Edit tour
Windows
Analysis Report
qrLdMv1QXG.exe
Overview
General Information
| Sample name: | qrLdMv1QXG.exerenamed because original name is a hash value |
| Original sample name: | 7e4a8865ea7cf91c86ba9ba1711da71c.exe |
| Analysis ID: | 1429205 |
| MD5: | 7e4a8865ea7cf91c86ba9ba1711da71c |
| SHA1: | 2da3cb003e2eeffec21b503e8df6f85a252fac07 |
| SHA256: | 58514c9f457ef7389dea754163672f1b822fe211dfaf24cab313049cb3bd0f60 |
| Tags: | 32exe |
| Infos: |  |
 | |
Detection
LummaC
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
qrLdMv1QXG.exe (PID: 2504 cmdline: "C:\Users\ user\Deskt op\qrLdMv1 QXG.exe" MD5: 7E4A8865EA7CF91C86BA9BA1711DA71C) 
WerFault.exe (PID: 4280 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 2 504 -s 152 0 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 2228 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 2 504 -s 165 6 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
{"C2 url": ["demonstationfukewko.shop", "liabilitynighstjsko.shop", "alcojoldwograpciw.shop", "incredibleextedwj.shop", "shortsvelventysjo.shop", "shatterbreathepsw.shop", "tolerateilusidjukl.shop", "productivelookewr.shop", "strollheavengwu.shop"], "Build id": "P6Mk0M--key"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
| |
| Windows_Trojan_Smokeloader_3687686f | unknown | unknown |
| |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Joe Sandbox ML: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Code function: | 0_2_004162D6 | |
Compliance | |
|---|
| Source: | Unpacked PE file: | ||
| Source: | Static PE information: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_0043B3B0 | |
| Source: | Code function: | 0_2_00410565 | |
| Source: | Code function: | 0_2_004156B6 | |
| Source: | Code function: | 0_2_004156B6 | |
| Source: | Code function: | 0_2_00438879 | |
| Source: | Code function: | 0_2_00437998 | |
| Source: | Code function: | 0_2_00437998 | |
| Source: | Code function: | 0_2_00435B8B | |
| Source: | Code function: | 0_2_0041CC60 | |
| Source: | Code function: | 0_2_0041CC60 | |
| Source: | Code function: | 0_2_0043AE80 | |
| Source: | Code function: | 0_2_0041AFE0 | |
| Source: | Code function: | 0_2_0041AFE0 | |
| Source: | Code function: | 0_2_0043B060 | |
| Source: | Code function: | 0_2_00426097 | |
| Source: | Code function: | 0_2_00426097 | |
| Source: | Code function: | 0_2_0040D160 | |
| Source: | Code function: | 0_2_0041210C | |
| Source: | Code function: | 0_2_0041B1E0 | |
| Source: | Code function: | 0_2_0043A182 | |
| Source: | Code function: | 0_2_0043A190 | |
| Source: | Code function: | 0_2_004222E7 | |
| Source: | Code function: | 0_2_004222ED | |
| Source: | Code function: | 0_2_00439389 | |
| Source: | Code function: | 0_2_00422422 | |
| Source: | Code function: | 0_2_004134B2 | |
| Source: | Code function: | 0_2_0043A5D0 | |
| Source: | Code function: | 0_2_004245D4 | |
| Source: | Code function: | 0_2_00410565 | |
| Source: | Code function: | 0_2_00424678 | |
| Source: | Code function: | 0_2_004245A8 | |
| Source: | Code function: | 0_2_0043B6A0 | |
| Source: | Code function: | 0_2_0041B6B0 | |
| Source: | Code function: | 0_2_004088F0 | |
| Source: | Code function: | 0_2_0043B9D0 | |
| Source: | Code function: | 0_2_0043B9D0 | |
| Source: | Code function: | 0_2_00417A65 | |
| Source: | Code function: | 0_2_00417A1A | |
| Source: | Code function: | 0_2_0041DB22 | |
| Source: | Code function: | 0_2_00407C70 | |
| Source: | Code function: | 0_2_00407C70 | |
| Source: | Code function: | 0_2_00437D40 | |
| Source: | Code function: | 0_2_0043AD70 | |
| Source: | Code function: | 0_2_00410D77 | |
| Source: | Code function: | 0_2_00410D77 | |
| Source: | Code function: | 0_2_00402D10 | |
| Source: | Code function: | 0_2_00412E93 | |
| Source: | Code function: | 0_2_00438F6A | |
| Source: | Code function: | 0_2_00414FC0 | |
| Source: | Code function: | 0_2_00431F80 | |
| Source: | Code function: | 0_2_03672373 | |
| Source: | Code function: | 0_2_0369A3E9 | |
| Source: | Code function: | 0_2_0369A3F7 | |
| Source: | Code function: | 0_2_0366D3C7 | |
| Source: | Code function: | 0_2_0367B247 | |
| Source: | Code function: | 0_2_0367B247 | |
| Source: | Code function: | 0_2_03675227 | |
| Source: | Code function: | 0_2_036862FE | |
| Source: | Code function: | 0_2_036862FE | |
| Source: | Code function: | 0_2_0369B2C7 | |
| Source: | Code function: | 0_2_036921E7 | |
| Source: | Code function: | 0_2_036991D1 | |
| Source: | Code function: | 0_2_0369B0E7 | |
| Source: | Code function: | 0_2_036730FA | |
| Source: | Code function: | 0_2_03673719 | |
| Source: | Code function: | 0_2_036707CC | |
| Source: | Code function: | 0_2_0369B617 | |
| Source: | Code function: | 0_2_03682689 | |
| Source: | Code function: | 0_2_0368254E | |
| Source: | Code function: | 0_2_03682554 | |
| Source: | Code function: | 0_2_036995F0 | |
| Source: | Code function: | 0_2_0367B447 | |
| Source: | Code function: | 0_2_03668B57 | |
| Source: | Code function: | 0_2_03697BFF | |
| Source: | Code function: | 0_2_03697BFF | |
| Source: | Code function: | 0_2_0367DA12 | |
| Source: | Code function: | 0_2_03698AE0 | |
| Source: | Code function: | 0_2_0368480F | |
| Source: | Code function: | 0_2_0369B907 | |
| Source: | Code function: | 0_2_0367B917 | |
| Source: | Code function: | 0_2_0367591D | |
| Source: | Code function: | 0_2_0367591D | |
| Source: | Code function: | 0_2_0368483B | |
| Source: | Code function: | 0_2_0369A837 | |
| Source: | Code function: | 0_2_036848DF | |
| Source: | Code function: | 0_2_03662F77 | |
| Source: | Code function: | 0_2_03670FDE | |
| Source: | Code function: | 0_2_03670FDE | |
| Source: | Code function: | 0_2_0369AFD7 | |
| Source: | Code function: | 0_2_03697FA7 | |
| Source: | Code function: | 0_2_0367CEC7 | |
| Source: | Code function: | 0_2_0367CEC7 | |
| Source: | Code function: | 0_2_03667ED7 | |
| Source: | Code function: | 0_2_03667ED7 | |
| Source: | Code function: | 0_2_03695DF2 | |
| Source: | Code function: | 0_2_0369BC37 | |
| Source: | Code function: | 0_2_0369BC37 | |
| Source: | Code function: | 0_2_03677CCC | |
| Source: | Code function: | 0_2_03677C81 | |
Networking | |
|---|
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 0_2_0042D8F0 | |
| Source: | Code function: | 0_2_0042D8F0 | |
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Code function: | 0_2_00421370 | |
| Source: | Code function: | 0_2_004046D0 | |
| Source: | Code function: | 0_2_00420C42 | |
| Source: | Code function: | 0_2_00406030 | |
| Source: | Code function: | 0_2_00421090 | |
| Source: | Code function: | 0_2_00426097 | |
| Source: | Code function: | 0_2_00410140 | |
| Source: | Code function: | 0_2_00426148 | |
| Source: | Code function: | 0_2_004261C3 | |
| Source: | Code function: | 0_2_004261D5 | |
| Source: | Code function: | 0_2_004052F0 | |
| Source: | Code function: | 0_2_004032B0 | |
| Source: | Code function: | 0_2_004365C0 | |
| Source: | Code function: | 0_2_004065F0 | |
| Source: | Code function: | 0_2_0043B6A0 | |
| Source: | Code function: | 0_2_00433950 | |
| Source: | Code function: | 0_2_0043B9D0 | |
| Source: | Code function: | 0_2_0041DB22 | |
| Source: | Code function: | 0_2_00407C70 | |
| Source: | Code function: | 0_2_00402EC0 | |
| Source: | Code function: | 0_2_036703A7 | |
| Source: | Code function: | 0_2_036863AF | |
| Source: | Code function: | 0_2_03661267 | |
| Source: | Code function: | 0_2_036862FE | |
| Source: | Code function: | 0_2_03666297 | |
| Source: | Code function: | 0_2_03663127 | |
| Source: | Code function: | 0_2_03665557 | |
| Source: | Code function: | 0_2_03663517 | |
| Source: | Code function: | 0_2_036815D7 | |
| Source: | Code function: | 0_2_0368642A | |
| Source: | Code function: | 0_2_0368643C | |
| Source: | Code function: | 0_2_03693BB7 | |
| Source: | Code function: | 0_2_0369B907 | |
| Source: | Code function: | 0_2_03666857 | |
| Source: | Code function: | 0_2_03696827 | |
| Source: | Code function: | 0_2_03667ED7 | |
| Source: | Code function: | 0_2_0369BC37 | |
| Source: | Process created: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_01CDF6F6 | |
| Source: | Code function: | 0_2_004286B8 | |
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | ReversingLabs: | ||
| Source: | Virustotal: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
Data Obfuscation | |
|---|
| Source: | Unpacked PE file: | ||
| Source: | Unpacked PE file: | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | System information queried: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_00435C40 | |
| Source: | Code function: | 0_2_01CDEFD3 | |
| Source: | Code function: | 0_2_0366092B | |
| Source: | Code function: | 0_2_03660D90 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 11 Virtualization/Sandbox Evasion | 1 OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 31 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | 2 Clipboard Data | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Software Packing | LSA Secrets | 12 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 39% | ReversingLabs | Win32.Packed.Generic | ||
| 43% | Virustotal | Browse | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 1% | Virustotal | Browse |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 14% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 11% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 1% | Virustotal | Browse |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| strollheavengwu.shop | 104.21.15.198 | true | true |
| unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| false |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | unknown | |||
| false | high | |||
| false | high | |||
| false | unknown | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | unknown | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | unknown | |||
| false | unknown | |||
| false | high | |||
| false | high | |||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 104.21.15.198 | strollheavengwu.shop | United States | 13335 | CLOUDFLARENETUS | true |
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1429205 |
| Start date and time: | 2024-04-21 10:02:05 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 30s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 11 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | qrLdMv1QXG.exerenamed because original name is a hash value |
| Original Sample Name: | 7e4a8865ea7cf91c86ba9ba1711da71c.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@3/9@1/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.42.73.29
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
- HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- Report size getting too big, too many NtOpenFile calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 10:02:56 | API Interceptor | |
| 10:03:26 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 104.21.15.198 | Get hash | malicious | LummaC | Browse | ||
| Get hash | malicious | LummaC | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| strollheavengwu.shop | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Clipboard Hijacker, RisePro Stealer | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Clipboard Hijacker, RisePro Stealer | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | RisePro Stealer | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | RisePro Stealer | Browse |
| ||
| Get hash | malicious | Remcos, DBatLoader | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
|
⊘No context
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_qrLdMv1QXG.exe_6f2fc2e5454b6ca343fbd4712c4948319d291f0_4915b7ca_140b9d2d-4e76-46c7-ad79-3a5aba1822de\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.9941294451416329 |
| Encrypted: | false |
| SSDEEP: | 192:dxJc5HQiD0U7vNjtdF7zuiFLZ24IO8+Y:25HQiwU7vNjZzuiFLY4IO8+Y |
| MD5: | C96CABCE9C723642E6E9E48BEE22755A |
| SHA1: | AC0D1AC4755EB8E7758F21C3F58AFDBBAC1DE1BB |
| SHA-256: | 5030A7848FC88853ABFD76B725B9E069AB5296B8FFC33330775449453801F461 |
| SHA-512: | 33F2A12DCC153C250AEA8B9A98557BB32344F7A01D79265E6DA038CDD5BCEFB01F70F00B5B1D7DEFFDC2EC8FEE5446F7A8913453CE598B1C78B34B9DF6EEC9DD |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_qrLdMv1QXG.exe_dab42b4fbe31c195557b22d8807203fa4c45350_4915b7ca_5670d64c-ae8b-4d92-80a6-a5bc086660b9\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.994662582909593 |
| Encrypted: | false |
| SSDEEP: | 192:nm5QCQih0p5baLjtdF7zuiFmZ24IO8rY:m5QCQiip5baLjZzuiFmY4IO8rY |
| MD5: | A82779058BAE3041EF422BABA2F3ADE5 |
| SHA1: | E2E3A024441E7AB0C69571CC66689B5B14F07509 |
| SHA-256: | 62C2A5216EBCEFD9AE0789923E4D67C4EEC47230C04FC78AF3035E68509AF152 |
| SHA-512: | D00E17887C71D1E96786FC33EC4AD06A66D184B3C36CC609BFF57127C1D2DD3ADAAE6FE372EBB82435AFB3615BA2E805BF79DAD4BEEDDC4C681A6852893160D8 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 54970 |
| Entropy (8bit): | 2.6956245581885807 |
| Encrypted: | false |
| SSDEEP: | 384:z7lW+aUepjjBDYraCs7+Jrun8y5uMNxypn1P1:z7ozpjjBSaCFr85uMnyRp1 |
| MD5: | 47DF2E2AA9EA75CCFFE095FF07A9B84D |
| SHA1: | 57A7CCFEDC35BB291EEF2D6929D2DA2958663449 |
| SHA-256: | AF14635160D110E4E066479F855B00C8464DC95F29CD4F5150C13A764E8FE47A |
| SHA-512: | 911AC20C0A1A525E3D2DFF44438A6A230BBA0C58E8804D012C855FC3E3A90C25034BA9B9458970266ADBD499E29E32581D91C335A43D9D2160B869314002DD74 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8416 |
| Entropy (8bit): | 3.696170527052191 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJt/H6olD6YEIsSUe6BgmfJMpNj89bS51fIomm:R6lXJV6oZ6YEjSUesgmfJTSbfv |
| MD5: | CB8874A02A96A1D34826A8F83E77C273 |
| SHA1: | 6D4C668F0DFA8FE783C2D628C375A871E487A982 |
| SHA-256: | C619E8B4309C1B5F8236849E505F351C6045DB7F50FFAD98863B2E1B2E674549 |
| SHA-512: | 4CB54D5164E96E0F992C0C77B275382FD7A0C3C20C5E79FC29631A2972A2052C5F3AB66785448241F49402F8B67EEB59AC54A30514634FD9611D605DA49855D1 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4684 |
| Entropy (8bit): | 4.457218296573358 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsXJg77aI9cfWpW8VYo5Ym8M4JGNouF/m8+q8vWNoj8chkQhNd:uIjf5I7qO7VvoJG2Am8KW2guHhNd |
| MD5: | 08C3B71EC9FC8A8976B1BD6F6D6DEB9C |
| SHA1: | E0F5594A514A55E8224A35CF28DC45406F3EAFB1 |
| SHA-256: | BDE21AA215F88B8695084A8F5A14AA11F90996E27FFF83EC2C8439579B17AC78 |
| SHA-512: | FD271ED7B96A9B277E8340D36B7BE378C25170D08300C44C5989C24CB947B16A7B75ADEC3E211DF7280B97555062B8767E5272B18B612F0F2E9B5E979D916F97 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1086634 |
| Entropy (8bit): | 1.0838706407342276 |
| Encrypted: | false |
| SSDEEP: | 1536:+H0KqVroSx0MT8ih0TzcsHX7fKTx8SnC:+HQRoSOwh0zHG |
| MD5: | 10C18E61BFDEEE6EF7EB31D9A37ABBEB |
| SHA1: | 3396C240E74C42897C54FC7C20252DEA07E52BC8 |
| SHA-256: | 28EB33761B24359D109BAE73DDB86D099E9B748F9B16A0585096F759F7EA63DF |
| SHA-512: | FC86A80B2B44610EA82ADC52B4ECEB32708FB365F108FE8FA7B05B2FEB6B5B8661D48D06EBBD8E21AD39B4B66B5ECAA759ED593F0F4C19242FC616C6895C6C32 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8338 |
| Entropy (8bit): | 3.6998023511925227 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJt/A6oc6YEIZSUySgmfFcpDG89bJJsfujm:R6lXJy6oc6YE2SUySgmfF+Jifb |
| MD5: | 1A795D89804780A52B28BBDCCEB4DCB3 |
| SHA1: | 1FCD65E33D4D7102E44EE0CD5EAA9EBD5DF9C193 |
| SHA-256: | 40337D78E5580762A8A9371E7355E48C1C0EA5A6F96BF1F5047A65E6719CC10C |
| SHA-512: | C924DCEF0D0CC64455EF5B9BD8CB14B76781A3A0646D7F8CD1326CDC70EA94D92989179EEA3FEB53ECBD9ACA7F4008543FF96EA28282F0E900079BD1180A1CCD |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4583 |
| Entropy (8bit): | 4.468953331958849 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsXJg77aI9cfWpW8VYyvYm8M4JGNo2FpD+q82qSE8chkQhsd:uIjf5I7qO7V9yJG2qD/qKuHhsd |
| MD5: | AA5186C557A11C95508D75CB4CF97FA9 |
| SHA1: | BC80DF8D68A01FCECC06396A4A442ADC803C69DD |
| SHA-256: | 27FDAC1B12D25DA05854C4FBD229493FDE0872318CBB5DFF0C5B390276FC6E4F |
| SHA-512: | 55A1B4C8026736A8AE8397D2B901A8DFE3EBC4DDB37205F4C5784C40B8B36A727D1C26042FB612A8BA9D1E988EC28FFF46EE534A6ADA29C653272C8A3FCB1D46 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1835008 |
| Entropy (8bit): | 4.421551502683806 |
| Encrypted: | false |
| SSDEEP: | 6144:CSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNn0uhiTw:RvloTMW+EZMM6DFyV03w |
| MD5: | 055215D31386B5914229566556732DA3 |
| SHA1: | 9008545DAD37EAD3762CBCA23BCAA46FB8B89BCA |
| SHA-256: | ACFCA8CAD660DB6A1A8EE7BDCD10E4E9A3F65A6CCB628133DE6A81330D84F529 |
| SHA-512: | 6E77F9BA99FA767294384B7868275B007B77477751C37BDB698930EB1777D44050D7CD1F75B2050E50A33CF46D50B2EA8963DB94B7BB9547BB80FBB92C2C2362 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.8688705145529045 |
| TrID: |
|
| File name: | qrLdMv1QXG.exe |
| File size: | 390'656 bytes |
| MD5: | 7e4a8865ea7cf91c86ba9ba1711da71c |
| SHA1: | 2da3cb003e2eeffec21b503e8df6f85a252fac07 |
| SHA256: | 58514c9f457ef7389dea754163672f1b822fe211dfaf24cab313049cb3bd0f60 |
| SHA512: | 033a0a0fb5b6396ce1f8f56bc00498b002431a0185e8de44e28e84fb55b9b05fc17a24e6302b2d7383680a0d36dedbf897a43d558a2ad922dd0caf07baa52e4e |
| SSDEEP: | 6144:PE8SuCG4gflIutJuSK86SaXnTmz0OFiP:PE8SfGrOkJujf1nTmz0y8 |
| TLSH: | DA848C13B2E07D94E6624B32DE2E86E4361DF9518E197B67321DAF1F17B40B2C263B11 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................................./.......]..............w+..............w......Rich............PE..L......d................... |
 | |
| Icon Hash: | 63396de971636e0f |
| Entrypoint: | 0x403c12 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x64C08FBB [Wed Jul 26 03:15:07 2023 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 1 |
| File Version Major: | 5 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 1 |
| Import Hash: | 4ea58a625e5f62fd2e96d191f2f95692 |
| Instruction |
|---|
| call 00007F4654B2CB95h |
| jmp 00007F4654B25E65h |
| push 00000014h |
| push 00415DC8h |
| call 00007F4654B2988Dh |
| call 00007F4654B2BC0Eh |
| movzx esi, ax |
| push 00000002h |
| call 00007F4654B2CB28h |
| pop ecx |
| mov eax, 00005A4Dh |
| cmp word ptr [00400000h], ax |
| je 00007F4654B25E66h |
| xor ebx, ebx |
| jmp 00007F4654B25E95h |
| mov eax, dword ptr [0040003Ch] |
| cmp dword ptr [eax+00400000h], 00004550h |
| jne 00007F4654B25E4Dh |
| mov ecx, 0000010Bh |
| cmp word ptr [eax+00400018h], cx |
| jne 00007F4654B25E3Fh |
| xor ebx, ebx |
| cmp dword ptr [eax+00400074h], 0Eh |
| jbe 00007F4654B25E6Bh |
| cmp dword ptr [eax+004000E8h], ebx |
| setne bl |
| mov dword ptr [ebp-1Ch], ebx |
| call 00007F4654B29704h |
| test eax, eax |
| jne 00007F4654B25E6Ah |
| push 0000001Ch |
| call 00007F4654B25F41h |
| pop ecx |
| call 00007F4654B29440h |
| test eax, eax |
| jne 00007F4654B25E6Ah |
| push 00000010h |
| call 00007F4654B25F30h |
| pop ecx |
| call 00007F4654B2B957h |
| and dword ptr [ebp-04h], 00000000h |
| call 00007F4654B2B253h |
| test eax, eax |
| jns 00007F4654B25E6Ah |
| push 0000001Bh |
| call 00007F4654B25F16h |
| pop ecx |
| call dword ptr [004100D0h] |
| mov dword ptr [01A12C68h], eax |
| call 00007F4654B2CB7Ch |
| mov dword ptr [0044AC20h], eax |
| call 00007F4654B2C779h |
| test eax, eax |
| jns 00007F4654B25E6Ah |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x161fc | 0x64 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1613000 | 0x15e90 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x10200 | 0x38 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x15768 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x10000 | 0x198 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xe853 | 0xea00 | 819c9235eb94d31ac785f9154cd754b6 | False | 0.6033987713675214 | data | 6.682826629609375 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x10000 | 0x6b64 | 0x6c00 | 65ead7a81c3f88486603863d810f8f32 | False | 0.3952907986111111 | data | 4.777093689068747 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x17000 | 0x15fbc80 | 0x33c00 | f7565e722b4eb93a4150efd01bacdf3e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x1613000 | 0x15e90 | 0x16000 | 7b18e37c9d7a3dcb316a41bb3a1f6e0f | False | 0.3306329900568182 | data | 4.13646782714859 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_CURSOR | 0x16239e8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | 0.26439232409381663 | ||
| RT_CURSOR | 0x1624890 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | 0.3686823104693141 | ||
| RT_CURSOR | 0x1625138 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | 0.49060693641618497 | ||
| RT_CURSOR | 0x16256d0 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | 0.4375 | ||
| RT_CURSOR | 0x1625800 | 0xb0 | Device independent bitmap graphic, 16 x 32 x 1, image size 0 | 0.44886363636363635 | ||
| RT_CURSOR | 0x16258d8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | 0.27238805970149255 | ||
| RT_CURSOR | 0x1626780 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | 0.375 | ||
| RT_CURSOR | 0x1627028 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | 0.5057803468208093 | ||
| RT_ICON | 0x1613870 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Romanian | Romania | 0.5328341013824884 |
| RT_ICON | 0x1613f38 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Romanian | Romania | 0.41120331950207467 |
| RT_ICON | 0x16164e0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Romanian | Romania | 0.44858156028368795 |
| RT_ICON | 0x1616978 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Romanian | Romania | 0.5170575692963753 |
| RT_ICON | 0x1617820 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Romanian | Romania | 0.5045126353790613 |
| RT_ICON | 0x16180c8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Romanian | Romania | 0.45910138248847926 |
| RT_ICON | 0x1618790 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Romanian | Romania | 0.47832369942196534 |
| RT_ICON | 0x1618cf8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Romanian | Romania | 0.2794605809128631 |
| RT_ICON | 0x161b2a0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Romanian | Romania | 0.30816135084427765 |
| RT_ICON | 0x161c348 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Romanian | Romania | 0.3389344262295082 |
| RT_ICON | 0x161ccd0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Romanian | Romania | 0.36879432624113473 |
| RT_ICON | 0x161d1b0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Romanian | Romania | 0.27878464818763327 |
| RT_ICON | 0x161e058 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Romanian | Romania | 0.36913357400722024 |
| RT_ICON | 0x161e900 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Romanian | Romania | 0.3951612903225806 |
| RT_ICON | 0x161efc8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Romanian | Romania | 0.3901734104046243 |
| RT_ICON | 0x161f530 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Romanian | Romania | 0.2744813278008299 |
| RT_ICON | 0x1621ad8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Romanian | Romania | 0.3027673545966229 |
| RT_ICON | 0x1622b80 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Romanian | Romania | 0.3221311475409836 |
| RT_ICON | 0x1623508 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Romanian | Romania | 0.35106382978723405 |
| RT_DIALOG | 0x16277b0 | 0x52 | data | 0.8780487804878049 | ||
| RT_STRING | 0x1627808 | 0x432 | data | Romanian | Romania | 0.45251396648044695 |
| RT_STRING | 0x1627c40 | 0x4d4 | data | Romanian | Romania | 0.44660194174757284 |
| RT_STRING | 0x1628118 | 0x13a | data | Romanian | Romania | 0.5286624203821656 |
| RT_STRING | 0x1628258 | 0x30a | data | Romanian | Romania | 0.47429305912596403 |
| RT_STRING | 0x1628568 | 0x638 | data | Romanian | Romania | 0.43027638190954776 |
| RT_STRING | 0x1628ba0 | 0x2ec | data | Romanian | Romania | 0.47058823529411764 |
| RT_GROUP_CURSOR | 0x16256a0 | 0x30 | data | 0.9375 | ||
| RT_GROUP_CURSOR | 0x16258b0 | 0x22 | data | 1.0588235294117647 | ||
| RT_GROUP_CURSOR | 0x1627590 | 0x30 | data | 0.9375 | ||
| RT_GROUP_ICON | 0x1616948 | 0x30 | data | Romanian | Romania | 0.9375 |
| RT_GROUP_ICON | 0x161d138 | 0x76 | data | Romanian | Romania | 0.6694915254237288 |
| RT_GROUP_ICON | 0x1623970 | 0x76 | data | Romanian | Romania | 0.6779661016949152 |
| RT_VERSION | 0x16275c0 | 0x1ec | data | 0.5386178861788617 |
| DLL | Import |
|---|---|
| KERNEL32.dll | LocalCompact, GetUserDefaultLCID, AddConsoleAliasW, CreateHardLinkA, GetTickCount, EnumTimeFormatsW, FindResourceExA, GetVolumeInformationA, LoadLibraryW, CopyFileW, WriteConsoleW, GetCompressedFileSizeA, GetTempPathW, SetThreadLocale, GetLastError, SetLastError, GetProcAddress, GetLocaleInfoA, SetStdHandle, SetFileAttributesA, WriteConsoleA, InterlockedExchangeAdd, LocalAlloc, SetCalendarInfoW, GetExitCodeThread, RemoveDirectoryW, AddAtomA, GlobalFindAtomW, GetModuleFileNameA, GetOEMCP, GlobalUnWire, LoadLibraryExA, ReadConsoleInputW, GetWindowsDirectoryW, AddConsoleAliasA, GetComputerNameA, FindFirstChangeNotificationW, CreateTimerQueueTimer, GetSystemDefaultLangID, OutputDebugStringW, FlushFileBuffers, HeapFree, EncodePointer, DecodePointer, ExitProcess, GetModuleHandleExW, MultiByteToWideChar, WideCharToMultiByte, GetCommandLineA, RaiseException, RtlUnwind, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetCPInfo, GetCurrentThreadId, IsDebuggerPresent, GetProcessHeap, HeapSize, EnterCriticalSection, LeaveCriticalSection, ReadFile, GetConsoleMode, ReadConsoleW, GetStdHandle, GetFileType, DeleteCriticalSection, GetStartupInfoW, CloseHandle, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, WriteFile, GetModuleFileNameW, LoadLibraryExW, HeapAlloc, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStringTypeW, HeapReAlloc, SetFilePointerEx, LCMapStringW, GetConsoleCP, CreateFileW |
| GDI32.dll | GetCharacterPlacementW |
| ADVAPI32.dll | DeregisterEventSource |
| WINHTTP.dll | WinHttpConnect |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| Romanian | Romania |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Apr 21, 2024 10:02:56.290056944 CEST | 49705 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:56.290139914 CEST | 443 | 49705 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:56.290272951 CEST | 49705 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:56.291353941 CEST | 49705 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:56.291385889 CEST | 443 | 49705 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:56.522763014 CEST | 443 | 49705 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:56.522910118 CEST | 49705 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:56.525213957 CEST | 49705 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:56.525243998 CEST | 443 | 49705 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:56.525681019 CEST | 443 | 49705 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:56.575229883 CEST | 49705 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:56.575269938 CEST | 49705 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:56.575433969 CEST | 443 | 49705 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:57.086143017 CEST | 443 | 49705 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:57.086453915 CEST | 443 | 49705 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:57.086546898 CEST | 49705 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:57.088989973 CEST | 49705 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:57.089030981 CEST | 443 | 49705 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:57.089061975 CEST | 49705 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:57.089078903 CEST | 443 | 49705 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:57.094355106 CEST | 49706 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:57.094392061 CEST | 443 | 49706 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:57.094456911 CEST | 49706 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:57.094741106 CEST | 49706 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:57.094759941 CEST | 443 | 49706 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:57.317291021 CEST | 443 | 49706 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:57.317518950 CEST | 49706 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:57.318442106 CEST | 49706 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:57.318454981 CEST | 443 | 49706 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:57.318782091 CEST | 443 | 49706 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:57.319935083 CEST | 49706 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:57.319969893 CEST | 49706 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:57.320034981 CEST | 443 | 49706 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:57.862000942 CEST | 443 | 49706 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:57.862129927 CEST | 443 | 49706 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:57.862195969 CEST | 49706 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:57.862219095 CEST | 443 | 49706 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:57.862293005 CEST | 443 | 49706 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:57.862354040 CEST | 49706 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:57.862363100 CEST | 443 | 49706 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:57.862433910 CEST | 443 | 49706 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:57.862479925 CEST | 49706 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:57.862488031 CEST | 443 | 49706 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:57.862559080 CEST | 443 | 49706 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:57.862608910 CEST | 49706 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:57.862617016 CEST | 443 | 49706 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:57.862704039 CEST | 443 | 49706 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:57.862760067 CEST | 49706 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:57.862767935 CEST | 443 | 49706 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:57.862843037 CEST | 443 | 49706 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:57.862888098 CEST | 49706 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:57.862895966 CEST | 443 | 49706 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:57.863055944 CEST | 443 | 49706 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:57.863112926 CEST | 49706 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:57.863296986 CEST | 49706 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:57.863307953 CEST | 443 | 49706 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:57.863322973 CEST | 49706 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:57.863329887 CEST | 443 | 49706 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:57.980386019 CEST | 49707 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:57.980456114 CEST | 443 | 49707 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:57.980539083 CEST | 49707 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:57.980793953 CEST | 49707 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:57.980829000 CEST | 443 | 49707 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:58.203613997 CEST | 443 | 49707 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:58.203738928 CEST | 49707 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:58.205166101 CEST | 49707 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:58.205188990 CEST | 443 | 49707 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:58.205529928 CEST | 443 | 49707 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:58.206779003 CEST | 49707 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:58.206959009 CEST | 49707 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:58.207009077 CEST | 443 | 49707 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:58.708930969 CEST | 443 | 49707 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:58.709096909 CEST | 443 | 49707 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:58.709182978 CEST | 49707 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:58.709398985 CEST | 49707 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:58.709439039 CEST | 443 | 49707 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:58.836241961 CEST | 49708 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:58.836278915 CEST | 443 | 49708 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:58.836365938 CEST | 49708 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:58.836625099 CEST | 49708 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:58.836641073 CEST | 443 | 49708 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:59.053631067 CEST | 443 | 49708 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:59.053714991 CEST | 49708 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:59.054693937 CEST | 49708 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:59.054706097 CEST | 443 | 49708 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:59.055027008 CEST | 443 | 49708 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:59.056497097 CEST | 49708 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:59.056641102 CEST | 49708 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:59.056674004 CEST | 443 | 49708 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:59.056778908 CEST | 49708 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:59.056787968 CEST | 443 | 49708 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:59.581727028 CEST | 443 | 49708 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:59.581937075 CEST | 49708 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:59.741935968 CEST | 49709 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:59.742031097 CEST | 443 | 49709 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:59.742108107 CEST | 49709 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:59.742472887 CEST | 49709 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:59.742486954 CEST | 443 | 49709 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:59.967087984 CEST | 443 | 49709 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:59.967267036 CEST | 49709 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:59.968826056 CEST | 49709 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:59.968836069 CEST | 443 | 49709 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:59.969588041 CEST | 443 | 49709 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:59.971359968 CEST | 49709 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:59.971512079 CEST | 49709 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:59.971539974 CEST | 443 | 49709 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:02:59.971668959 CEST | 49709 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:02:59.971676111 CEST | 443 | 49709 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:03:00.395379066 CEST | 443 | 49709 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:03:00.395623922 CEST | 49709 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:00.585650921 CEST | 49710 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:00.585736990 CEST | 443 | 49710 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:03:00.585824966 CEST | 49710 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:00.586309910 CEST | 49710 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:00.586344957 CEST | 443 | 49710 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:03:00.811341047 CEST | 443 | 49710 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:03:00.811414957 CEST | 49710 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:00.812531948 CEST | 49710 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:00.812551975 CEST | 443 | 49710 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:03:00.812884092 CEST | 443 | 49710 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:03:00.814579010 CEST | 49710 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:00.814666033 CEST | 49710 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:00.814702988 CEST | 443 | 49710 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:03:01.208095074 CEST | 443 | 49710 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:03:01.208393097 CEST | 49710 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:01.289649963 CEST | 49711 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:01.289740086 CEST | 443 | 49711 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:03:01.289844990 CEST | 49711 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:01.290122032 CEST | 49711 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:01.290155888 CEST | 443 | 49711 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:03:01.513775110 CEST | 443 | 49711 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:03:01.513911009 CEST | 49711 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:01.514998913 CEST | 49711 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:01.515024900 CEST | 443 | 49711 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:03:01.515366077 CEST | 443 | 49711 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:03:01.516886950 CEST | 49711 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:01.516963005 CEST | 49711 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:01.516973972 CEST | 443 | 49711 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:03:02.021087885 CEST | 443 | 49711 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:03:02.021301985 CEST | 49711 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:02.552752018 CEST | 49712 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:02.552828074 CEST | 443 | 49712 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:03:02.552911997 CEST | 49712 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:02.553237915 CEST | 49712 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:02.553268909 CEST | 443 | 49712 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:03:02.777803898 CEST | 443 | 49712 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:03:02.777992010 CEST | 49712 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:02.779437065 CEST | 49712 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:02.779457092 CEST | 443 | 49712 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:03:02.780283928 CEST | 443 | 49712 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:03:02.781888008 CEST | 49712 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:02.782571077 CEST | 49712 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:02.782613993 CEST | 443 | 49712 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:03:02.782716990 CEST | 49712 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:02.782758951 CEST | 443 | 49712 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:03:02.782905102 CEST | 49712 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:02.782957077 CEST | 443 | 49712 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:03:02.783118010 CEST | 49712 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:02.783152103 CEST | 443 | 49712 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:03:02.783349037 CEST | 49712 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:02.783386946 CEST | 443 | 49712 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:03:02.783581018 CEST | 49712 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:02.783615112 CEST | 443 | 49712 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:03:02.783632994 CEST | 49712 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:02.783658981 CEST | 443 | 49712 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:03:02.783802986 CEST | 49712 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:02.783840895 CEST | 443 | 49712 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:03:02.783883095 CEST | 49712 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:02.783901930 CEST | 443 | 49712 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:03:02.783977032 CEST | 49712 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:02.784041882 CEST | 49712 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:02.784092903 CEST | 49712 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:02.828161955 CEST | 443 | 49712 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:03:02.828553915 CEST | 49712 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:02.828649044 CEST | 49712 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:02.828682899 CEST | 49712 | 443 | 192.168.2.5 | 104.21.15.198 |
| Apr 21, 2024 10:03:02.872129917 CEST | 443 | 49712 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:03:04.412096024 CEST | 443 | 49712 | 104.21.15.198 | 192.168.2.5 |
| Apr 21, 2024 10:03:04.412359953 CEST | 49712 | 443 | 192.168.2.5 | 104.21.15.198 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Apr 21, 2024 10:02:56.162630081 CEST | 51527 | 53 | 192.168.2.5 | 1.1.1.1 |
| Apr 21, 2024 10:02:56.285168886 CEST | 53 | 51527 | 1.1.1.1 | 192.168.2.5 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Apr 21, 2024 10:02:56.162630081 CEST | 192.168.2.5 | 1.1.1.1 | 0x2e4c | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Apr 21, 2024 10:02:56.285168886 CEST | 1.1.1.1 | 192.168.2.5 | 0x2e4c | No error (0) | 104.21.15.198 | A (IP address) | IN (0x0001) | false | ||
| Apr 21, 2024 10:02:56.285168886 CEST | 1.1.1.1 | 192.168.2.5 | 0x2e4c | No error (0) | 172.67.163.209 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49705 | 104.21.15.198 | 443 | 2504 | C:\Users\user\Desktop\qrLdMv1QXG.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-21 08:02:56 UTC | 267 | OUT | |
| 2024-04-21 08:02:56 UTC | 8 | OUT | |
| 2024-04-21 08:02:57 UTC | 816 | IN | |
| 2024-04-21 08:02:57 UTC | 7 | IN | |
| 2024-04-21 08:02:57 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.5 | 49706 | 104.21.15.198 | 443 | 2504 | C:\Users\user\Desktop\qrLdMv1QXG.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-21 08:02:57 UTC | 268 | OUT | |
| 2024-04-21 08:02:57 UTC | 52 | OUT | |
| 2024-04-21 08:02:57 UTC | 814 | IN | |
| 2024-04-21 08:02:57 UTC | 555 | IN | |
| 2024-04-21 08:02:57 UTC | 1369 | IN | |
| 2024-04-21 08:02:57 UTC | 1369 | IN | |
| 2024-04-21 08:02:57 UTC | 1369 | IN | |
| 2024-04-21 08:02:57 UTC | 1369 | IN | |
| 2024-04-21 08:02:57 UTC | 1369 | IN | |
| 2024-04-21 08:02:57 UTC | 1369 | IN | |
| 2024-04-21 08:02:57 UTC | 1369 | IN | |
| 2024-04-21 08:02:57 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.5 | 49707 | 104.21.15.198 | 443 | 2504 | C:\Users\user\Desktop\qrLdMv1QXG.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-21 08:02:58 UTC | 286 | OUT | |
| 2024-04-21 08:02:58 UTC | 12833 | OUT | |
| 2024-04-21 08:02:58 UTC | 822 | IN | |
| 2024-04-21 08:02:58 UTC | 20 | IN | |
| 2024-04-21 08:02:58 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.5 | 49708 | 104.21.15.198 | 443 | 2504 | C:\Users\user\Desktop\qrLdMv1QXG.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-21 08:02:59 UTC | 286 | OUT | |
| 2024-04-21 08:02:59 UTC | 15075 | OUT | |
| 2024-04-21 08:02:59 UTC | 812 | IN | |
| 2024-04-21 08:02:59 UTC | 20 | IN | |
| 2024-04-21 08:02:59 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.5 | 49709 | 104.21.15.198 | 443 | 2504 | C:\Users\user\Desktop\qrLdMv1QXG.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-21 08:02:59 UTC | 286 | OUT | |
| 2024-04-21 08:02:59 UTC | 15331 | OUT | |
| 2024-04-21 08:02:59 UTC | 5234 | OUT | |
| 2024-04-21 08:03:00 UTC | 810 | IN | |
| 2024-04-21 08:03:00 UTC | 20 | IN | |
| 2024-04-21 08:03:00 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.5 | 49710 | 104.21.15.198 | 443 | 2504 | C:\Users\user\Desktop\qrLdMv1QXG.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-21 08:03:00 UTC | 285 | OUT | |
| 2024-04-21 08:03:00 UTC | 5440 | OUT | |
| 2024-04-21 08:03:01 UTC | 814 | IN | |
| 2024-04-21 08:03:01 UTC | 20 | IN | |
| 2024-04-21 08:03:01 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.5 | 49711 | 104.21.15.198 | 443 | 2504 | C:\Users\user\Desktop\qrLdMv1QXG.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-21 08:03:01 UTC | 285 | OUT | |
| 2024-04-21 08:03:01 UTC | 1389 | OUT | |
| 2024-04-21 08:03:02 UTC | 812 | IN | |
| 2024-04-21 08:03:02 UTC | 20 | IN | |
| 2024-04-21 08:03:02 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.5 | 49712 | 104.21.15.198 | 443 | 2504 | C:\Users\user\Desktop\qrLdMv1QXG.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-21 08:03:02 UTC | 287 | OUT | |
| 2024-04-21 08:03:02 UTC | 15331 | OUT | |
| 2024-04-21 08:03:02 UTC | 15331 | OUT | |
| 2024-04-21 08:03:02 UTC | 15331 | OUT | |
| 2024-04-21 08:03:02 UTC | 15331 | OUT | |
| 2024-04-21 08:03:02 UTC | 15331 | OUT | |
| 2024-04-21 08:03:02 UTC | 15331 | OUT | |
| 2024-04-21 08:03:02 UTC | 15331 | OUT | |
| 2024-04-21 08:03:02 UTC | 15331 | OUT | |
| 2024-04-21 08:03:02 UTC | 15331 | OUT | |
| 2024-04-21 08:03:02 UTC | 15331 | OUT | |
| 2024-04-21 08:03:04 UTC | 806 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 10:02:54 |
| Start date: | 21/04/2024 |
| Path: | C:\Users\user\Desktop\qrLdMv1QXG.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 390'656 bytes |
| MD5 hash: | 7E4A8865EA7CF91C86BA9BA1711DA71C |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 10:03:08 |
| Start date: | 21/04/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xd20000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 6 |
| Start time: | 10:03:09 |
| Start date: | 21/04/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xd20000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 8.6% |
| Dynamic/Decrypted Code Coverage: | 7.9% |
| Signature Coverage: | 26.1% |
| Total number of Nodes: | 356 |
| Total number of Limit Nodes: | 17 |
Graph
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004046D0 Relevance: 5.5, Strings: 4, Instructions: 506COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041CC60 Relevance: 4.1, Strings: 3, Instructions: 328COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041DB22 Relevance: 3.6, APIs: 2, Instructions: 615COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01CDF6F6 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041AFE0 Relevance: 2.6, Strings: 2, Instructions: 130COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004162D6 Relevance: 1.7, APIs: 1, Instructions: 218COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00435B8B Relevance: 1.5, APIs: 1, Instructions: 42memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00435C40 Relevance: 1.5, APIs: 1, Instructions: 16libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00420C42 Relevance: .4, Instructions: 431COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00421370 Relevance: .4, Instructions: 381COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00421090 Relevance: .4, Instructions: 373COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0043B3B0 Relevance: .3, Instructions: 255COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0043AE80 Relevance: .2, Instructions: 160COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00438879 Relevance: .1, Instructions: 138COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00437998 Relevance: .1, Instructions: 138COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041210C Relevance: .1, Instructions: 112COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00410565 Relevance: .0, Instructions: 25COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004286B8 Relevance: .0, Instructions: 19COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0366003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00427C0B Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 72memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00437E48 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 90libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004241EB Relevance: 3.6, APIs: 2, Instructions: 582COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00435AA0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041DE00 Relevance: 3.2, APIs: 2, Instructions: 215COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0042DFB8 Relevance: 3.1, APIs: 2, Instructions: 123COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03660E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004394EC Relevance: 1.5, APIs: 1, Instructions: 38memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041860C Relevance: 1.5, APIs: 1, Instructions: 33COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01CDF3B5 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0042D8F0 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 155clipboardCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 036862FE Relevance: 7.1, Strings: 5, Instructions: 837COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00426097 Relevance: 7.1, Strings: 5, Instructions: 837COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0367CEC7 Relevance: 4.1, Strings: 3, Instructions: 328COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0366092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03665557 Relevance: 3.3, Strings: 2, Instructions: 842COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004052F0 Relevance: 3.3, Strings: 2, Instructions: 842COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0369BC37 Relevance: 2.9, Strings: 2, Instructions: 360COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0043B9D0 Relevance: 2.9, Strings: 2, Instructions: 360COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0367B247 Relevance: 2.6, Strings: 2, Instructions: 130COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03696827 Relevance: 2.0, Strings: 1, Instructions: 700COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004365C0 Relevance: 2.0, Strings: 1, Instructions: 700COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0368643C Relevance: 1.7, Strings: 1, Instructions: 432COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004261D5 Relevance: 1.7, Strings: 1, Instructions: 432COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 036863AF Relevance: 1.7, Strings: 1, Instructions: 429COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00426148 Relevance: 1.7, Strings: 1, Instructions: 429COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0368642A Relevance: 1.6, Strings: 1, Instructions: 388COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004261C3 Relevance: 1.6, Strings: 1, Instructions: 388COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03677CCC Relevance: 1.6, Strings: 1, Instructions: 357COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00417A65 Relevance: 1.6, Strings: 1, Instructions: 357COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03666857 Relevance: 1.5, Strings: 1, Instructions: 262COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004065F0 Relevance: 1.5, Strings: 1, Instructions: 262COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0368483B Relevance: 1.4, Strings: 1, Instructions: 188COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004245D4 Relevance: 1.4, Strings: 1, Instructions: 188COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 036848DF Relevance: 1.4, Strings: 1, Instructions: 169COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00424678 Relevance: 1.4, Strings: 1, Instructions: 169COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0368480F Relevance: 1.4, Strings: 1, Instructions: 126COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004245A8 Relevance: 1.4, Strings: 1, Instructions: 126COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03673719 Relevance: 1.3, Strings: 1, Instructions: 70COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004134B2 Relevance: 1.3, Strings: 1, Instructions: 70COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03697FA7 Relevance: 1.3, Strings: 1, Instructions: 44COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00437D40 Relevance: 1.3, Strings: 1, Instructions: 44COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03667ED7 Relevance: .9, Instructions: 864COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00407C70 Relevance: .9, Instructions: 864COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03663517 Relevance: .7, Instructions: 698COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004032B0 Relevance: .7, Instructions: 698COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03661267 Relevance: .5, Instructions: 544COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03666297 Relevance: .5, Instructions: 497COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00406030 Relevance: .5, Instructions: 497COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 036815D7 Relevance: .4, Instructions: 381COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03668B57 Relevance: .4, Instructions: 373COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004088F0 Relevance: .4, Instructions: 373COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0367B447 Relevance: .3, Instructions: 310COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041B1E0 Relevance: .3, Instructions: 310COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0367B917 Relevance: .3, Instructions: 291COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041B6B0 Relevance: .3, Instructions: 291COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0369B907 Relevance: .3, Instructions: 290COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0043B6A0 Relevance: .3, Instructions: 290COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0369B617 Relevance: .3, Instructions: 255COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03670FDE Relevance: .2, Instructions: 240COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00410D77 Relevance: .2, Instructions: 240COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03693BB7 Relevance: .2, Instructions: 192COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00433950 Relevance: .2, Instructions: 192COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0369B2C7 Relevance: .2, Instructions: 166COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0043B060 Relevance: .2, Instructions: 166COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0369B0E7 Relevance: .2, Instructions: 160COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03662F77 Relevance: .2, Instructions: 152COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00402D10 Relevance: .2, Instructions: 152COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03675227 Relevance: .1, Instructions: 146COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00414FC0 Relevance: .1, Instructions: 146COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03697BFF Relevance: .1, Instructions: 138COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03698AE0 Relevance: .1, Instructions: 138COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 036730FA Relevance: .1, Instructions: 136COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00412E93 Relevance: .1, Instructions: 136COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 036703A7 Relevance: .1, Instructions: 132COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00410140 Relevance: .1, Instructions: 132COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03672373 Relevance: .1, Instructions: 112COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03663127 Relevance: .1, Instructions: 100COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00402EC0 Relevance: .1, Instructions: 100COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0369AFD7 Relevance: .1, Instructions: 92COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0043AD70 Relevance: .1, Instructions: 92COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 036991D1 Relevance: .1, Instructions: 81COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00438F6A Relevance: .1, Instructions: 81COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0367DA12 Relevance: .1, Instructions: 69COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 036921E7 Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00431F80 Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01CDEFD3 Relevance: .1, Instructions: 61COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03682554 Relevance: .1, Instructions: 52COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004222ED Relevance: .1, Instructions: 52COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0369A837 Relevance: .0, Instructions: 47COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0043A5D0 Relevance: .0, Instructions: 47COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03660D90 Relevance: .0, Instructions: 43COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03695DF2 Relevance: .0, Instructions: 42COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0368254E Relevance: .0, Instructions: 32COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004222E7 Relevance: .0, Instructions: 32COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 036707CC Relevance: .0, Instructions: 25COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 036995F0 Relevance: .0, Instructions: 24COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00439389 Relevance: .0, Instructions: 24COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0366D3C7 Relevance: .0, Instructions: 21COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040D160 Relevance: .0, Instructions: 21COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03677C81 Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00417A1A Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0369A3E9 Relevance: .0, Instructions: 14COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0043A182 Relevance: .0, Instructions: 14COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 03682689 Relevance: .0, Instructions: 12COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00422422 Relevance: .0, Instructions: 12COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0369A3F7 Relevance: .0, Instructions: 11COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0043A190 Relevance: .0, Instructions: 11COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0368DB57 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 155clipboardCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |