiPJq05d:uIjfZwI7VF7VuJDmiM05d |
MD5: | 2B4AA486B35ADB5169D87195CB33E57C |
SHA1: | 3F2B7E96C6E0311C18C2EB9BC1302D1FD8D56258 |
SHA-256: | 35BD2A10424770E791FA7F490248294655CAB1CD278E1EB4C5EC8A5DDFDA9E68 |
SHA-512: | 11B57F786A89D2E767ECD72F6D5280B79EE10EDD1A9A04E1F283FE75430C0C6FD0600F51C0DCB10901B7002186C817D65294A2991603B338F5E904999B5522B0 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 87908 |
Entropy (8bit): | 1.9859431793581646 |
Encrypted: | false |
SSDEEP: | 384:qwofETxzvLKNRY+zI/cKo34A78YWed5Uc/QC/Wm3Jk/hDyk:do8TxzDd+LoY8gUgW1JDy |
MD5: | 195028604EFD363426763E0687E2CE0C |
SHA1: | 6515929D51E34D24D80C2080C42A692A0DECD369 |
SHA-256: | 0220C37D653F95C47FD9C541572943692610C1A2816D0833B73FC16A3B20AF8D |
SHA-512: | 8CE68E7B649FB0B0B6344AAA5E9FAED0FDE0B7E0492241B753AA6EE888E77C4CE1E524D327718872D5FA689E4AD31F8B6CC5A902EFC1ED405CF48A4504CEC371 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8362 |
Entropy (8bit): | 3.7046363738620007 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJMo46I6+6YEIuSUjUKgmf5/2jCpBG89bZusf93zm:R6lXJMH6I6+6YExSUjUKgmf5HZtf8 |
MD5: | 4E9EFE41AAB8EE1004FAE521A85FEC25 |
SHA1: | E149550A4ADA4CD137907FCD9EA684437C640FBF |
SHA-256: | C9FE288DBCCB5919D35E70B384AAF364217EC754989F65713865CF8271D595AD |
SHA-512: | 01F6FB3E16B5200F833ABA06DDEC685438FA58DE458338F8965D058C95877D24D4498C39240AE6E70148EFAC8ECADEB062F035CCDA1E6E0169E84F98BEE950E2 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4619 |
Entropy (8bit): | 4.497317581305158 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsZiJg77aI9PsWpW8VYeYm8M4JHCFn+q8FevkiPJq05d:uIjfZwI7VF7VmJomiM05d |
MD5: | DCD1355512908AF715B305CCD29C705F |
SHA1: | 3036AD06C1B3BE64EF56F95750EE3C900B6E34C1 |
SHA-256: | 170E56BB0DFC7BF82890C6384A42D6DEFEC3B3AFD9EB0B1F2B358CE56A660622 |
SHA-512: | A39775A78D4BFA32DF2D0F51E356D5F0E7DB797956D53554CF29DC3901B3BEF0940A6CA267E5F72B4150358ADDED8B72C54C0797AE7B231AFD3E223E30A48107 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 102728 |
Entropy (8bit): | 2.16637673452389 |
Encrypted: | false |
SSDEEP: | 384:PiFz3khz+JL5zp1Wu0GiLlWz+KYc5BTusd5s7cicvn1PimPAS:6p3khz+HeG6e+KYc5BTuUs7mn1dP/ |
MD5: | F622C1B70277F7218725E2BE2F5DE74D |
SHA1: | 339A7D8A75DEA1519D70B9E4628AB6CD2434F10E |
SHA-256: | D972614966A1E4A080CDAE4AAE783EE0ABA6C0B6A68F5780C2817C5C1FCDFC1D |
SHA-512: | 46183A8CE0CB544B3FD66DEA0C9E1698EB212A81D01EE703B57D52EC67BCAE24EF77964255102A4B6EB2DC9B3063590A205E0E5224C095E9FE727EA5357B5586 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8362 |
Entropy (8bit): | 3.704860596510725 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJMoQ6i6YEIMSUyNVgmf5/2jCpB089beusfYsKm:R6lXJMP6i6YEjSUyNVgmf5petfYA |
MD5: | 8AECA3F7840329A4AF7C00CABD9C15AA |
SHA1: | 01CA291559D97F21B2E859D1B48095AB1F460354 |
SHA-256: | B0D6A3B389F7FAEDDDDE570F372893BE13B0F0D6E213DF503D2EE3DB6E47D5D7 |
SHA-512: | B28311366D08ADFE94C26ABDF64DC0E70937F52D5BDCD6A012AB0E3E868D3F26742223FE8782CAC50CF10CA35CB51CF1AC1B683C780921A7D91596272382730D |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4619 |
Entropy (8bit): | 4.503152776360678 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsZiJg77aI9PsWpW8VYNYm8M4JHCF0j+q8FevkiPJq05d:uIjfZwI7VF7VhJxmiM05d |
MD5: | 0F1C91995AE599D5A4DA1D8CAC9D41C9 |
SHA1: | 8A59F6D3603B8EFF9F4CB6B0B9FD8339681ED11D |
SHA-256: | F23AA9CA062AEF3DDBC491639B2D00364159B1AB80E50004E2F10F20216EF38A |
SHA-512: | 47CE994D02F7AF8F96C084166F987B2362CAE3C1AC09CBCF779D3E9F12C060900E601585C7B81CB026E359D56E2C46BA6DFDB767DC952D887C0D485F39F9EE79 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\xQXHoWMKoa.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:V:V |
MD5: | CFCD208495D565EF66E7DFF9F98764DA |
SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
Malicious: | false |
Preview: | 0 (the MD5, SHA1 and SHA-256 above are the well-known digests of the single ASCII byte "0") |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1835008 |
Entropy (8bit): | 4.421560973691599 |
Encrypted: | false |
SSDEEP: | 6144:HSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnN/0uhiTwQ:yvloTMW+EZMM6DFyF03wQ |
MD5: | 43490431F7DAE4DA341C58DEF8C1A1B3 |
SHA1: | D043F0732315D32E239DDF31CFC6799D89807131 |
SHA-256: | 05500FC7E033EA0B34C9FB4C21881B4FB1F44232CB56FC779B4F987B0EFCF917 |
SHA-512: | 5FA8A978475B74A9F5FFCF22EE12A9095F9C104D69EFBD4A517C14771779EF8D2DDAD8366F15F8B98CFA89A95F64E583AC11749947B364FE1CD7CBF615F7B779 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 6.6356736263357785 |
TrID: |
|
File name: | xQXHoWMKoa.exe |
File size: | 350'720 bytes |
MD5: | b6e4dc4fd0cc50fbb1236fe1108b886d |
SHA1: | ca17fc4111dbc08551aabe0e890c337448a19eda |
SHA256: | 114aa6cb595ed49423707788c3a06a79e250d23d0615108cbb3fb5bdd20af5c8 |
SHA512: | eaebb7b46714e2e15fd604383f5c7bb092c7f2669edf1c462544aeb3a11a38b8feacdfae7b78fe6cc0b96c6764909dad7e249c0d31320a26c5df1fa1c911dfbb |
SSDEEP: | 3072:FGSlqrvGown4AMsIqQk+ooNKeDe0T+ZvcXwR+YKZfwmuF5GZ4WDm/5O5XP0hd5A/:FanwpoNfe0Tb0aBwmuWaWa/5ORMAQOo |
TLSH: | 9474AE02B2E1E870E57347324EADD6F4663EFD718E696B6B33585E0F14B01A1D622723 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........e.....................................................l...............l.......Rich............PE..L....2.d................... |
Icon Hash: | 63796de171636e0f |
Entrypoint: | 0x4068fb |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | TERMINAL_SERVER_AWARE |
Time Stamp: | 0x64E63208 [Wed Aug 23 16:21:28 2023 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | 5ec6dee0bb8cb06d2e2fd45ee1c1fbf4 |
Instruction |
---|
call 00007F31E0BE5299h |
jmp 00007F31E0BDACF5h |
push 00000014h |
push 00424C50h |
call 00007F31E0BE21A4h |
call 00007F31E0BDD0E3h |
movzx esi, ax |
push 00000002h |
call 00007F31E0BE522Ch |
pop ecx |
mov eax, 00005A4Dh |
cmp word ptr [00400000h], ax |
je 00007F31E0BDACF6h |
xor ebx, ebx |
jmp 00007F31E0BDAD25h |
mov eax, dword ptr [0040003Ch] |
cmp dword ptr [eax+00400000h], 00004550h |
jne 00007F31E0BDACDDh |
mov ecx, 0000010Bh |
cmp word ptr [eax+00400018h], cx |
jne 00007F31E0BDACCFh |
xor ebx, ebx |
cmp dword ptr [eax+00400074h], 0Eh |
jbe 00007F31E0BDACFBh |
cmp dword ptr [eax+004000E8h], ebx |
setne bl |
mov dword ptr [ebp-1Ch], ebx |
call 00007F31E0BE1A7Ah |
test eax, eax |
jne 00007F31E0BDACFAh |
push 0000001Ch |
call 00007F31E0BDADD1h |
pop ecx |
call 00007F31E0BE126Eh |
test eax, eax |
jne 00007F31E0BDACFAh |
push 00000010h |
call 00007F31E0BDADC0h |
pop ecx |
call 00007F31E0BE52A5h |
and dword ptr [ebp-04h], 00000000h |
call 00007F31E0BE444Bh |
test eax, eax |
jns 00007F31E0BDACFAh |
push 0000001Bh |
call 00007F31E0BDADA6h |
pop ecx |
call dword ptr [0041B0D0h] |
mov dword ptr [01A10984h], eax |
call 00007F31E0BE52C0h |
mov dword ptr [0044882Ch], eax |
call 00007F31E0BE4C63h |
test eax, eax |
jns 00007F31E0BDACFAh |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25204 | 0x64 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1611000 | 0xeb98 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1b220 | 0x38 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x23cf0 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x23ca8 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1b000 | 0x1a0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x194ea | 0x19600 | afe1796fe6e1890621cf9721b30bd9e1 | False | 0.5758255080049262 | data | 6.677259404856937 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x1b000 | 0xab9c | 0xac00 | 2cee23bd9d6a184744abfc6e68e35e60 | False | 0.434070675872093 | data | 5.080401268951139 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x26000 | 0x15ea988 | 0x22800 | 00968b4e166063100821946111aa4334 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x1611000 | 0xeb98 | 0xec00 | ed7005df57540379239efc5b8893e801 | False | 0.3357885328389831 | data | 4.136501915128529 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_CURSOR | 0x161a8a8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.26439232409381663 |
RT_CURSOR | 0x161b750 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.3686823104693141 |
RT_CURSOR | 0x161bff8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.49060693641618497 |
RT_CURSOR | 0x161c590 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.4375 |
RT_CURSOR | 0x161c6c0 | 0xb0 | Device independent bitmap graphic, 16 x 32 x 1, image size 0 | | | 0.44886363636363635 |
RT_CURSOR | 0x161c798 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.27238805970149255 |
RT_CURSOR | 0x161d640 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.375 |
RT_CURSOR | 0x161dee8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.5057803468208093 |
RT_ICON | 0x1611640 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Romanian | Romania | 0.5362903225806451 |
RT_ICON | 0x1611d08 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Romanian | Romania | 0.4095435684647303 |
RT_ICON | 0x16142b0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Romanian | Romania | 0.4441489361702128 |
RT_ICON | 0x1614748 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Romanian | Romania | 0.4898720682302772 |
RT_ICON | 0x16155f0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Romanian | Romania | 0.4657039711191336 |
RT_ICON | 0x1615e98 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Romanian | Romania | 0.43713872832369943 |
RT_ICON | 0x1616400 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Romanian | Romania | 0.2774896265560166 |
RT_ICON | 0x16189a8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Romanian | Romania | 0.28588180112570355 |
RT_ICON | 0x1619a50 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Romanian | Romania | 0.3073770491803279 |
RT_ICON | 0x161a3d8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Romanian | Romania | 0.3421985815602837 |
RT_STRING | 0x161e660 | 0x3f4 | data | Romanian | Romania | 0.4644268774703557 |
RT_STRING | 0x161ea58 | 0x48a | data | Romanian | Romania | 0.45008605851979344 |
RT_STRING | 0x161eee8 | 0x13e | data | Romanian | Romania | 0.5283018867924528 |
RT_STRING | 0x161f028 | 0x35e | data | Romanian | Romania | 0.46867749419953597 |
RT_STRING | 0x161f388 | 0x55e | data | Romanian | Romania | 0.44250363901018924 |
RT_STRING | 0x161f8e8 | 0x2ac | data | Romanian | Romania | 0.4722222222222222 |
RT_GROUP_CURSOR | 0x161c560 | 0x30 | data | | | 0.9375 |
RT_GROUP_CURSOR | 0x161c770 | 0x22 | data | | | 1.0588235294117647 |
RT_GROUP_CURSOR | 0x161e450 | 0x30 | data | | | 0.9375 |
RT_GROUP_ICON | 0x1614718 | 0x30 | data | Romanian | Romania | 0.9375 |
RT_GROUP_ICON | 0x161a840 | 0x68 | data | Romanian | Romania | 0.7019230769230769 |
RT_VERSION | 0x161e480 | 0x1e0 | data | | | 0.5604166666666667 |
DLL | Import |
---|---|
KERNEL32.dll | GetNumaProcessorNode, GetLocaleInfoA, LoadLibraryExW, GetTickCount, CreateRemoteThread, GetWindowsDirectoryA, GetVolumeInformationA, LoadLibraryW, ReadConsoleInputA, ReadProcessMemory, WriteConsoleW, GetModuleFileNameW, GetCompressedFileSizeA, GetTempPathW, SetThreadLocale, GetLastError, FindVolumeMountPointClose, VirtualAlloc, FindFirstChangeNotificationW, CopyFileA, SetStdHandle, SetFileAttributesA, LoadLibraryA, WriteConsoleA, LocalAlloc, SetCalendarInfoW, CreateHardLinkW, GetExitCodeThread, GetNumberFormatW, AddAtomW, RemoveDirectoryW, GlobalFindAtomW, GetOEMCP, VirtualProtect, AddConsoleAliasA, CreateFileW, CreateTimerQueueTimer, GetSystemDefaultLangID, OutputDebugStringW, FlushFileBuffers, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW, EncodePointer, DecodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, HeapFree, IsProcessorFeaturePresent, GetCommandLineA, GetCPInfo, RaiseException, RtlUnwind, HeapAlloc, UnhandledExceptionFilter, SetUnhandledExceptionFilter, SetLastError, InitializeCriticalSectionAndSpinCount, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetModuleHandleW, GetProcAddress, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, IsValidCodePage, GetACP, GetCurrentThreadId, IsDebuggerPresent, GetProcessHeap, ExitProcess, GetModuleHandleExW, HeapSize, GetStdHandle, GetFileType, CloseHandle, GetModuleFileNameA, WriteFile, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, ReadFile, SetFilePointerEx, GetConsoleCP, GetConsoleMode |
USER32.dll | GetMenuItemID |
GDI32.dll | GetCharacterPlacementW |
WINHTTP.dll | WinHttpConnect |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Romanian | Romania |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
04/19/24-19:24:58.164548 | TCP | 2856233 | ETPRO TROJAN Win32/Unknown Loader Related Activity (GET) | 49705 | 80 | 192.168.2.5 | 185.172.128.90 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 19, 2024 19:24:57.961867094 CEST | 49705 | 80 | 192.168.2.5 | 185.172.128.90 |
Apr 19, 2024 19:24:58.164206028 CEST | 80 | 49705 | 185.172.128.90 | 192.168.2.5 |
Apr 19, 2024 19:24:58.164305925 CEST | 49705 | 80 | 192.168.2.5 | 185.172.128.90 |
Apr 19, 2024 19:24:58.164547920 CEST | 49705 | 80 | 192.168.2.5 | 185.172.128.90 |
Apr 19, 2024 19:24:58.366190910 CEST | 80 | 49705 | 185.172.128.90 | 192.168.2.5 |
Apr 19, 2024 19:24:59.690429926 CEST | 80 | 49705 | 185.172.128.90 | 192.168.2.5 |
Apr 19, 2024 19:24:59.690536022 CEST | 49705 | 80 | 192.168.2.5 | 185.172.128.90 |
Apr 19, 2024 19:25:00.888226986 CEST | 49705 | 80 | 192.168.2.5 | 185.172.128.90 |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Apr 19, 2024 19:25:11.992130041 CEST | 1.1.1.1 | 192.168.2.5 | 0x5813 | No error (0) | | | 199.232.214.172 | A (IP address) | IN (0x0001) | false |
Apr 19, 2024 19:25:11.992130041 CEST | 1.1.1.1 | 192.168.2.5 | 0x5813 | No error (0) | | | 199.232.210.172 | A (IP address) | IN (0x0001) | false |
Apr 19, 2024 19:26:12.754826069 CEST | 1.1.1.1 | 192.168.2.5 | 0x63f1 | No error (0) | | | 199.232.210.172 | A (IP address) | IN (0x0001) | false |
Apr 19, 2024 19:26:12.754826069 CEST | 1.1.1.1 | 192.168.2.5 | 0x63f1 | No error (0) | | | 199.232.214.172 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.5 | 49705 | 185.172.128.90 | 80 | 1088 | C:\Users\user\Desktop\xQXHoWMKoa.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Apr 19, 2024 19:24:58.164547920 CEST | 411 | OUT | |
Apr 19, 2024 19:24:59.690429926 CEST | 204 | IN |
Target ID: | 0 |
Start time: | 19:24:51 |
Start date: | 19/04/2024 |
Path: | C:\Users\user\Desktop\xQXHoWMKoa.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 350'720 bytes |
MD5 hash: | B6E4DC4FD0CC50FBB1236FE1108B886D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 4 |
Start time: | 19:24:52 |
Start date: | 19/04/2024 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xc90000 |
File size: | 483'680 bytes |
MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 6 |
Start time: | 19:24:53 |
Start date: | 19/04/2024 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xc90000 |
File size: | 483'680 bytes |
MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 8 |
Start time: | 19:24:54 |
Start date: | 19/04/2024 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xc90000 |
File size: | 483'680 bytes |
MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 10 |
Start time: | 19:24:54 |
Start date: | 19/04/2024 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x7ff6d64d0000 |
File size: | 483'680 bytes |
MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 12 |
Start time: | 19:24:55 |
Start date: | 19/04/2024 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xc90000 |
File size: | 483'680 bytes |
MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 14 |
Start time: | 19:24:56 |
Start date: | 19/04/2024 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xc90000 |
File size: | 483'680 bytes |
MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 16 |
Start time: | 19:24:58 |
Start date: | 19/04/2024 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xc90000 |
File size: | 483'680 bytes |
MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 17 |
Start time: | 19:24:59 |
Start date: | 19/04/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x790000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 18 |
Start time: | 19:24:59 |
Start date: | 19/04/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6d64d0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 19 |
Start time: | 19:24:59 |
Start date: | 19/04/2024 |
Path: | C:\Windows\SysWOW64\taskkill.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xa10000 |
File size: | 74'240 bytes |
MD5 hash: | CA313FD7E6C2A778FFD21CFB5C1C56CD |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Execution Graph
Execution Coverage: | 2.6% |
Dynamic/Decrypted Code Coverage: | 7.6% |
Signature Coverage: | 12.3% |
Total number of Nodes: | 408 |
Total number of Limit Nodes: | 6 |
Graph
Control-flow Graph
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0364092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON
Control-flow Graph
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01C7F1BE Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401D70 Relevance: 28.3, APIs: 9, Strings: 7, Instructions: 311networkCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0364003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515memoryCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00403180 Relevance: 6.1, APIs: 4, Instructions: 71COMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00403280 Relevance: 4.6, APIs: 3, Instructions: 51COMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03640E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004123EF Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03640920 Relevance: 1.5, APIs: 1, Instructions: 4COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01C7EE7D Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0041868D Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 251COMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00418FEE Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 183COMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00418E19 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03659080 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00408675 Relevance: 6.1, APIs: 4, Instructions: 73COMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 036488DC Relevance: 6.1, APIs: 4, Instructions: 73COMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00418AA0 Relevance: 4.7, APIs: 3, Instructions: 205COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03658D07 Relevance: 4.7, APIs: 3, Instructions: 205COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040CA21 Relevance: 3.0, APIs: 2, Instructions: 34timeCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00408873 Relevance: 1.6, APIs: 1, Instructions: 144COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0041583F Relevance: 1.6, APIs: 1, Instructions: 140COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03655AA6 Relevance: 1.6, APIs: 1, Instructions: 140COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00418CF3 Relevance: 1.6, APIs: 1, Instructions: 83COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03658F5A Relevance: 1.6, APIs: 1, Instructions: 83COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00418F1F Relevance: 1.5, APIs: 1, Instructions: 45COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03659186 Relevance: 1.5, APIs: 1, Instructions: 45COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00408809 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03648A70 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03649AC7 Relevance: 1.3, Strings: 1, Instructions: 76COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00421D0A Relevance: 1.3, Instructions: 1258COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00416A7C Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00413C49 Relevance: .6, Instructions: 637COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0041813E Relevance: .3, Instructions: 327COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 036583A5 Relevance: .3, Instructions: 327COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00409860 Relevance: .1, Instructions: 76COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01C7EA9B Relevance: .1, Instructions: 61COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03640D90 Relevance: .0, Instructions: 43COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00411192 Relevance: .0, Instructions: 22COMMONLIBRARYCODE
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 036513F9 Relevance: .0, Instructions: 22COMMONLIBRARYCODE
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040D070 Relevance: 22.9, APIs: 15, Instructions: 357COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0364D2D7 Relevance: 22.9, APIs: 15, Instructions: 357COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00407F24 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 51libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0041701E Relevance: 18.4, APIs: 12, Instructions: 373COMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040AF22 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304COMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0364B189 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304COMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00410C28 Relevance: 15.1, APIs: 10, Instructions: 69COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03650E8F Relevance: 15.1, APIs: 10, Instructions: 69COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0041743D Relevance: 13.7, APIs: 9, Instructions: 199COMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 036576A4 Relevance: 13.7, APIs: 9, Instructions: 199COMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03641FD7 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 311networkCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004166A7 Relevance: 12.2, APIs: 8, Instructions: 203COMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0365690E Relevance: 12.2, APIs: 8, Instructions: 203COMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00407A99 Relevance: 12.2, APIs: 8, Instructions: 175COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0041146B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77, Tags: COMMON, LIBRARYCODE
Uniqueness Score: -1.00%
Function 03647D00 Relevance: 9.2, APIs: 6, Instructions: 175, Tags: COMMON
Uniqueness Score: -1.00%
Function 00405D70 Relevance: 9.1, APIs: 6, Instructions: 99, Tags: COMMON
Uniqueness Score: -1.00%
Function 03645FD7 Relevance: 9.1, APIs: 6, Instructions: 99, Tags: COMMON
Uniqueness Score: -1.00%
Function 0040BD87 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62, Tags: COMMON, LIBRARYCODE
Uniqueness Score: -1.00%
Function 0040C6C3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30, Tags: libraryloader, COMMON, LIBRARYCODE
Uniqueness Score: -1.00%
Function 004121BC Relevance: 7.7, APIs: 5, Instructions: 199, Tags: COMMON
Uniqueness Score: -1.00%
Function 03642E87 Relevance: 7.7, APIs: 5, Instructions: 162, Tags: COMMON
Uniqueness Score: -1.00%
Function 00415581 Relevance: 6.1, APIs: 4, Instructions: 86, Tags: COMMON
Uniqueness Score: -1.00%
Function 036557E8 Relevance: 6.1, APIs: 4, Instructions: 86, Tags: COMMON
Uniqueness Score: -1.00%
Function 036433E7 Relevance: 6.1, APIs: 4, Instructions: 71, Tags: COMMON
Uniqueness Score: -1.00%
Function 00408094 Relevance: 6.0, APIs: 4, Instructions: 25, Tags: COMMON
Uniqueness Score: -1.00%
Function 0040E847 Relevance: 6.0, APIs: 4, Instructions: 19, Tags: COMMON
Uniqueness Score: -1.00%
Function 0364EAAE Relevance: 6.0, APIs: 4, Instructions: 19, Tags: COMMON
Uniqueness Score: -1.00%
Function 0040B2CC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112, Tags: COMMON, LIBRARYCODE
Uniqueness Score: -1.00%
Function 0364B533 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112, Tags: COMMON, LIBRARYCODE
Uniqueness Score: -1.00%