Edit tour
Windows
Analysis Report
iPUk65i3yI.exe
Overview
General Information
| Sample name: | iPUk65i3yI.exerenamed because original name is a hash value |
| Original sample name: | 76845f267f56cb0fcc216d4ac9548131.exe |
| Analysis ID: | 1429931 |
| MD5: | 76845f267f56cb0fcc216d4ac9548131 |
| SHA1: | 7adbac444ea4368fd5c152099e40382e7a18ca3d |
| SHA256: | c165f0872716556f3a5612b4f220fea8620b32fc7ff9596fc430f8b9f88b513b |
| Tags: | 32exetrojan |
| Infos: |  |
 | |
Detection
LummaC
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
iPUk65i3yI.exe (PID: 7352 cmdline: "C:\Users\ user\Deskt op\iPUk65i 3yI.exe" MD5: 76845F267F56CB0FCC216D4AC9548131) 
WerFault.exe (PID: 7516 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 7 352 -s 154 8 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
{"C2 url": ["demonstationfukewko.shop", "liabilitynighstjsko.shop", "alcojoldwograpciw.shop", "incredibleextedwj.shop", "shortsvelventysjo.shop", "shatterbreathepsw.shop", "tolerateilusidjukl.shop", "productivelookewr.shop", "strollheavengwu.shop"], "Build id": "P6Mk0M--superstar"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
| |
| Windows_Trojan_Smokeloader_3687686f | unknown | unknown |
| |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Code function: | 0_2_00415999 | |
Compliance | |
|---|
| Source: | Unpacked PE file: | ||
| Source: | Static PE information: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 0_2_00422458 | |
| Source: | Code function: | 0_2_0041C540 | |
| Source: | Code function: | 0_2_004357CA | |
| Source: | Code function: | 0_2_004359E2 | |
| Source: | Code function: | 0_2_00414C49 | |
| Source: | Code function: | 0_2_00433D10 | |
| Source: | Code function: | 0_2_00433D10 | |
| Source: | Code function: | 0_2_00424087 | |
| Source: | Code function: | 0_2_00424084 | |
| Source: | Code function: | 0_2_0040D140 | |
| Source: | Code function: | 0_2_00403260 | |
| Source: | Code function: | 0_2_00423943 | |
| Source: | Code function: | 0_2_0041F234 | |
| Source: | Code function: | 0_2_004142F0 | |
| Source: | Code function: | 0_2_0041E451 | |
| Source: | Code function: | 0_2_0041A420 | |
| Source: | Code function: | 0_2_0041A420 | |
| Source: | Code function: | 0_2_00414596 | |
| Source: | Code function: | 0_2_0041F640 | |
| Source: | Code function: | 0_2_004146E6 | |
| Source: | Code function: | 0_2_0042271D | |
| Source: | Code function: | 0_2_004137C9 | |
| Source: | Code function: | 0_2_0041F828 | |
| Source: | Code function: | 0_2_0041A8C0 | |
| Source: | Code function: | 0_2_0042F890 | |
| Source: | Code function: | 0_2_0042594F | |
| Source: | Code function: | 0_2_004259CD | |
| Source: | Code function: | 0_2_004259D2 | |
| Source: | Code function: | 0_2_00411A44 | |
| Source: | Code function: | 0_2_0040FA49 | |
| Source: | Code function: | 0_2_00431A70 | |
| Source: | Code function: | 0_2_0041CAEC | |
| Source: | Code function: | 0_2_00437C47 | |
| Source: | Code function: | 0_2_00437C45 | |
| Source: | Code function: | 0_2_00413C46 | |
| Source: | Code function: | 0_2_00421CC7 | |
| Source: | Code function: | 0_2_00424CB0 | |
| Source: | Code function: | 0_2_00415D7D | |
| Source: | Code function: | 0_2_00413E4A | |
| Source: | Code function: | 0_2_02D142EB | |
| Source: | Code function: | 0_2_02D142EE | |
| Source: | Code function: | 0_2_02CFD3A7 | |
| Source: | Code function: | 0_2_02D0D377 | |
| Source: | Code function: | 0_2_02D040B1 | |
| Source: | Code function: | 0_2_02D0A687 | |
| Source: | Code function: | 0_2_02D0A687 | |
| Source: | Code function: | 0_2_02D0E6B8 | |
| Source: | Code function: | 0_2_02D126BF | |
| Source: | Code function: | 0_2_02D047FD | |
| Source: | Code function: | 0_2_02D0C7A7 | |
| Source: | Code function: | 0_2_02D13BAA | |
| Source: | Code function: | 0_2_02CF34C7 | |
| Source: | Code function: | 0_2_02D07494 | |
| Source: | Code function: | 0_2_02D0F49B | |
| Source: | Code function: | 0_2_02D04557 | |
| Source: | Code function: | 0_2_02D1FAF7 | |
| Source: | Code function: | 0_2_02D0FA8F | |
| Source: | Code function: | 0_2_02D03A30 | |
| Source: | Code function: | 0_2_02D25A31 | |
| Source: | Code function: | 0_2_02D15BB6 | |
| Source: | Code function: | 0_2_02D0AB27 | |
| Source: | Code function: | 0_2_02D0F8A7 | |
| Source: | Code function: | 0_2_02D12984 | |
| Source: | Code function: | 0_2_02D0494D | |
| Source: | Code function: | 0_2_02D04EB0 | |
| Source: | Code function: | 0_2_02D27EAE | |
| Source: | Code function: | 0_2_02D03EAD | |
| Source: | Code function: | 0_2_02D27EAC | |
| Source: | Code function: | 0_2_02D05FE4 | |
| Source: | Code function: | 0_2_02D23F77 | |
| Source: | Code function: | 0_2_02D23F77 | |
| Source: | Code function: | 0_2_02D14F17 | |
| Source: | Code function: | 0_2_02D11F2E | |
| Source: | Code function: | 0_2_02D21CD7 | |
| Source: | Code function: | 0_2_02D01CAB | |
| Source: | Code function: | 0_2_02CFFCB0 | |
| Source: | Code function: | 0_2_02D25C49 | |
| Source: | Code function: | 0_2_02D15C34 | |
| Source: | Code function: | 0_2_02D15C39 | |
Networking | |
|---|
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 0_2_0042C500 | |
| Source: | Code function: | 0_2_0042C500 | |
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Code function: | 0_2_00432010 | |
| Source: | Code function: | 0_2_004204B7 | |
| Source: | Code function: | 0_2_00404740 | |
| Source: | Code function: | 0_2_00420CA0 | |
| Source: | Code function: | 0_2_00406030 | |
| Source: | Code function: | 0_2_00403260 | |
| Source: | Code function: | 0_2_004052F0 | |
| Source: | Code function: | 0_2_004065F0 | |
| Source: | Code function: | 0_2_004345F0 | |
| Source: | Code function: | 0_2_0040F690 | |
| Source: | Code function: | 0_2_004397D0 | |
| Source: | Code function: | 0_2_0042594F | |
| Source: | Code function: | 0_2_004259D2 | |
| Source: | Code function: | 0_2_00431A70 | |
| Source: | Code function: | 0_2_0041CAEC | |
| Source: | Code function: | 0_2_00439AF0 | |
| Source: | Code function: | 0_2_00407CB0 | |
| Source: | Code function: | 0_2_00403D70 | |
| Source: | Code function: | 0_2_00402E70 | |
| Source: | Code function: | 0_2_02CF6297 | |
| Source: | Code function: | 0_2_02CF1267 | |
| Source: | Code function: | 0_2_02CF30D7 | |
| Source: | Code function: | 0_2_02CF34C7 | |
| Source: | Code function: | 0_2_02CF55DB | |
| Source: | Code function: | 0_2_02D29A37 | |
| Source: | Code function: | 0_2_02D15BB6 | |
| Source: | Code function: | 0_2_02CFF8F7 | |
| Source: | Code function: | 0_2_02D24857 | |
| Source: | Code function: | 0_2_02CFF824 | |
| Source: | Code function: | 0_2_02CF49A7 | |
| Source: | Code function: | 0_2_02CF3FD7 | |
| Source: | Code function: | 0_2_02D10F07 | |
| Source: | Code function: | 0_2_02CF7F17 | |
| Source: | Code function: | 0_2_02D21CD7 | |
| Source: | Code function: | 0_2_02D15C39 | |
| Source: | Code function: | 0_2_02D29D57 | |
| Source: | Process created: | ||
| Source: | Static PE information: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_02D78196 | |
| Source: | Code function: | 0_2_00429597 | |
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
Data Obfuscation | |
|---|
| Source: | Unpacked PE file: | ||
| Source: | Unpacked PE file: | ||
| Source: | Code function: | 0_2_0043FBE8 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | System information queried: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_00433CC0 | |
| Source: | Code function: | 0_2_02CF092B | |
| Source: | Code function: | 0_2_02CF0D90 | |
| Source: | Code function: | 0_2_02D77A73 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 11 Virtualization/Sandbox Evasion | 1 OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 31 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | 2 Clipboard Data | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Software Packing | LSA Secrets | 12 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| strollheavengwu.shop | 104.21.15.198 | true | true | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true | unknown | ||
| true | unknown | ||
| true | unknown | ||
| true | unknown | ||
| false | unknown | ||
| true | unknown | ||
| true | unknown | ||
| true | unknown | ||
| true | unknown | ||
| true | unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | unknown | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | unknown | |||
| false | unknown | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | unknown | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | unknown | |||
| false | high | |||
| false | high | |||
| false | unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 104.21.15.198 | strollheavengwu.shop | United States | 13335 | CLOUDFLARENETUS | true |
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1429931 |
| Start date and time: | 2024-04-22 22:26:07 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 25s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 8 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | iPUk65i3yI.exerenamed because original name is a hash value |
| Original Sample Name: | 76845f267f56cb0fcc216d4ac9548131.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@2/5@1/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 52.168.117.173
- Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
- HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: iPUk65i3yI.exe
| Time | Type | Description |
|---|---|---|
| 22:27:03 | API Interceptor | |
| 22:27:30 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 104.21.15.198 | Get hash | malicious | LummaC | Browse | ||
| Get hash | malicious | LummaC | Browse | |||
| Get hash | malicious | LummaC | Browse | |||
| Get hash | malicious | LummaC | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| strollheavengwu.shop | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | HTMLPhisher | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Mars Stealer, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Remcos, DBatLoader | Browse |
| ||
| Get hash | malicious | GuLoader, Remcos | Browse |
| ||
| Get hash | malicious | CredGrabber, Meduza Stealer | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | Remcos, DBatLoader | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Remcos, DBatLoader | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Remcos, DBatLoader | Browse |
| ||
| Get hash | malicious | Remcos, DBatLoader | Browse |
| ||
| Get hash | malicious | Babuk, Clipboard Hijacker, Djvu, RedLine, SmokeLoader, Vidar | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | RisePro Stealer | Browse |
|
⊘No context
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_iPUk65i3yI.exe_2ec5395f16112ba3e812158ee989f8fd32d1fc_6086caad_64945b72-550f-47ce-b2ed-fb2dd609c044\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.9926098330121135 |
| Encrypted: | false |
| SSDEEP: | 96:SPYlw2zsFxhqPxFj7qPcf+QXIDcQBc6mcEJcw35m+HbHg/opAnQPxVg7TFOy4UO1:YCjzlmC0/izt3jxpFPzuiF0Z24IO8H |
| MD5: | F3AAB371DEFDFFBD8F165C11A52EDBE3 |
| SHA1: | 1E3F18F0EDDC2E58CB375A660C8E04B2AF4A9E76 |
| SHA-256: | 7195D1BD7A83FB287512CCE5CD346BF5588D9FCE7692B7490E12FF4FD466BD39 |
| SHA-512: | 74985C6C2DF69EB91AF67536C88F70874C087862EC3710DD516B8DE7E72AE04B22B8258C98E6608E9790FBB9E53DD55CFC9B5D57469AD27747F9F068C6FDB3D1 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 47062 |
| Entropy (8bit): | 2.6828007998606007 |
| Encrypted: | false |
| SSDEEP: | 192:wXsXSjSVF4LydOzBAT0T+5QpFj+KGHhUAcP2NGPzVYzn4O0EH:ybSbZQzBs0tONHdcP2MPBE4z0 |
| MD5: | 2B8C485E91F9CCC15BB8D2C751285178 |
| SHA1: | 37CD95678749ABA6FBBFC935C20725C214BDC62C |
| SHA-256: | 752771A0FBE895BABAB3ECA88FF76D2F1BB43A4FC34F6C327294D5DFF29E4235 |
| SHA-512: | D9FAFF877646BAF3BDD8421D99B9BBA4440DC6F2AA7CE4743C7B7C920CE7BBBFA2B5B18671549CC452C7BCEB54848BC07944FC6D2C2D86900D9E9EC86863AA6C |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8334 |
| Entropy (8bit): | 3.69406677760908 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJch6eS6Y90SUvBMvgmfFB2pDO89bpj5sfkj7m:R6lXJC6r6Y+SUJMvgmfFBspjSfIy |
| MD5: | CDF52D1751A41723C02D173CC67978F0 |
| SHA1: | CDAAEF3A8C67189E24FD0A03961AEFC000250072 |
| SHA-256: | 8F6C42A9F2B78A6B3ADCD1C777FF957C90604C9173277CAEB58A3AB5E4842D30 |
| SHA-512: | 752D1C3D29DD7E2FCC315B973FD7225CE097BB77DEF64E5484CCEAC19FB36CBD9FB249BD182D5B83AF9282120A65E68075DD6A3CD99EB6898022C28340A5EC8B |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4579 |
| Entropy (8bit): | 4.470657867336991 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zswJg77aI9PUWpW8VY4wYm8M4Jt/FJ+q8KyQ77sd:uIjf2I71N7VrdJVqU7sd |
| MD5: | C9DEB9E1339CFB39062AF1303DDAE439 |
| SHA1: | A7336F97BB91C1D029ED1E11B398FAA0D49CE45F |
| SHA-256: | 9C997D1D816B2554BAA9AE3D628AC56D5028594F6CCB6CF561F9FE9894CA14F3 |
| SHA-512: | E64684415442BDEC45171B75F0DD0314EDAAEE1754217E0871C58648FD17188C76D80E42ADABD5B37C2BC1D9015BFBEFB85102EC035BB321E1FABF6332CA3C6F |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1835008 |
| Entropy (8bit): | 4.465409429593371 |
| Encrypted: | false |
| SSDEEP: | 6144:NIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNfdwBCswSbz:eXD94+WlLZMM6YFHF+z |
| MD5: | DA0D216615F89DA6369390EDDE38BB7A |
| SHA1: | 9409AB0CA0B3E0D9B5580A892B6C62B1F491A1C7 |
| SHA-256: | 2D6750848A37A5D591464412848FAA96567742A7E29AC6EE5946A7465389A7F9 |
| SHA-512: | DEF7C36AA6E4FD7AE1975D13AB44BD1DE9EF6BEF05A6C513ED99F395C6A59E319503FAF2DAF26CEB60A90D65220BBA572D2D611C208BF78B97FD8FB06C561D3E |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.459637649900326 |
| TrID: |
|
| File name: | iPUk65i3yI.exe |
| File size: | 370'688 bytes |
| MD5: | 76845f267f56cb0fcc216d4ac9548131 |
| SHA1: | 7adbac444ea4368fd5c152099e40382e7a18ca3d |
| SHA256: | c165f0872716556f3a5612b4f220fea8620b32fc7ff9596fc430f8b9f88b513b |
| SHA512: | 63fb848a46e99f441ef266e8a4dc6f64623a523982955bd032a30664e9a364595e041f91816c3e1fb1d4652c8f9bc9406f9fc710e36bf9aa911541b0437e9189 |
| SSDEEP: | 6144:eo4Qn2Rvp2bpnwXk4hJ/T2XHbD2lSUf1yG3MJ:eJQn2Rvp2Vn2t/TsHbDjQyG |
| TLSH: | 5D74E03073E0EC3AD56A4A71C96BC7F05D2FB8622D7496DB3754166F2E312909A3E306 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................S.......E.......B......)................L.......R.......W.....Rich............................PE..L.....Ld... |
 | |
| Icon Hash: | 6727676783571667 |
| Entrypoint: | 0x4015b0 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x644C1601 [Fri Apr 28 18:52:49 2023 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 0 |
| File Version Major: | 5 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 0 |
| Import Hash: | d10268a82f0ec0b09c4d5e18431c41e9 |
| Instruction |
|---|
| call 00007FE3F0E0CA00h |
| jmp 00007FE3F0E08CDDh |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| mov ecx, dword ptr [esp+04h] |
| test ecx, 00000003h |
| je 00007FE3F0E08E86h |
| mov al, byte ptr [ecx] |
| add ecx, 01h |
| test al, al |
| je 00007FE3F0E08EB0h |
| test ecx, 00000003h |
| jne 00007FE3F0E08E51h |
| add eax, 00000000h |
| lea esp, dword ptr [esp+00000000h] |
| lea esp, dword ptr [esp+00000000h] |
| mov eax, dword ptr [ecx] |
| mov edx, 7EFEFEFFh |
| add edx, eax |
| xor eax, FFFFFFFFh |
| xor eax, edx |
| add ecx, 04h |
| test eax, 81010100h |
| je 00007FE3F0E08E4Ah |
| mov eax, dword ptr [ecx-04h] |
| test al, al |
| je 00007FE3F0E08E94h |
| test ah, ah |
| je 00007FE3F0E08E86h |
| test eax, 00FF0000h |
| je 00007FE3F0E08E75h |
| test eax, FF000000h |
| je 00007FE3F0E08E64h |
| jmp 00007FE3F0E08E2Fh |
| lea eax, dword ptr [ecx-01h] |
| mov ecx, dword ptr [esp+04h] |
| sub eax, ecx |
| ret |
| lea eax, dword ptr [ecx-02h] |
| mov ecx, dword ptr [esp+04h] |
| sub eax, ecx |
| ret |
| lea eax, dword ptr [ecx-03h] |
| mov ecx, dword ptr [esp+04h] |
| sub eax, ecx |
| ret |
| lea eax, dword ptr [ecx-04h] |
| mov ecx, dword ptr [esp+04h] |
| sub eax, ecx |
| ret |
| mov edi, edi |
| push ebp |
| mov ebp, esp |
| sub esp, 20h |
| mov eax, dword ptr [ebp+08h] |
| push esi |
| push edi |
| push 00000008h |
| pop ecx |
| mov esi, 0040C20Ch |
| lea edi, dword ptr [ebp-20h] |
| rep movsd |
| mov dword ptr [ebp-08h], eax |
| mov eax, dword ptr [ebp+0Ch] |
| pop edi |
| mov dword ptr [ebp-04h], eax |
| pop esi |
| test eax, eax |
| je 00007FE3F0E08E6Eh |
| test byte ptr [eax], 00000008h |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4aebc | 0x3c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x282f000 | 0xdc88 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0xc000 | 0x190 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xa59d | 0xa600 | 9808774d2d8323059b963611921381fc | False | 0.6182699548192772 | data | 6.5780027888601085 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0xc000 | 0x3f7d0 | 0x3f800 | 5388b4298efb9505a71243bc518be023 | False | 0.7016217089074803 | data | 6.53415578942608 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x4c000 | 0x27e22c8 | 0x2800 | 4a5f545f74df16f9652a9ecf98f7158c | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x282f000 | 0xdc88 | 0xde00 | fe3965f63c914b3f6704ea3287517976 | False | 0.5008445945945946 | data | 5.2791432506398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| DOTOGACORIKEXECON | 0x283b568 | 0x476 | ASCII text, with very long lines (1142), with no line terminators | Turkish | Turkey | 0.6260945709281961 |
| RT_ICON | 0x282f5b0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkish | Turkey | 0.4312366737739872 |
| RT_ICON | 0x2830458 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkish | Turkey | 0.5744584837545126 |
| RT_ICON | 0x2830d00 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkish | Turkey | 0.6388248847926268 |
| RT_ICON | 0x28313c8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkish | Turkey | 0.6820809248554913 |
| RT_ICON | 0x2831930 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Turkish | Turkey | 0.524792531120332 |
| RT_ICON | 0x2833ed8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkish | Turkey | 0.5967213114754099 |
| RT_ICON | 0x2834860 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkish | Turkey | 0.6276595744680851 |
| RT_ICON | 0x2834d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.44429637526652455 |
| RT_ICON | 0x2835bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.5640794223826715 |
| RT_ICON | 0x2836480 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.6065668202764977 |
| RT_ICON | 0x2836b48 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.6690751445086706 |
| RT_ICON | 0x28370b0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Turkish | Turkey | 0.3886929460580913 |
| RT_ICON | 0x2839658 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Turkish | Turkey | 0.41862101313320826 |
| RT_ICON | 0x283a700 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Turkish | Turkey | 0.4430327868852459 |
| RT_ICON | 0x283b088 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Turkish | Turkey | 0.44148936170212766 |
| RT_STRING | 0x283bbe8 | 0x58c | data | 0.44084507042253523 | ||
| RT_STRING | 0x283c178 | 0x86 | data | 0.6417910447761194 | ||
| RT_STRING | 0x283c200 | 0x65a | data | 0.42927429274292744 | ||
| RT_STRING | 0x283c860 | 0x1ea | data | 0.48775510204081635 | ||
| RT_STRING | 0x283ca50 | 0x108 | data | 0.5454545454545454 | ||
| RT_STRING | 0x283cb58 | 0x12a | data | 0.5134228187919463 | ||
| RT_ACCELERATOR | 0x283b9e0 | 0x28 | data | 1.0 | ||
| RT_GROUP_ICON | 0x2834cc8 | 0x68 | data | Turkish | Turkey | 0.7115384615384616 |
| RT_GROUP_ICON | 0x283b4f0 | 0x76 | data | Turkish | Turkey | 0.6779661016949152 |
| RT_VERSION | 0x283ba08 | 0x1e0 | data | 0.5666666666666667 |
| DLL | Import |
|---|---|
| KERNEL32.dll | GetLocaleInfoA, GetConsoleAliasExesLengthA, SetFirmwareEnvironmentVariableA, GetComputerNameW, UnlockFile, GetModuleHandleW, GetConsoleAliasesLengthA, GetDateFormatA, SetCommState, GlobalAlloc, LoadLibraryW, IsValidLocale, HeapDestroy, FindNextVolumeW, IsBadWritePtr, GlobalUnfix, EnumCalendarInfoA, GetProcessHeaps, LoadLibraryA, SetCalendarInfoW, SetConsoleDisplayMode, SetCurrentDirectoryW, WaitForMultipleObjects, GetModuleFileNameA, SetConsoleTitleW, FreeEnvironmentStringsW, BuildCommDCBA, VirtualProtect, GetCurrentDirectoryA, FindAtomW, SetFileAttributesW, GetVolumeInformationW, LocalFileTimeToFileTime, GetProcAddress, GetFileSize, GetCommandLineA, GetStartupInfoA, RaiseException, RtlUnwind, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, GetLastError, HeapFree, EnterCriticalSection, LeaveCriticalSection, Sleep, ExitProcess, WriteFile, GetStdHandle, FreeEnvironmentStringsA, GetEnvironmentStrings, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, DeleteCriticalSection, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, SetFilePointer, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, VirtualAlloc, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, FlushFileBuffers, CreateFileA, CloseHandle |
| ADVAPI32.dll | ReadEventLogA |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| Turkish | Turkey |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Apr 22, 2024 22:27:02.134573936 CEST | 49730 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:02.134656906 CEST | 443 | 49730 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:02.134766102 CEST | 49730 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:02.138631105 CEST | 49730 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:02.138667107 CEST | 443 | 49730 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:02.361022949 CEST | 443 | 49730 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:02.361278057 CEST | 49730 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:02.365935087 CEST | 49730 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:02.365959883 CEST | 443 | 49730 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:02.366193056 CEST | 443 | 49730 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:02.412023067 CEST | 49730 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:02.443958998 CEST | 49730 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:02.444014072 CEST | 49730 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:02.444113970 CEST | 443 | 49730 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:02.882814884 CEST | 443 | 49730 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:02.882910013 CEST | 443 | 49730 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:02.883094072 CEST | 49730 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:02.901290894 CEST | 49730 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:02.901324987 CEST | 443 | 49730 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:02.905783892 CEST | 49731 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:02.905884981 CEST | 443 | 49731 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:02.905988932 CEST | 49731 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:02.907284021 CEST | 49731 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:02.907321930 CEST | 443 | 49731 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:03.127580881 CEST | 443 | 49731 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:03.127819061 CEST | 49731 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:03.129501104 CEST | 49731 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:03.129513025 CEST | 443 | 49731 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:03.129765987 CEST | 443 | 49731 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:03.131520033 CEST | 49731 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:03.131561995 CEST | 49731 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:03.131587982 CEST | 443 | 49731 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:03.656584024 CEST | 443 | 49731 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:03.656721115 CEST | 443 | 49731 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:03.656814098 CEST | 443 | 49731 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:03.656902075 CEST | 443 | 49731 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:03.656909943 CEST | 49731 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:03.656979084 CEST | 443 | 49731 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:03.657023907 CEST | 49731 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:03.657077074 CEST | 443 | 49731 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:03.657128096 CEST | 49731 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:03.657145023 CEST | 443 | 49731 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:03.657242060 CEST | 443 | 49731 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:03.657299042 CEST | 49731 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:03.657313108 CEST | 443 | 49731 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:03.657424927 CEST | 443 | 49731 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:03.657483101 CEST | 49731 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:03.657495975 CEST | 443 | 49731 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:03.657593012 CEST | 443 | 49731 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:03.657659054 CEST | 49731 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:03.657671928 CEST | 443 | 49731 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:03.657826900 CEST | 443 | 49731 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:03.657891035 CEST | 49731 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:03.658307076 CEST | 49731 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:03.658337116 CEST | 443 | 49731 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:03.658365965 CEST | 49731 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:03.658379078 CEST | 443 | 49731 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:03.851205111 CEST | 49732 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:03.851273060 CEST | 443 | 49732 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:03.851367950 CEST | 49732 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:03.851757050 CEST | 49732 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:03.851790905 CEST | 443 | 49732 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:04.076394081 CEST | 443 | 49732 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:04.076535940 CEST | 49732 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:04.078392029 CEST | 49732 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:04.078419924 CEST | 443 | 49732 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:04.078778982 CEST | 443 | 49732 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:04.080391884 CEST | 49732 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:04.080601931 CEST | 49732 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:04.080647945 CEST | 443 | 49732 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:04.080719948 CEST | 49732 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:04.080739975 CEST | 443 | 49732 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:04.596702099 CEST | 443 | 49732 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:04.597013950 CEST | 443 | 49732 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:04.597111940 CEST | 49732 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:04.597186089 CEST | 49732 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:04.597223997 CEST | 443 | 49732 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:04.716886044 CEST | 49733 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:04.716927052 CEST | 443 | 49733 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:04.717046976 CEST | 49733 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:04.717510939 CEST | 49733 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:04.717529058 CEST | 443 | 49733 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:04.936182022 CEST | 443 | 49733 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:04.936515093 CEST | 49733 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:04.938153982 CEST | 49733 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:04.938180923 CEST | 443 | 49733 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:04.938543081 CEST | 443 | 49733 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:04.940443039 CEST | 49733 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:04.940675020 CEST | 49733 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:04.940717936 CEST | 443 | 49733 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:05.426084042 CEST | 443 | 49733 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:05.426213980 CEST | 443 | 49733 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:05.426301003 CEST | 49733 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:05.426528931 CEST | 49733 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:05.426570892 CEST | 443 | 49733 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:05.623624086 CEST | 49734 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:05.623673916 CEST | 443 | 49734 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:05.623871088 CEST | 49734 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:05.624222040 CEST | 49734 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:05.624239922 CEST | 443 | 49734 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:05.843120098 CEST | 443 | 49734 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:05.843206882 CEST | 49734 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:05.845288038 CEST | 49734 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:05.845303059 CEST | 443 | 49734 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:05.845658064 CEST | 443 | 49734 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:05.847610950 CEST | 49734 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:05.847759962 CEST | 49734 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:05.847798109 CEST | 443 | 49734 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:05.847877979 CEST | 49734 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:05.847889900 CEST | 443 | 49734 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:06.413459063 CEST | 443 | 49734 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:06.413713932 CEST | 443 | 49734 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:06.413746119 CEST | 49734 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:06.413770914 CEST | 49734 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:06.514574051 CEST | 49735 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:06.514628887 CEST | 443 | 49735 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:06.514722109 CEST | 49735 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:06.515342951 CEST | 49735 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:06.515373945 CEST | 443 | 49735 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:06.745040894 CEST | 443 | 49735 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:06.745150089 CEST | 49735 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:06.747004986 CEST | 49735 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:06.747020960 CEST | 443 | 49735 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:06.747534990 CEST | 443 | 49735 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:06.748781919 CEST | 49735 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:06.748934984 CEST | 49735 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:06.748980045 CEST | 443 | 49735 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:07.243700027 CEST | 443 | 49735 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:07.243993998 CEST | 443 | 49735 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:07.244158983 CEST | 49735 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:07.244158983 CEST | 49735 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:07.312525034 CEST | 49736 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:07.312616110 CEST | 443 | 49736 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:07.312722921 CEST | 49736 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:07.313110113 CEST | 49736 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:07.313144922 CEST | 443 | 49736 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:07.533879042 CEST | 443 | 49736 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:07.533982038 CEST | 49736 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:07.536201954 CEST | 49736 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:07.536226988 CEST | 443 | 49736 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:07.536566019 CEST | 443 | 49736 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:07.538310051 CEST | 49736 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:07.538458109 CEST | 49736 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:07.538470984 CEST | 443 | 49736 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:08.023574114 CEST | 443 | 49736 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:08.023711920 CEST | 443 | 49736 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:08.024136066 CEST | 49736 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:08.024537086 CEST | 49736 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:08.024600029 CEST | 443 | 49736 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:08.854778051 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:08.854871035 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:08.854979992 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:08.855647087 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:08.855684042 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:09.081135035 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:09.081402063 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:09.089351892 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:09.089380980 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:09.089792013 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:09.091382980 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:09.092289925 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:09.092339993 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:09.092482090 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:09.092535019 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:09.092680931 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:09.092753887 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:09.092912912 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:09.092959881 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:09.093144894 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:09.093210936 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:09.093411922 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:09.093485117 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:09.093501091 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:09.093518972 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:09.093698025 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:09.093753099 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:09.093801022 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:09.093895912 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:09.093952894 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:09.140115976 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:09.140357018 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:09.140431881 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:09.140492916 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:09.188111067 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:09.188352108 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:09.236157894 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:09.407447100 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:10.592921019 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:10.593055010 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
| Apr 22, 2024 22:27:10.593374014 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:10.593532085 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
| Apr 22, 2024 22:27:10.593554974 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Apr 22, 2024 22:27:01.989098072 CEST | 56059 | 53 | 192.168.2.4 | 1.1.1.1 |
| Apr 22, 2024 22:27:02.127250910 CEST | 53 | 56059 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Apr 22, 2024 22:27:01.989098072 CEST | 192.168.2.4 | 1.1.1.1 | 0x2bef | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Apr 22, 2024 22:27:02.127250910 CEST | 1.1.1.1 | 192.168.2.4 | 0x2bef | No error (0) | 104.21.15.198 | A (IP address) | IN (0x0001) | false | ||
| Apr 22, 2024 22:27:02.127250910 CEST | 1.1.1.1 | 192.168.2.4 | 0x2bef | No error (0) | 172.67.163.209 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49730 | 104.21.15.198 | 443 | 7352 | C:\Users\user\Desktop\iPUk65i3yI.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-22 20:27:02 UTC | 267 | OUT | |
| 2024-04-22 20:27:02 UTC | 8 | OUT | |
| 2024-04-22 20:27:02 UTC | 808 | IN | |
| 2024-04-22 20:27:02 UTC | 7 | IN | |
| 2024-04-22 20:27:02 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49731 | 104.21.15.198 | 443 | 7352 | C:\Users\user\Desktop\iPUk65i3yI.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-22 20:27:03 UTC | 268 | OUT | |
| 2024-04-22 20:27:03 UTC | 58 | OUT | |
| 2024-04-22 20:27:03 UTC | 808 | IN | |
| 2024-04-22 20:27:03 UTC | 561 | IN | |
| 2024-04-22 20:27:03 UTC | 1369 | IN | |
| 2024-04-22 20:27:03 UTC | 1369 | IN | |
| 2024-04-22 20:27:03 UTC | 1369 | IN | |
| 2024-04-22 20:27:03 UTC | 1369 | IN | |
| 2024-04-22 20:27:03 UTC | 1369 | IN | |
| 2024-04-22 20:27:03 UTC | 1369 | IN | |
| 2024-04-22 20:27:03 UTC | 1369 | IN | |
| 2024-04-22 20:27:03 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 49732 | 104.21.15.198 | 443 | 7352 | C:\Users\user\Desktop\iPUk65i3yI.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-22 20:27:04 UTC | 286 | OUT | |
| 2024-04-22 20:27:04 UTC | 15331 | OUT | |
| 2024-04-22 20:27:04 UTC | 2836 | OUT | |
| 2024-04-22 20:27:04 UTC | 810 | IN | |
| 2024-04-22 20:27:04 UTC | 20 | IN | |
| 2024-04-22 20:27:04 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.4 | 49733 | 104.21.15.198 | 443 | 7352 | C:\Users\user\Desktop\iPUk65i3yI.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-22 20:27:04 UTC | 285 | OUT | |
| 2024-04-22 20:27:04 UTC | 8788 | OUT | |
| 2024-04-22 20:27:05 UTC | 810 | IN | |
| 2024-04-22 20:27:05 UTC | 20 | IN | |
| 2024-04-22 20:27:05 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.4 | 49734 | 104.21.15.198 | 443 | 7352 | C:\Users\user\Desktop\iPUk65i3yI.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-22 20:27:05 UTC | 286 | OUT | |
| 2024-04-22 20:27:05 UTC | 15331 | OUT | |
| 2024-04-22 20:27:05 UTC | 5110 | OUT | |
| 2024-04-22 20:27:06 UTC | 814 | IN | |
| 2024-04-22 20:27:06 UTC | 20 | IN | |
| 2024-04-22 20:27:06 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.4 | 49735 | 104.21.15.198 | 443 | 7352 | C:\Users\user\Desktop\iPUk65i3yI.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-22 20:27:06 UTC | 285 | OUT | |
| 2024-04-22 20:27:06 UTC | 3798 | OUT | |
| 2024-04-22 20:27:07 UTC | 812 | IN | |
| 2024-04-22 20:27:07 UTC | 20 | IN | |
| 2024-04-22 20:27:07 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.4 | 49736 | 104.21.15.198 | 443 | 7352 | C:\Users\user\Desktop\iPUk65i3yI.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-22 20:27:07 UTC | 285 | OUT | |
| 2024-04-22 20:27:07 UTC | 1417 | OUT | |
| 2024-04-22 20:27:08 UTC | 818 | IN | |
| 2024-04-22 20:27:08 UTC | 20 | IN | |
| 2024-04-22 20:27:08 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.4 | 49737 | 104.21.15.198 | 443 | 7352 | C:\Users\user\Desktop\iPUk65i3yI.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-22 20:27:09 UTC | 287 | OUT | |
| 2024-04-22 20:27:09 UTC | 15331 | OUT | |
| 2024-04-22 20:27:09 UTC | 15331 | OUT | |
| 2024-04-22 20:27:09 UTC | 15331 | OUT | |
| 2024-04-22 20:27:09 UTC | 15331 | OUT | |
| 2024-04-22 20:27:09 UTC | 15331 | OUT | |
| 2024-04-22 20:27:09 UTC | 15331 | OUT | |
| 2024-04-22 20:27:09 UTC | 15331 | OUT | |
| 2024-04-22 20:27:09 UTC | 15331 | OUT | |
| 2024-04-22 20:27:09 UTC | 15331 | OUT | |
| 2024-04-22 20:27:09 UTC | 15331 | OUT | |
| 2024-04-22 20:27:10 UTC | 806 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 22:26:58 |
| Start date: | 22/04/2024 |
| Path: | C:\Users\user\Desktop\iPUk65i3yI.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 370'688 bytes |
| MD5 hash: | 76845F267F56CB0FCC216D4AC9548131 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 22:27:10 |
| Start date: | 22/04/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xd50000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 8.9% |
| Dynamic/Decrypted Code Coverage: | 9.4% |
| Signature Coverage: | 27.1% |
| Total number of Nodes: | 361 |
| Total number of Limit Nodes: | 19 |
Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00404740 Relevance: 5.5, Strings: 4, Instructions: 501COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D78196 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00414C49 Relevance: 2.6, Strings: 2, Instructions: 80COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041C540 Relevance: 1.6, Strings: 1, Instructions: 365COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00433CC0 Relevance: 1.5, APIs: 1, Instructions: 16libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004137C9 Relevance: 1.4, Strings: 1, Instructions: 105COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004204B7 Relevance: .4, Instructions: 438COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00420CA0 Relevance: .4, Instructions: 371COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00432010 Relevance: .3, Instructions: 300COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00433D10 Relevance: .2, Instructions: 229COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00422458 Relevance: .2, Instructions: 153COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004357CA Relevance: .1, Instructions: 131COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004359E2 Relevance: .1, Instructions: 76COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00429597 Relevance: .0, Instructions: 17COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CF003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0042D608 Relevance: 3.1, APIs: 2, Instructions: 91COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00417810 Relevance: 3.1, APIs: 2, Instructions: 65COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CF0E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00427F5A Relevance: 1.6, APIs: 1, Instructions: 104memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00427F84 Relevance: 1.6, APIs: 1, Instructions: 95memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00436209 Relevance: 1.6, APIs: 1, Instructions: 87libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00435F1F Relevance: 1.6, APIs: 1, Instructions: 68libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00433B50 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004375CD Relevance: 1.5, APIs: 1, Instructions: 44memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00433C2A Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D77E55 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0042C500 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 153clipboardCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CF49A7 Relevance: 5.5, Strings: 4, Instructions: 501COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CF092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004052F0 Relevance: 3.4, Strings: 2, Instructions: 851COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CF55DB Relevance: 3.3, Strings: 2, Instructions: 809COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D13BAA Relevance: 3.1, Strings: 2, Instructions: 643COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CF1267 Relevance: 3.0, Strings: 2, Instructions: 518COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00439AF0 Relevance: 2.8, Strings: 2, Instructions: 310COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D29D57 Relevance: 2.8, Strings: 2, Instructions: 310COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00413E4A Relevance: 2.6, Strings: 2, Instructions: 146COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D040B1 Relevance: 2.6, Strings: 2, Instructions: 146COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D04EB0 Relevance: 2.6, Strings: 2, Instructions: 80COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D142EB Relevance: 1.9, Strings: 1, Instructions: 676COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D142EE Relevance: 1.9, Strings: 1, Instructions: 650COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D0C7A7 Relevance: 1.6, Strings: 1, Instructions: 365COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041A8C0 Relevance: 1.6, Strings: 1, Instructions: 304COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D0AB27 Relevance: 1.6, Strings: 1, Instructions: 304COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041A420 Relevance: 1.5, Strings: 1, Instructions: 296COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D0A687 Relevance: 1.5, Strings: 1, Instructions: 296COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004065F0 Relevance: 1.5, Strings: 1, Instructions: 264COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00413C46 Relevance: 1.4, Strings: 1, Instructions: 106COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D03EAD Relevance: 1.4, Strings: 1, Instructions: 106COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041F234 Relevance: 1.4, Strings: 1, Instructions: 105COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D0F49B Relevance: 1.4, Strings: 1, Instructions: 105COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D03A30 Relevance: 1.4, Strings: 1, Instructions: 105COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0042271D Relevance: 1.3, Strings: 1, Instructions: 88COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D12984 Relevance: 1.3, Strings: 1, Instructions: 88COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041E451 Relevance: 1.3, Strings: 1, Instructions: 34COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D0E6B8 Relevance: 1.3, Strings: 1, Instructions: 34COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00407CB0 Relevance: .9, Instructions: 863COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CF7F17 Relevance: .9, Instructions: 863COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00403260 Relevance: .7, Instructions: 739COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CF34C7 Relevance: .7, Instructions: 739COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004345F0 Relevance: .7, Instructions: 654COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D24857 Relevance: .7, Instructions: 654COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00403D70 Relevance: .6, Instructions: 606COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CF3FD7 Relevance: .6, Instructions: 606COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00406030 Relevance: .5, Instructions: 506COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CF6297 Relevance: .5, Instructions: 506COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0042594F Relevance: .4, Instructions: 439COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D15BB6 Relevance: .4, Instructions: 439COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004259D2 Relevance: .4, Instructions: 438COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D15C39 Relevance: .4, Instructions: 438COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004259CD Relevance: .4, Instructions: 388COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D15C34 Relevance: .4, Instructions: 388COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D10F07 Relevance: .4, Instructions: 371COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004397D0 Relevance: .3, Instructions: 294COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D29A37 Relevance: .3, Instructions: 294COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CFF824 Relevance: .2, Instructions: 231COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D23F77 Relevance: .2, Instructions: 229COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00431A70 Relevance: .2, Instructions: 186COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D21CD7 Relevance: .2, Instructions: 186COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D126BF Relevance: .2, Instructions: 153COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004142F0 Relevance: .1, Instructions: 146COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D04557 Relevance: .1, Instructions: 146COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040F690 Relevance: .1, Instructions: 136COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00415D7D Relevance: .1, Instructions: 136COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CFF8F7 Relevance: .1, Instructions: 136COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D05FE4 Relevance: .1, Instructions: 136COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004146E6 Relevance: .1, Instructions: 131COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D25A31 Relevance: .1, Instructions: 131COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D0494D Relevance: .1, Instructions: 131COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00402E70 Relevance: .1, Instructions: 112COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CF30D7 Relevance: .1, Instructions: 112COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041F828 Relevance: .1, Instructions: 97COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D0FA8F Relevance: .1, Instructions: 97COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041F640 Relevance: .1, Instructions: 77COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D0F8A7 Relevance: .1, Instructions: 77COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D25C49 Relevance: .1, Instructions: 76COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00424CB0 Relevance: .1, Instructions: 65COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D14F17 Relevance: .1, Instructions: 65COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0042F890 Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D1FAF7 Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D0D377 Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D77A73 Relevance: .1, Instructions: 61COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00411A44 Relevance: .1, Instructions: 52COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D01CAB Relevance: .1, Instructions: 52COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00421CC7 Relevance: .0, Instructions: 45COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D11F2E Relevance: .0, Instructions: 45COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CF0D90 Relevance: .0, Instructions: 43COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040FA49 Relevance: .0, Instructions: 30COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CFFCB0 Relevance: .0, Instructions: 30COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040D140 Relevance: .0, Instructions: 21COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02CFD3A7 Relevance: .0, Instructions: 21COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D07494 Relevance: .0, Instructions: 14COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00414596 Relevance: .0, Instructions: 11COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00437C47 Relevance: .0, Instructions: 11COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00437C45 Relevance: .0, Instructions: 11COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D047FD Relevance: .0, Instructions: 11COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D27EAE Relevance: .0, Instructions: 11COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D27EAC Relevance: .0, Instructions: 11COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02D1C767 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 153clipboardCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |