Edit tour
Windows
Analysis Report
launcher.exe
Overview
General Information
| Sample name: | launcher.exe |
| Analysis ID: | 1429438 |
| MD5: | 913b4744fbcd88cbc9ba44808a835a91 |
| SHA1: | d5cb6cbe5d4ad8b20a351080a6bc8e85fa72a64e |
| SHA256: | b411fa289b897c774560292abcf7c298e29e1b9b8243357b1cc7d25a28622739 |
| Tags: | exe |
| Infos: |  |
 | |
Detection
LummaC
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected LummaC Stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
launcher.exe (PID: 7444 cmdline: "C:\Users\ user\Deskt op\launche r.exe" MD5: 913B4744FBCD88CBC9BA44808A835A91) - RegAsm.exe (PID: 7464 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13) - RegAsm.exe (PID: 7472 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13) 
WerFault.exe (PID: 7560 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 7 444 -s 596 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
{"C2 url": ["demonstationfukewko.shop", "liabilitynighstjsko.shop", "alcojoldwograpciw.shop", "incredibleextedwj.shop", "shortsvelventysjo.shop", "shatterbreathepsw.shop", "tolerateilusidjukl.shop", "productivelookewr.shop", "sideindexfollowragelrew.pw"], "Build id": "LPnhqo--@Krystalik3"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
⊘No Sigma rule has matched
| Timestamp: | 04/22/24-07:00:05.913565 |
| SID: | 2049958 |
| Source Port: | 63363 |
| Destination Port: | 53 |
| Protocol: | UDP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Joe Sandbox ML: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Code function: | 2_2_0041698E | |
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_003749E4 | |
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Code function: | 0_2_003A407B | |
| Source: | Code function: | 0_2_003BF060 | |
| Source: | Code function: | 0_2_0039C127 | |
| Source: | Code function: | 0_2_003A2170 | |
| Source: | Code function: | 0_2_00399169 | |
| Source: | Code function: | 0_2_003A715C | |
| Source: | Code function: | 0_2_003AA237 | |
| Source: | Code function: | 0_2_003AA237 | |
| Source: | Code function: | 0_2_003AA234 | |
| Source: | Code function: | 0_2_003AA234 | |
| Source: | Code function: | 0_2_003BB28E | |
| Source: | Code function: | 0_2_003BB28E | |
| Source: | Code function: | 0_2_0039C2F5 | |
| Source: | Code function: | 0_2_003BE360 | |
| Source: | Code function: | 0_2_003BB475 | |
| Source: | Code function: | 0_2_003A9AFE | |
| Source: | Code function: | 0_2_003A9AFE | |
| Source: | Code function: | 0_2_003BE480 | |
| Source: | Code function: | 0_2_003974EC | |
| Source: | Code function: | 0_2_0039A569 | |
| Source: | Code function: | 0_2_003A0550 | |
| Source: | Code function: | 0_2_003BC5B0 | |
| Source: | Code function: | 0_2_00399672 | |
| Source: | Code function: | 0_2_003BC655 | |
| Source: | Code function: | 0_2_003BE680 | |
| Source: | Code function: | 0_2_003BD6D2 | |
| Source: | Code function: | 0_2_00396726 | |
| Source: | Code function: | 0_2_003AB748 | |
| Source: | Code function: | 0_2_003A7783 | |
| Source: | Code function: | 0_2_0039781B | |
| Source: | Code function: | 0_2_003928E0 | |
| Source: | Code function: | 0_2_00387A30 | |
| Source: | Code function: | 0_2_003A0A30 | |
| Source: | Code function: | 0_2_003BEA10 | |
| Source: | Code function: | 0_2_003A8276 | |
| Source: | Code function: | 0_2_003A8B65 | |
| Source: | Code function: | 0_2_003A8C65 | |
| Source: | Code function: | 0_2_00396C43 | |
| Source: | Code function: | 0_2_003A3CB4 | |
| Source: | Code function: | 0_2_003BED10 | |
| Source: | Code function: | 0_2_00397D14 | |
| Source: | Code function: | 0_2_003A5D90 | |
| Source: | Code function: | 0_2_003B5E10 | |
| Source: | Code function: | 0_2_0039AE50 | |
| Source: | Code function: | 0_2_003BBE88 | |
| Source: | Code function: | 0_2_003A7F75 | |
| Source: | Code function: | 0_2_003BCFBD | |
| Source: | Code function: | 0_2_003BCFD6 | |
| Source: | Code function: | 0_2_0039AFC0 | |
| Source: | Code function: | 2_2_00436045 | |
| Source: | Code function: | 2_2_00439050 | |
| Source: | Code function: | 2_2_00426318 | |
| Source: | Code function: | 2_2_004395E0 | |
| Source: | Code function: | 2_2_00420960 | |
| Source: | Code function: | 2_2_00422B45 | |
| Source: | Code function: | 2_2_00415B90 | |
| Source: | Code function: | 2_2_0041EC4B | |
| Source: | Code function: | 2_2_00416CF7 | |
| Source: | Code function: | 2_2_0041CD40 | |
| Source: | Code function: | 2_2_00435E5E | |
| Source: | Code function: | 2_2_00435E5E | |
| Source: | Code function: | 2_2_004246CE | |
| Source: | Code function: | 2_2_004246CE | |
| Source: | Code function: | 2_2_004120BC | |
| Source: | Code function: | 2_2_0041B120 | |
| Source: | Code function: | 2_2_00415139 | |
| Source: | Code function: | 2_2_00437180 | |
| Source: | Code function: | 2_2_00414242 | |
| Source: | Code function: | 2_2_00439250 | |
| Source: | Code function: | 2_2_00437225 | |
| Source: | Code function: | 2_2_004112F6 | |
| Source: | Code function: | 2_2_004382A2 | |
| Source: | Code function: | 2_2_00422353 | |
| Source: | Code function: | 2_2_004123EB | |
| Source: | Code function: | 2_2_0040D4B0 | |
| Source: | Code function: | 2_2_00402600 | |
| Source: | Code function: | 2_2_0041B600 | |
| Source: | Code function: | 2_2_00423735 | |
| Source: | Code function: | 2_2_00422E46 | |
| Source: | Code function: | 2_2_00411813 | |
| Source: | Code function: | 2_2_00423835 | |
| Source: | Code function: | 2_2_004398E0 | |
| Source: | Code function: | 2_2_004128E4 | |
| Source: | Code function: | 2_2_0041E884 | |
| Source: | Code function: | 2_2_004309E0 | |
| Source: | Code function: | 2_2_00436A58 | |
| Source: | Code function: | 2_2_00415A20 | |
| Source: | Code function: | 2_2_00437B8D | |
| Source: | Code function: | 2_2_00437BA6 | |
| Source: | Code function: | 2_2_00439C30 | |
| Source: | Code function: | 2_2_00421D2C | |
| Source: | Code function: | 2_2_00413D39 | |
| Source: | Code function: | 2_2_00424E07 | |
| Source: | Code function: | 2_2_00424E07 | |
| Source: | Code function: | 2_2_00424E04 | |
| Source: | Code function: | 2_2_00424E04 | |
| Source: | Code function: | 2_2_00416EC5 | |
| Source: | Code function: | 2_2_00438F30 | |
Networking | |
|---|
| Source: | Snort IDS: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 2_2_0042CA70 | |
| Source: | Code function: | 2_2_0042CA70 | |
| Source: | Code function: | 2_2_0042CC40 | |
| Source: | Code function: | 0_2_003BF060 | |
| Source: | Code function: | 0_2_003BA0F0 | |
| Source: | Code function: | 0_2_003AE2B6 | |
| Source: | Code function: | 0_2_00386430 | |
| Source: | Code function: | 0_2_003A9AFE | |
| Source: | Code function: | 0_2_00389590 | |
| Source: | Code function: | 0_2_0038D6B0 | |
| Source: | Code function: | 0_2_003B06FD | |
| Source: | Code function: | 0_2_00388720 | |
| Source: | Code function: | 0_2_003B7780 | |
| Source: | Code function: | 0_2_003AD84F | |
| Source: | Code function: | 0_2_003A993B | |
| Source: | Code function: | 0_2_003AB99F | |
| Source: | Code function: | 0_2_0038B990 | |
| Source: | Code function: | 0_2_00373A69 | |
| Source: | Code function: | 0_2_003ABAB5 | |
| Source: | Code function: | 0_2_00388AF0 | |
| Source: | Code function: | 0_2_003ABAC7 | |
| Source: | Code function: | 0_2_00395B20 | |
| Source: | Code function: | 0_2_003A5B24 | |
| Source: | Code function: | 0_2_003A6B10 | |
| Source: | Code function: | 0_2_0038AC84 | |
| Source: | Code function: | 0_2_003BED10 | |
| Source: | Code function: | 0_2_003A8DDB | |
| Source: | Code function: | 0_2_003ACF18 | |
| Source: | Code function: | 0_2_00389FE0 | |
| Source: | Code function: | 2_2_004216E0 | |
| Source: | Code function: | 2_2_00401750 | |
| Source: | Code function: | 2_2_004328B0 | |
| Source: | Code function: | 2_2_00404BB0 | |
| Source: | Code function: | 2_2_00420FF2 | |
| Source: | Code function: | 2_2_00401000 | |
| Source: | Code function: | 2_2_004246CE | |
| Source: | Code function: | 2_2_00404160 | |
| Source: | Code function: | 2_2_0042B2CD | |
| Source: | Code function: | 2_2_004032F0 | |
| Source: | Code function: | 2_2_00408280 | |
| Source: | Code function: | 2_2_0041D2B0 | |
| Source: | Code function: | 2_2_00432350 | |
| Source: | Code function: | 2_2_0042841F | |
| Source: | Code function: | 2_2_00406560 | |
| Source: | Code function: | 2_2_0042656F | |
| Source: | Code function: | 2_2_0042450B | |
| Source: | Code function: | 2_2_004036C0 | |
| Source: | Code function: | 2_2_004106F0 | |
| Source: | Code function: | 2_2_004206F4 | |
| Source: | Code function: | 2_2_00426685 | |
| Source: | Code function: | 2_2_00426697 | |
| Source: | Code function: | 2_2_0041D6B2 | |
| Source: | Code function: | 2_2_004057D0 | |
| Source: | Code function: | 2_2_004398E0 | |
| Source: | Code function: | 2_2_004239AB | |
| Source: | Code function: | 2_2_00427AE8 | |
| Source: | Code function: | 2_2_00406C00 | |
| Source: | Code function: | 2_2_00439C30 | |
| Source: | Code function: | 2_2_00434CC0 | |
| Source: | Code function: | 2_2_00428E86 | |
| Source: | Process created: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 2_2_004298A2 | |
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00364B1C | |
| Source: | Code function: | 2_2_0044113D | |
| Source: | Code function: | 2_2_00441191 | |
| Source: | Code function: | 2_2_0043EBCF | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | System information queried: | Jump to behavior | ||
| Source: | API coverage: | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Code function: | 0_2_003749E4 | |
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Code function: | 2_2_00434400 | |
| Source: | Code function: | 0_2_003690B3 | |
| Source: | Code function: | 0_2_00375AAE | |
| Source: | Code function: | 0_2_0036CE48 | |
| Source: | Code function: | 0_2_003780AD | |
| Source: | Code function: | 0_2_003690B3 | |
| Source: | Code function: | 0_2_00365156 | |
| Source: | Code function: | 0_2_003652B2 | |
| Source: | Code function: | 0_2_003653E7 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Code function: | 0_2_003CF7BD | |
| Source: | Memory written: | Jump to behavior | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00364E7C | |
| Source: | Code function: | 0_2_0036F6AF | |
| Source: | Code function: | 0_2_00377789 | |
| Source: | Code function: | 0_2_003777D4 | |
| Source: | Code function: | 0_2_0037786F | |
| Source: | Code function: | 0_2_003778FA | |
| Source: | Code function: | 0_2_00377B4D | |
| Source: | Code function: | 0_2_0036FBD5 | |
| Source: | Code function: | 0_2_00377C76 | |
| Source: | Code function: | 0_2_00377D7C | |
| Source: | Code function: | 0_2_00377E4B | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_00365050 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 411 Process Injection | 12 Virtualization/Sandbox Evasion | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 411 Process Injection | LSASS Memory | 151 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 12 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 31 Data from Local System | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 1 Process Discovery | Distributed Component Object Model | 2 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 12 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 33 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 23% | Virustotal | Browse | ||
| 100% | Avira | HEUR/AGEN.1317017 | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 1% | Virustotal | Browse | ||
| 24% | Virustotal | Browse |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 1% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 14% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 14% | Virustotal | Browse | ||
| 14% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 14% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 24% | Virustotal | Browse | ||
| 0% | Virustotal | Browse |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| productivelookewr.shop | 104.21.11.250 | true | true |
| unknown |
| sideindexfollowragelrew.pw | unknown | unknown | true |
| unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| false |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | unknown | |||
| false | unknown | |||
| false |
| unknown | ||
| false | unknown | |||
| false | high | |||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 104.21.11.250 | productivelookewr.shop | United States | 13335 | CLOUDFLARENETUS | true |
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1429438 |
| Start date and time: | 2024-04-22 06:59:09 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 25s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 10 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | launcher.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@6/5@2/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 13.89.179.12
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
- HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenFile calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 07:00:05 | API Interceptor | |
| 07:00:13 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 104.21.11.250 | Get hash | malicious | LummaC | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| productivelookewr.shop | Get hash | malicious | LummaC | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | AgentTesla | Browse |
| |
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | ScreenConnect Tool | Browse |
| ||
| Get hash | malicious | RisePro Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | RisePro Stealer | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | RisePro Stealer | Browse |
| |
| Get hash | malicious | RisePro Stealer | Browse |
| ||
| Get hash | malicious | Clipboard Hijacker, RisePro Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC, RisePro Stealer | Browse |
| ||
| Get hash | malicious | DBatLoader | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
|
⊘No context
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_launcher.exe_unk_b0bb7f6d90ed2f8ba3c75ebe9dc55dc31e4cb28_122839a5_de3fb72a-2063-40a2-b49d-422c40f56fc6\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.7971542237410658 |
| Encrypted: | false |
| SSDEEP: | 96:aF5LFSzDqZO2wsghqDEyCfIQXIDcQvc6QcEVcw3cE/f+HbHg/BQAS/YyNl4EfaAs:aLLzA2w8Q0BU/4jeTMzuiFFZ24IO8Hf |
| MD5: | 0EDD2FCD0220238FDD2D55612432AF1E |
| SHA1: | 7AF39E5E77B14053BBE8E76940320F8B8B79FAE5 |
| SHA-256: | 31D5E34E86986C5DF683A37C9D309EA23F999EA13801DB45F4381D1C763B1223 |
| SHA-512: | 4583A57247C892E79CE388E62C454E351DEFA1871E0F71CAECE512D4C8C61D6057FEA5C68CDBDF73C612FA7445B128BDC5584127F0ED41969D0C32AB1C66ED71 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 40616 |
| Entropy (8bit): | 1.9414788471263662 |
| Encrypted: | false |
| SSDEEP: | 96:5H8liE3p16sKeAbqg3c9brwYYTKki75I4vvOLWSilevo0B7tjfKmp4TbS94sSCOe:a9kuhLBkO5H+voSxjfj4w0HwOKGEuGD |
| MD5: | 30B1A5724501B2431E1C71B776CEDF34 |
| SHA1: | 4A5A1C0490895A156C4A9ED62E2F5AFF1F7C8DC8 |
| SHA-256: | 1EB1D0BFB0A5021FFF2653F2C578A301DEF1B41B15851631CDEDC22F5F1DA43A |
| SHA-512: | 9F3635971563C3A65A95314846ADCE5E4A4473E2ABCBC5081E77B0D76058F79828DAB1167A1C2593BBA1EE46D8CB79A9DAB7DFE5B8765E7C2858D67CA0E929BC |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8320 |
| Entropy (8bit): | 3.6992080068150726 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJo16wL6Y9OSUcigmfWq7prB89byxsfHGm:R6lXJS6W6YkSUcigmfWqYyqfP |
| MD5: | 910BE4E946862215863E7E7C9EAC9AEC |
| SHA1: | 88E1840EA76F03D4214AB1D694AF4D4272D65916 |
| SHA-256: | AFF03C7AF332FDBAE1FFDF8285B4F5AF71A4A9F3DEBDC57CE041744FF367BEA2 |
| SHA-512: | 46360F58BFE5B9E9A49D4083B0FE2C0B9C2DF62860F455230632D25F390D122C12AC0D6A6AB2FE91FD90DD7FD8C6C35BF3138E1FFB9EC4A1581BD54FD6C7C011 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4603 |
| Entropy (8bit): | 4.469412429961924 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsauJg77aI9DIWpW8VYAYm8M4JhMsEFk+q8wHRQOQsd:uIjfakI7ph7VIJhMCRxQOQsd |
| MD5: | C3DFFD7FF58ADEFCECF0B333D6FF91DD |
| SHA1: | 5983A671EA29578E583B935094B2A089628EEFE0 |
| SHA-256: | 717EE5BA93216C90A6A091A94961E714E69D74AA018368EC76DD4CD2481D78FD |
| SHA-512: | 49D46E5AA9B25E786CDB9798A976F1DB1D26FDB65E38403B54C05BEF272A95B332F614EBBE0E8336D125CE992032D8619BE4D7DBA18DABC8FFADB00F59DC9CD6 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1835008 |
| Entropy (8bit): | 4.4654274525378606 |
| Encrypted: | false |
| SSDEEP: | 6144:sIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNOdwBCswSbn:RXD94+WlLZMM6YFH0+n |
| MD5: | F510FB7BF5C2B9835A4B700D17ED9763 |
| SHA1: | DDC266EB1BF710F208FA1E1F2AEC1B5F386BB12E |
| SHA-256: | 6DCDE34B1BE03E22D4A04345CF83DE77813EA83E549158F5EEC6B377B5901BAB |
| SHA-512: | 89F7D7CCA14BF72F0842BC71CA1BFA215B4B934BE056D6C319FFDE1DDC56A0732D0AF45071EC88A88DB8915CCBEB8CD2299E9D92DE54915CF07E9412432EAE97 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 0.26264220467827815 |
| TrID: |
|
| File name: | launcher.exe |
| File size: | 26'684'528 bytes |
| MD5: | 913b4744fbcd88cbc9ba44808a835a91 |
| SHA1: | d5cb6cbe5d4ad8b20a351080a6bc8e85fa72a64e |
| SHA256: | b411fa289b897c774560292abcf7c298e29e1b9b8243357b1cc7d25a28622739 |
| SHA512: | ab0c1ec3840947262d4825bbc1cb1f0f056fceda99d7886ce7f83c432faf91a89e17f81e21132a9f997a895c0dd3cdb3d987b47608020cb1260657d782847863 |
| SSDEEP: | 12288:5R5ouJIVQhcEWuDG6X/ob2qlTIiw/TmQxFZpC:dnJIG2EFlf09GTmYvC |
| TLSH: | 9447F15138C08032D6B3163605E4DAF46F3EF9720F795E9B2754CBBE4F31281DA2666A |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3..%wt.vwt.vwt.v...w{t.v...w.t.v...wbt.v...wet.v...wct.v...w~t.vwt.v(t.v...w:t.v...wvt.v...wvt.vRichwt.v................PE..L.. |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x404ab3 |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x6625B229 [Mon Apr 22 00:41:13 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 735d296c22306fc0a800ccc2ec8ed2a4 |
| Signature Valid: | |
| Signature Issuer: | |
| Signature Validation Error: | |
| Error Number: | |
| Not Before, Not After | |
| Subject Chain | |
| Version: | |
| Thumbprint MD5: | |
| Thumbprint SHA-1: | |
| Thumbprint SHA-256: | |
| Serial: |
| Instruction |
|---|
| call 00007F8CC45049FAh |
| jmp 00007F8CC4504289h |
| push ebp |
| mov ebp, esp |
| jmp 00007F8CC450441Fh |
| push dword ptr [ebp+08h] |
| call 00007F8CC450E089h |
| pop ecx |
| test eax, eax |
| je 00007F8CC4504421h |
| push dword ptr [ebp+08h] |
| call 00007F8CC450AE59h |
| pop ecx |
| test eax, eax |
| je 00007F8CC45043F8h |
| pop ebp |
| ret |
| cmp dword ptr [ebp+08h], FFFFFFFFh |
| je 00007F8CC450189Bh |
| jmp 00007F8CC4504CEDh |
| push ebp |
| mov ebp, esp |
| push dword ptr [ebp+08h] |
| call 00007F8CC4504CFFh |
| pop ecx |
| pop ebp |
| ret |
| cmp ecx, dword ptr [0046FB00h] |
| jne 00007F8CC4504413h |
| ret |
| jmp 00007F8CC4504D1Bh |
| mov ecx, dword ptr [ebp-0Ch] |
| mov dword ptr fs:[00000000h], ecx |
| pop ecx |
| pop edi |
| pop edi |
| pop esi |
| pop ebx |
| mov esp, ebp |
| pop ebp |
| push ecx |
| ret |
| mov ecx, dword ptr [ebp-10h] |
| xor ecx, ebp |
| call 00007F8CC45043E9h |
| jmp 00007F8CC45043F2h |
| push eax |
| push dword ptr fs:[00000000h] |
| lea eax, dword ptr [esp+0Ch] |
| sub esp, dword ptr [esp+0Ch] |
| push ebx |
| push esi |
| push edi |
| mov dword ptr [eax], ebp |
| mov ebp, eax |
| mov eax, dword ptr [0046FB00h] |
| xor eax, ebp |
| push eax |
| push dword ptr [ebp-04h] |
| mov dword ptr [ebp-04h], FFFFFFFFh |
| lea eax, dword ptr [ebp-0Ch] |
| mov dword ptr fs:[00000000h], eax |
| ret |
| push eax |
| push dword ptr fs:[00000000h] |
| lea eax, dword ptr [esp+0Ch] |
| sub esp, dword ptr [esp+0Ch] |
| push ebx |
| push esi |
| push edi |
| mov dword ptr [eax], ebp |
| mov ebp, eax |
| mov eax, dword ptr [0046FB00h] |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2492c | 0x64 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x70600 | 0x2670 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x72000 | 0x192c | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x22fc8 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x22f08 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x1c000 | 0x15c | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x1aa04 | 0x1ac00 | 4c15859801cd6ab3f1aa5dccad948842 | False | 0.5813011098130841 | data | 6.5915998748822755 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x1c000 | 0x9128 | 0x9200 | 16c627fe23119da2727ba8da8cc1c5bc | False | 0.3929259417808219 | data | 4.724243668286385 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x26000 | 0x4b754 | 0x4aa00 | ba209df452c86214b5e95060f558d8f1 | False | 0.9890009945561139 | data | 7.991346479525204 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .reloc | 0x72000 | 0x192c | 0x1a00 | 4ffd6745fcfe5bbf5835bbc8afa78671 | False | 0.7521033653846154 | data | 6.485622010377947 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| DLL | Import |
|---|---|
| USER32.dll | CreateCaret, ShowWindowAsync, InSendMessageEx |
| ADVAPI32.dll | DuplicateToken |
| SHELL32.dll | ShellExecuteExA |
| KERNEL32.dll | GetProcessHeap, HeapSize, CreateFileW, TlsSetValue, SetStdHandle, SetEnvironmentVariableW, WaitForSingleObject, CreateRemoteThread, VirtualProtectEx, EncodePointer, DecodePointer, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, MultiByteToWideChar, WideCharToMultiByte, LCMapStringEx, GetStringTypeW, GetCPInfo, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetModuleHandleW, GetCurrentProcess, TerminateProcess, FreeEnvironmentStringsW, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, WriteConsoleW, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, CloseHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 04/22/24-07:00:05.913565 | UDP | 2049958 | ET TROJAN Lumma Stealer Related Domain in DNS Lookup (sideindexfollowragelrew .pw) | 63363 | 53 | 192.168.2.4 | 1.1.1.1 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Apr 22, 2024 07:00:06.178782940 CEST | 49730 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:06.178867102 CEST | 443 | 49730 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:06.178949118 CEST | 49730 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:06.182369947 CEST | 49730 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:06.182404041 CEST | 443 | 49730 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:06.416579008 CEST | 443 | 49730 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:06.416862965 CEST | 49730 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:06.436605930 CEST | 49730 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:06.436682940 CEST | 443 | 49730 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:06.437585115 CEST | 443 | 49730 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:06.482963085 CEST | 49730 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:06.502408028 CEST | 49730 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:06.502450943 CEST | 49730 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:06.502680063 CEST | 443 | 49730 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:06.983664036 CEST | 443 | 49730 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:06.983978987 CEST | 443 | 49730 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:06.984075069 CEST | 49730 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:06.985940933 CEST | 49730 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:06.985964060 CEST | 443 | 49730 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:06.988688946 CEST | 49732 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:06.988768101 CEST | 443 | 49732 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:06.988915920 CEST | 49732 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:06.989172935 CEST | 49732 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:06.989224911 CEST | 443 | 49732 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:07.214340925 CEST | 443 | 49732 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:07.214428902 CEST | 49732 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:07.225066900 CEST | 49732 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:07.225105047 CEST | 443 | 49732 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:07.225820065 CEST | 443 | 49732 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:07.227861881 CEST | 49732 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:07.227912903 CEST | 49732 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:07.228056908 CEST | 443 | 49732 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:07.795875072 CEST | 443 | 49732 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:07.796027899 CEST | 443 | 49732 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:07.796120882 CEST | 49732 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:07.796144009 CEST | 443 | 49732 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:07.796175003 CEST | 443 | 49732 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:07.796231031 CEST | 49732 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:07.796262980 CEST | 443 | 49732 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:07.796413898 CEST | 443 | 49732 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:07.796467066 CEST | 49732 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:07.796498060 CEST | 443 | 49732 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:07.796595097 CEST | 443 | 49732 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:07.796650887 CEST | 49732 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:07.796665907 CEST | 443 | 49732 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:07.796756029 CEST | 443 | 49732 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:07.796814919 CEST | 49732 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:07.796827078 CEST | 443 | 49732 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:07.796922922 CEST | 443 | 49732 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:07.796974897 CEST | 49732 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:07.796987057 CEST | 443 | 49732 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:07.797157049 CEST | 443 | 49732 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:07.797224045 CEST | 49732 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:07.802328110 CEST | 49732 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:07.802356005 CEST | 443 | 49732 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:07.839673996 CEST | 49735 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:07.839732885 CEST | 443 | 49735 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:07.839962006 CEST | 49735 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:07.840250015 CEST | 49735 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:07.840284109 CEST | 443 | 49735 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:08.066049099 CEST | 443 | 49735 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:08.066180944 CEST | 49735 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:08.067764997 CEST | 49735 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:08.067790985 CEST | 443 | 49735 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:08.068327904 CEST | 443 | 49735 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:08.079961061 CEST | 49735 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:08.080642939 CEST | 49735 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:08.080710888 CEST | 443 | 49735 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:08.080799103 CEST | 49735 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:08.080815077 CEST | 443 | 49735 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:08.614280939 CEST | 443 | 49735 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:08.614548922 CEST | 443 | 49735 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:08.614661932 CEST | 49735 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:08.614661932 CEST | 49735 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:08.643733025 CEST | 49738 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:08.643806934 CEST | 443 | 49738 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:08.643906116 CEST | 49738 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:08.644279957 CEST | 49738 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:08.644315004 CEST | 443 | 49738 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:08.866707087 CEST | 443 | 49738 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:08.866919041 CEST | 49738 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:08.868114948 CEST | 49738 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:08.868145943 CEST | 443 | 49738 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:08.868678093 CEST | 443 | 49738 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:08.878326893 CEST | 49738 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:08.878475904 CEST | 49738 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:08.878544092 CEST | 443 | 49738 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:09.397305965 CEST | 443 | 49738 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:09.397561073 CEST | 443 | 49738 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:09.397641897 CEST | 49738 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:09.397716999 CEST | 49738 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:09.397757053 CEST | 443 | 49738 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:09.463663101 CEST | 49740 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:09.463704109 CEST | 443 | 49740 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:09.463804960 CEST | 49740 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:09.464131117 CEST | 49740 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:09.464148998 CEST | 443 | 49740 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:09.688216925 CEST | 443 | 49740 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:09.688323021 CEST | 49740 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:09.690074921 CEST | 49740 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:09.690087080 CEST | 443 | 49740 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:09.690633059 CEST | 443 | 49740 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:09.700684071 CEST | 49740 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:09.700813055 CEST | 49740 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:09.700886011 CEST | 443 | 49740 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:09.701000929 CEST | 49740 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:09.701010942 CEST | 443 | 49740 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:10.272198915 CEST | 443 | 49740 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:10.272403002 CEST | 443 | 49740 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:10.272617102 CEST | 49740 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:10.272804022 CEST | 49740 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:10.272850037 CEST | 443 | 49740 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:10.369210958 CEST | 49742 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:10.369245052 CEST | 443 | 49742 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:10.369329929 CEST | 49742 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:10.370045900 CEST | 49742 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:10.370059967 CEST | 443 | 49742 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:10.594491959 CEST | 443 | 49742 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:10.594923019 CEST | 49742 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:10.596050978 CEST | 49742 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:10.596081972 CEST | 443 | 49742 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:10.596383095 CEST | 443 | 49742 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:10.597987890 CEST | 49742 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:10.598144054 CEST | 49742 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:10.598196983 CEST | 443 | 49742 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:11.123061895 CEST | 443 | 49742 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:11.123388052 CEST | 443 | 49742 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:11.123402119 CEST | 49742 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:11.123469114 CEST | 49742 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:11.139533997 CEST | 49743 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:11.139575958 CEST | 443 | 49743 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:11.139739037 CEST | 49743 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:11.140053034 CEST | 49743 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:11.140069962 CEST | 443 | 49743 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:11.364940882 CEST | 443 | 49743 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:11.365206957 CEST | 49743 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:11.366511106 CEST | 49743 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:11.366523027 CEST | 443 | 49743 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:11.367014885 CEST | 443 | 49743 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:11.368340969 CEST | 49743 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:11.368562937 CEST | 49743 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:11.368570089 CEST | 443 | 49743 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:11.868935108 CEST | 443 | 49743 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:11.869184971 CEST | 443 | 49743 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:11.869220972 CEST | 49743 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:11.869268894 CEST | 49743 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:12.264590025 CEST | 49746 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:12.264683008 CEST | 443 | 49746 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:12.264786959 CEST | 49746 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:12.265180111 CEST | 49746 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:12.265218019 CEST | 443 | 49746 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:12.488970995 CEST | 443 | 49746 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:12.489106894 CEST | 49746 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:12.490227938 CEST | 49746 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:12.490246058 CEST | 443 | 49746 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:12.490848064 CEST | 443 | 49746 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:12.491982937 CEST | 49746 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:12.492734909 CEST | 49746 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:12.492805004 CEST | 443 | 49746 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:12.492939949 CEST | 49746 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:12.493006945 CEST | 443 | 49746 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:12.493141890 CEST | 49746 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:12.493372917 CEST | 443 | 49746 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:12.493529081 CEST | 49746 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:12.493567944 CEST | 443 | 49746 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:12.493762016 CEST | 49746 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:12.493803024 CEST | 443 | 49746 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:12.493999004 CEST | 49746 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:12.494054079 CEST | 49746 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:12.494075060 CEST | 443 | 49746 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:12.494182110 CEST | 443 | 49746 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:12.494308949 CEST | 49746 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:12.494349957 CEST | 443 | 49746 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:12.494389057 CEST | 49746 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:12.494424105 CEST | 49746 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:12.494550943 CEST | 49746 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:12.540162086 CEST | 443 | 49746 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:12.540585995 CEST | 49746 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:12.540663004 CEST | 49746 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:12.540704012 CEST | 49746 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:12.584161043 CEST | 443 | 49746 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:12.584405899 CEST | 49746 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 22, 2024 07:00:12.628197908 CEST | 443 | 49746 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:12.808670998 CEST | 443 | 49746 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:14.558342934 CEST | 443 | 49746 | 104.21.11.250 | 192.168.2.4 |
| Apr 22, 2024 07:00:14.558579922 CEST | 49746 | 443 | 192.168.2.4 | 104.21.11.250 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Apr 22, 2024 07:00:05.913564920 CEST | 63363 | 53 | 192.168.2.4 | 1.1.1.1 |
| Apr 22, 2024 07:00:06.036990881 CEST | 53 | 63363 | 1.1.1.1 | 192.168.2.4 |
| Apr 22, 2024 07:00:06.039350033 CEST | 59884 | 53 | 192.168.2.4 | 1.1.1.1 |
| Apr 22, 2024 07:00:06.174057961 CEST | 53 | 59884 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Apr 22, 2024 07:00:05.913564920 CEST | 192.168.2.4 | 1.1.1.1 | 0x7915 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Apr 22, 2024 07:00:06.039350033 CEST | 192.168.2.4 | 1.1.1.1 | 0xa7a9 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Apr 22, 2024 07:00:06.174057961 CEST | 1.1.1.1 | 192.168.2.4 | 0xa7a9 | No error (0) | 104.21.11.250 | A (IP address) | IN (0x0001) | false | ||
| Apr 22, 2024 07:00:06.174057961 CEST | 1.1.1.1 | 192.168.2.4 | 0xa7a9 | No error (0) | 172.67.150.207 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49730 | 104.21.11.250 | 443 | 7472 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-22 05:00:06 UTC | 269 | OUT | |
| 2024-04-22 05:00:06 UTC | 8 | OUT | |
| 2024-04-22 05:00:06 UTC | 806 | IN | |
| 2024-04-22 05:00:06 UTC | 7 | IN | |
| 2024-04-22 05:00:06 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49732 | 104.21.11.250 | 443 | 7472 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-22 05:00:07 UTC | 270 | OUT | |
| 2024-04-22 05:00:07 UTC | 60 | OUT | |
| 2024-04-22 05:00:07 UTC | 804 | IN | |
| 2024-04-22 05:00:07 UTC | 565 | IN | |
| 2024-04-22 05:00:07 UTC | 1369 | IN | |
| 2024-04-22 05:00:07 UTC | 1369 | IN | |
| 2024-04-22 05:00:07 UTC | 1369 | IN | |
| 2024-04-22 05:00:07 UTC | 1369 | IN | |
| 2024-04-22 05:00:07 UTC | 1369 | IN | |
| 2024-04-22 05:00:07 UTC | 745 | IN | |
| 2024-04-22 05:00:07 UTC | 1369 | IN | |
| 2024-04-22 05:00:07 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 49735 | 104.21.11.250 | 443 | 7472 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-22 05:00:08 UTC | 288 | OUT | |
| 2024-04-22 05:00:08 UTC | 15331 | OUT | |
| 2024-04-22 05:00:08 UTC | 2838 | OUT | |
| 2024-04-22 05:00:08 UTC | 808 | IN | |
| 2024-04-22 05:00:08 UTC | 20 | IN | |
| 2024-04-22 05:00:08 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.4 | 49738 | 104.21.11.250 | 443 | 7472 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-22 05:00:08 UTC | 287 | OUT | |
| 2024-04-22 05:00:08 UTC | 8790 | OUT | |
| 2024-04-22 05:00:09 UTC | 808 | IN | |
| 2024-04-22 05:00:09 UTC | 20 | IN | |
| 2024-04-22 05:00:09 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.4 | 49740 | 104.21.11.250 | 443 | 7472 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-22 05:00:09 UTC | 288 | OUT | |
| 2024-04-22 05:00:09 UTC | 15331 | OUT | |
| 2024-04-22 05:00:09 UTC | 5112 | OUT | |
| 2024-04-22 05:00:10 UTC | 802 | IN | |
| 2024-04-22 05:00:10 UTC | 20 | IN | |
| 2024-04-22 05:00:10 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.4 | 49742 | 104.21.11.250 | 443 | 7472 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-22 05:00:10 UTC | 287 | OUT | |
| 2024-04-22 05:00:10 UTC | 7088 | OUT | |
| 2024-04-22 05:00:11 UTC | 798 | IN | |
| 2024-04-22 05:00:11 UTC | 20 | IN | |
| 2024-04-22 05:00:11 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.4 | 49743 | 104.21.11.250 | 443 | 7472 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-22 05:00:11 UTC | 287 | OUT | |
| 2024-04-22 05:00:11 UTC | 1410 | OUT | |
| 2024-04-22 05:00:11 UTC | 810 | IN | |
| 2024-04-22 05:00:11 UTC | 20 | IN | |
| 2024-04-22 05:00:11 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.4 | 49746 | 104.21.11.250 | 443 | 7472 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-22 05:00:12 UTC | 289 | OUT | |
| 2024-04-22 05:00:12 UTC | 15331 | OUT | |
| 2024-04-22 05:00:12 UTC | 15331 | OUT | |
| 2024-04-22 05:00:12 UTC | 15331 | OUT | |
| 2024-04-22 05:00:12 UTC | 15331 | OUT | |
| 2024-04-22 05:00:12 UTC | 15331 | OUT | |
| 2024-04-22 05:00:12 UTC | 15331 | OUT | |
| 2024-04-22 05:00:12 UTC | 15331 | OUT | |
| 2024-04-22 05:00:12 UTC | 15331 | OUT | |
| 2024-04-22 05:00:12 UTC | 15331 | OUT | |
| 2024-04-22 05:00:12 UTC | 15331 | OUT | |
| 2024-04-22 05:00:14 UTC | 810 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 07:00:04 |
| Start date: | 22/04/2024 |
| Path: | C:\Users\user\Desktop\launcher.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x360000 |
| File size: | 26'684'528 bytes |
| MD5 hash: | 913B4744FBCD88CBC9BA44808A835A91 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 07:00:04 |
| Start date: | 22/04/2024 |
| Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x160000 |
| File size: | 65'440 bytes |
| MD5 hash: | 0D5DF43AF2916F47D00C1573797C1A13 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 07:00:04 |
| Start date: | 22/04/2024 |
| Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xb40000 |
| File size: | 65'440 bytes |
| MD5 hash: | 0D5DF43AF2916F47D00C1573797C1A13 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 5 |
| Start time: | 07:00:05 |
| Start date: | 22/04/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xdb0000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 0.6% |
| Dynamic/Decrypted Code Coverage: | 10% |
| Signature Coverage: | 12.2% |
| Total number of Nodes: | 90 |
| Total number of Limit Nodes: | 4 |
Graph
Function 003CF7BD Relevance: 26.5, APIs: 11, Strings: 4, Instructions: 282threadinjectionmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0036230A Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 84synchronizationthreadwindowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003AE2B6 Relevance: 9.0, Strings: 7, Instructions: 231COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00377C76 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003A5B24 Relevance: 6.4, Strings: 5, Instructions: 174COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003749E4 Relevance: 6.2, APIs: 4, Instructions: 206fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00365156 Relevance: 6.1, APIs: 4, Instructions: 70COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00389FE0 Relevance: 5.5, Strings: 4, Instructions: 475COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003778FA Relevance: 4.7, APIs: 3, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003AA234 Relevance: 4.4, Strings: 3, Instructions: 653COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003AA237 Relevance: 4.4, Strings: 3, Instructions: 641COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003A9AFE Relevance: 4.3, Strings: 3, Instructions: 587COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003A5D90 Relevance: 4.0, Strings: 3, Instructions: 257COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003AB99F Relevance: 3.4, Strings: 2, Instructions: 867COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0038AC84 Relevance: 3.3, Strings: 2, Instructions: 822COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003ABAC7 Relevance: 3.0, Strings: 2, Instructions: 450COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003ABAB5 Relevance: 2.9, Strings: 2, Instructions: 400COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003BF060 Relevance: 2.8, Strings: 2, Instructions: 319COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00386430 Relevance: 1.8, Strings: 1, Instructions: 541COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00364E7C Relevance: 1.6, APIs: 1, Instructions: 147COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00377B4D Relevance: 1.6, APIs: 1, Instructions: 83COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00377D7C Relevance: 1.5, APIs: 1, Instructions: 45COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0036F6AF Relevance: 1.5, APIs: 1, Instructions: 33COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003652B2 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003A7F75 Relevance: 1.4, Strings: 1, Instructions: 176COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0039A569 Relevance: 1.4, Strings: 1, Instructions: 154COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003BC655 Relevance: 1.3, Strings: 1, Instructions: 87COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003A3CB4 Relevance: 1.3, Strings: 1, Instructions: 87COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003780AD Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0038D6B0 Relevance: .9, Instructions: 857COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00388AF0 Relevance: .7, Instructions: 732COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00389590 Relevance: .7, Instructions: 661COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003A8DDB Relevance: .6, Instructions: 596COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003BA0F0 Relevance: .6, Instructions: 591COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0038B990 Relevance: .5, Instructions: 536COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003A6B10 Relevance: .4, Instructions: 396COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003A2170 Relevance: .4, Instructions: 385COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003A0550 Relevance: .3, Instructions: 309COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003BED10 Relevance: .3, Instructions: 300COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003A0A30 Relevance: .3, Instructions: 283COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00399169 Relevance: .3, Instructions: 270COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003974EC Relevance: .3, Instructions: 260COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003BEA10 Relevance: .3, Instructions: 260COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0039781B Relevance: .2, Instructions: 212COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003AD84F Relevance: .2, Instructions: 200COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003ACF18 Relevance: .2, Instructions: 198COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003B7780 Relevance: .2, Instructions: 192COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00396726 Relevance: .2, Instructions: 187COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003BB475 Relevance: .2, Instructions: 167COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003BE480 Relevance: .2, Instructions: 164COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003BE680 Relevance: .2, Instructions: 161COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003A993B Relevance: .2, Instructions: 156COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003AB748 Relevance: .2, Instructions: 154COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003B06FD Relevance: .1, Instructions: 147COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0039AE50 Relevance: .1, Instructions: 146COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003BB28E Relevance: .1, Instructions: 141COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00395B20 Relevance: .1, Instructions: 134COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003A8276 Relevance: .1, Instructions: 109COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00399672 Relevance: .1, Instructions: 106COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00397D14 Relevance: .1, Instructions: 104COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0039AFC0 Relevance: .1, Instructions: 102COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00387A30 Relevance: .1, Instructions: 95COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003BE360 Relevance: .1, Instructions: 94COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00388720 Relevance: .1, Instructions: 91COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0039C127 Relevance: .1, Instructions: 81COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003A8B65 Relevance: .1, Instructions: 81COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003A407B Relevance: .1, Instructions: 67COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003A7783 Relevance: .1, Instructions: 67COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003B5E10 Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003A715C Relevance: .1, Instructions: 59COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0039C2F5 Relevance: .1, Instructions: 55COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00396C43 Relevance: .1, Instructions: 51COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00375AAE Relevance: .0, Instructions: 22COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003928E0 Relevance: .0, Instructions: 21COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003A8C65 Relevance: .0, Instructions: 16COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003BC5B0 Relevance: .0, Instructions: 13COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003BD6D2 Relevance: .0, Instructions: 12COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0036CE48 Relevance: .0, Instructions: 12COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003BCFBD Relevance: .0, Instructions: 11COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003BCFD6 Relevance: .0, Instructions: 11COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003BBE88 Relevance: .0, Instructions: 10COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00367FC8 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00371F0C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 298COMMONLIBRARYCODE
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00379F99 Relevance: 12.2, APIs: 8, Instructions: 248COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0036F878 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00362556 Relevance: 10.5, APIs: 7, Instructions: 49COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003625EB Relevance: 10.5, APIs: 7, Instructions: 49COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0036CE6A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0037312A Relevance: 7.7, APIs: 5, Instructions: 202COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003627F4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00368DA2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003746F0 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0036C094 Relevance: 6.1, APIs: 4, Instructions: 79COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00375686 Relevance: 6.1, APIs: 4, Instructions: 74COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0036836D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00368D02 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph
| Execution Coverage: | 14.7% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 4.4% |
| Total number of Nodes: | 272 |
| Total number of Limit Nodes: | 17 |
Graph
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00434400 Relevance: 1.5, APIs: 1, Instructions: 16libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004298A2 Relevance: .0, Instructions: 20COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0042878F Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 88memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004366FA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 98libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004368C5 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041DFF0 Relevance: 3.2, APIs: 2, Instructions: 191COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00415FD0 Relevance: 3.2, APIs: 2, Instructions: 162COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00418F60 Relevance: 3.1, APIs: 2, Instructions: 65COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00425BEE Relevance: 1.9, APIs: 1, Instructions: 353COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00425D04 Relevance: 1.8, APIs: 1, Instructions: 339COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0043778E Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00434270 Relevance: 1.6, APIs: 1, Instructions: 50memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0043434B Relevance: 1.5, APIs: 1, Instructions: 43memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004326B2 Relevance: 1.5, APIs: 1, Instructions: 35COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0042CA70 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 155clipboardCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |