Windows Analysis Report: lfY08S61Ig.exe
Overview
General Information
Sample name: | lfY08S61Ig.exe (renamed because original name is a hash value) |
Original sample name: | c33191b6acc759b04279cfe144307df5.exe |
Analysis ID: | 1434703 |
MD5: | c33191b6acc759b04279cfe144307df5 |
SHA1: | 5506845f558298c407fb5a18b20416708e3e6a25 |
SHA256: | f5354184d3b3097f88065284fbe9570e5d9a72972ae5134f0b496dac18a6b713 |
Tags: | exe |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- lfY08S61Ig.exe (PID: 7580, cmdline: "C:\Users\user\Desktop\lfY08S61Ig.exe", MD5: C33191B6ACC759B04279CFE144307DF5)
  - WerFault.exe (PID: 7776, cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7580 -s 1504, MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | |
{"C2 url": ["boredimperissvieos.shop", "holicisticscrarws.shop", "sweetsquarediaslw.shop", "plaintediousidowsko.shop", "miniaturefinerninewjs.shop", "zippyfinickysofwps.shop", "obsceneclassyjuwks.shop", "acceptabledcooeprs.shop", "stiffraspyofkwsl.shop"], "Build id": "P6Mk0M--superstar"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | |
| | Windows_Trojan_Smokeloader_3687686f | unknown | unknown | |
| | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | Virustotal: |
Source: | Joe Sandbox ML: |
Source: | String decryptor: | (15 entries) |
Compliance |
---|
Source: | Unpacked PE file: |
Source: | Static PE information: |
Source: | File opened: |
Source: | HTTPS traffic detected: |
Source: | Binary string: | (2 entries) |
Networking |
---|
Source: | URLs: | (9 entries) |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | HTTP traffic detected: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | (9 entries) |
Source: | Network traffic detected: | (4 entries) |
Source: | HTTPS traffic detected: |
Source: | Code function: | 0_2_00430520 |
Source: | Code function: | 0_2_00430520 |
Source: | Code function: | 0_2_00431CAA |
System Summary |
---|
Source: | Matched rule: | (2 entries) |
Source: | Process created: |
Source: | Binary or memory string: | (2 entries) |
Source: | Static PE information: |
Source: | Matched rule: | (2 entries) |
Source: | Classification label: |
Source: | Code function: | 0_2_01C4678E |
Source: | Code function: | 0_2_00430169 |
Source: | Mutant created: |
Source: | File created: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | ReversingLabs: |
Source: | Virustotal: |
Source: | File read: |
Source: | Process created: | (2 entries) |
Source: | Section loaded: | (25 entries) |
Source: | File opened: |
Source: | Static PE information: |
Source: | Binary string: | (2 entries) |
Data Obfuscation |
---|
Source: | Unpacked PE file: | (2 entries) |
Source: | Process information set: | (56 entries) |
Source: | Code function: | 0_2_01C4B480 |
Source: | Thread sleep time: |
Source: | Binary or memory string: | (32 entries) |
Source: | Code function: | 0_2_01C4B480 |
Source: | Code function: | 0_2_0043B550 |
Source: | Code function: | 0_2_01BC092B |
Source: | Code function: | 0_2_01BC0D90 |
Source: | Code function: | 0_2_01C4606B |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | String found in binary or memory: | (9 entries) |
Source: | Key value queried: |
Source: | Binary or memory string: | (5 entries) |
Stealing of Sensitive Information |
---|
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 PowerShell | 1 DLL Side-Loading | 1 Process Injection | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 21 Security Software Discovery | Remote Services | 1 Screen Capture | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | 2 Clipboard Data | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 2 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Software Packing | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
74% | ReversingLabs | Win32.Spyware.Lummastealer | ||
54% | Virustotal | Browse | ||
100% | Avira | HEUR/AGEN.1310434 | ||
100% | Joe Sandbox ML |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
stiffraspyofkwsl.shop | 104.21.81.139 | true | true | | unknown |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
104.21.81.139 | stiffraspyofkwsl.shop | United States | 13335 | CLOUDFLARENETUS | true |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1434703 |
Start date and time: | 2024-05-01 16:42:12 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 18s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 12 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | lfY08S61Ig.exe (renamed because original name is a hash value) |
Original Sample Name: | c33191b6acc759b04279cfe144307df5.exe |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@2/5@1/1 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 52.168.117.173
- Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
16:43:14 | API Interceptor | |
16:43:22 | API Interceptor |
Match | Detection | Threat Name |
---|---|---|
CLOUDFLARENETUS | malicious | LummaC |
CLOUDFLARENETUS | malicious | AgentTesla, PureLog Stealer |
CLOUDFLARENETUS | malicious | AgentTesla |
CLOUDFLARENETUS | malicious | HTMLPhisher |
CLOUDFLARENETUS | malicious | AgentTesla, PureLog Stealer |
CLOUDFLARENETUS | malicious | HTMLPhisher |
CLOUDFLARENETUS | malicious | HTMLPhisher |
CLOUDFLARENETUS | malicious | HTMLPhisher |
CLOUDFLARENETUS | malicious | Unknown |
CLOUDFLARENETUS | malicious | HTMLPhisher |
Match | Detection | Threat Name |
---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | malicious | LummaC |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | RisePro Stealer |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | Clipboard Hijacker, RisePro Stealer |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | Unknown |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | Unknown |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer, Socks5Systemz, Vidar, zgRAT |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | Unknown |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | Unknown |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | Unknown |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | Unknown |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_lfY08S61Ig.exe_4632ea77af8f117533587a7775e3a3f93d8dba_f70cea56_1dfe1d1e-84e7-4010-8d4f-0d39fd6fcc47\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.9219912397777914 |
Encrypted: | false |
SSDEEP: | 192:tlMCNDcez0aW6mS0z6gtIkCjjs6YzuiFsZ24IO8+Lti:cC70TjZz6qIRj4zuiFsY4IO8+ |
MD5: | 011CC00D9D72F20B01AAE996647FBC63 |
SHA1: | 8EAE79FA2C90C5246BA095D402CF2B394302F2A0 |
SHA-256: | A3972666801905F37D01D909BF66159D7C4248B24DC400B4BAED047253D8CBAB |
SHA-512: | 98302C49D402624C55436B0EAF4D1BB70E496D01C5FDD016F249D1103ED8C8B4590A402018347EBAA516F3744C20087D2DEEBFAD3FCCCF48A0BD4A3E550D3AC5 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65414 |
Entropy (8bit): | 2.843544780151775 |
Encrypted: | false |
SSDEEP: | 384:chSR5bBCTMFddktNM5hiw/NYApu05ikLVN2SfFn:cmbBOgEM5t5ikL7j9n |
MD5: | 0003603BB58EE33C02B48EE314B2FA84 |
SHA1: | 228D7F5D6CD32BDDD99895D18A745E18E95CB6BB |
SHA-256: | BBC16E3063AAF769E3E4AD72B70D274F4A94E8A56777286D7CA0CA0EF93A8AF4 |
SHA-512: | 63E6707CF41CBE702F84ED8B329DDF77C9E9FD4580FB0A7DC0E71521B72CB5868FD14F573A23BB5DE19FAF66DE7FCF22D79ADC9B0151F182473F5939F4099588 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8332 |
Entropy (8bit): | 3.696280112186265 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJ7ujN6X6YSASUki8gmfgft6gCpDy89bE3sfo5Mm:R6lXJsN6X6YVSUN8gmfW6LE8fon |
MD5: | 2F23DE26D82E733FDFCDCD9902CC9959 |
SHA1: | 09B0E6C738445E49F0360A224355226D4FC129B4 |
SHA-256: | 999B30C5845842DD7553D0DD0A0DEDB629D3933410CAC82DFBC835CB5707C0C0 |
SHA-512: | 513F91DD1308303DFB57D5AF5DBD46BC79F121EA7C9314970FFBD5491A5CDABFE296A8AAAD57648D85FF41B6E8349DE86713EC72F6EAFB1292AC797DA21EE508 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4583 |
Entropy (8bit): | 4.458968692351987 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsFJg77aI9VktWpW8VYaYm8M4JhVFpuo+q8m8o5zqfd:uIjffI7jkc7VOJ9Mo5zqfd |
MD5: | 772EFBA80145AD3659DADBE5828605BA |
SHA1: | B7B00C9B9D6DB368274B714DCD7FCBAD2180F6CB |
SHA-256: | 896BFB97BE16B2927797931D8D49065FF17B8DC42DA054EF9CFF07A862BB0D97 |
SHA-512: | F0485D95A92E9E013778F920F8D708CD02AC4F192AB82A7724D9C350195D192B69216ECE3969069795E89CB85058070AB27FDDB58A402198E3ABA4D0BBCCE316 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1835008 |
Entropy (8bit): | 4.37206078413235 |
Encrypted: | false |
SSDEEP: | 6144:6FVfpi6ceLP/9skLmb0ayWWSPtaJG8nAge35OlMMhA2AX4WABlguNoiL:yV1QyWWI/glMM6kF7eq |
MD5: | CDC5D5F878F74FA9081F21F9239E0413 |
SHA1: | C1B242F419A33DFDD701D02763CCF7B794E8076B |
SHA-256: | DCBBE8EDA0BB14BD5B5878A1283A2C68F16AA14DA6D8023EB4A5E78FBFE5AD2B |
SHA-512: | 5A27A9C9992594E2B717D55608C18227D470DF8EDF86BF8DC9549380FD52ADAC7C06CBE58B246B28619FFED96945A2036508C8F10FAB27164FA494FEB948B414 |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 7.100843927069881 |
TrID: | |
File name: | lfY08S61Ig.exe |
File size: | 393'728 bytes |
MD5: | c33191b6acc759b04279cfe144307df5 |
SHA1: | 5506845f558298c407fb5a18b20416708e3e6a25 |
SHA256: | f5354184d3b3097f88065284fbe9570e5d9a72972ae5134f0b496dac18a6b713 |
SHA512: | dcbc9face8a60d816e463e37a648802721d1664506e70f317cc8d9bc60b8dcf2c1fd0d8436446168d29b86b575419d7b8457e293f725a99b85e7c57d60910aaf |
SSDEEP: | 6144:J5kVkmn5BmgTF95t6uiUMf4kmopMkyAFHvnHgSXo0frH:J2kmnfbL6BUopRygnH7Xf |
TLSH: | D784AF43AAD47D50E9734B328E2E95E8325DFA518E197BA72218AB0F1CB0471DD73723 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:).q~H."~H."~H."s.6"_H."s..".H."s.."UH."w0z"}H."~H.".H."...".H."s.2".H."..7".H."Rich~H."........PE..L......c................... |
Icon Hash: | cd4d3d2e4e054d05 |
Entrypoint: | 0x403f81 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | TERMINAL_SERVER_AWARE |
Time Stamp: | 0x6390F2B6 [Wed Dec 7 20:08:22 2022 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | 37220d6fb688fa34839fa14fac301c01 |
Instruction |
---|
call 00007F98BC915ECFh |
jmp 00007F98BC910E34h |
cmp ecx, dword ptr [00419428h] |
jne 00007F98BC910FB4h |
rep ret |
jmp 00007F98BC91603Eh |
push ebp |
mov ebp, esp |
sub esp, 20h |
push esi |
push edi |
push 00000008h |
pop ecx |
mov esi, 004120B8h |
lea edi, dword ptr [ebp-20h] |
rep movsd |
mov esi, dword ptr [ebp+0Ch] |
mov edi, dword ptr [ebp+08h] |
test esi, esi |
je 00007F98BC910FC5h |
test byte ptr [esi], 00000010h |
je 00007F98BC910FC0h |
mov ecx, dword ptr [edi] |
sub ecx, 04h |
push ecx |
mov eax, dword ptr [ecx] |
mov esi, dword ptr [eax+18h] |
call dword ptr [eax+20h] |
mov dword ptr [ebp-08h], edi |
mov dword ptr [ebp-04h], esi |
test esi, esi |
je 00007F98BC910FBEh |
test byte ptr [esi], 00000008h |
je 00007F98BC910FB9h |
mov dword ptr [ebp-0Ch], 01994000h |
lea eax, dword ptr [ebp-0Ch] |
push eax |
push dword ptr [ebp-10h] |
push dword ptr [ebp-1Ch] |
push dword ptr [ebp-20h] |
call dword ptr [004110B4h] |
pop edi |
pop esi |
mov esp, ebp |
pop ebp |
retn 0008h |
push eax |
push dword ptr fs:[00000000h] |
lea eax, dword ptr [esp+0Ch] |
sub esp, dword ptr [esp+0Ch] |
push ebx |
push esi |
push edi |
mov dword ptr [eax], ebp |
mov ebp, eax |
mov eax, dword ptr [00419428h] |
xor eax, ebp |
push eax |
mov dword ptr [ebp-10h], esp |
push dword ptr [ebp-04h] |
mov dword ptr [ebp-04h], FFFFFFFFh |
lea eax, dword ptr [ebp-0Ch] |
mov dword ptr fs:[00000000h], eax |
ret |
push ebp |
mov ebp, esp |
push esi |
cld |
mov esi, dword ptr [ebp+0Ch] |
mov ecx, dword ptr [esi+08h] |
xor ecx, esi |
call 00007F98BC910EFBh |
push 00000000h |
push esi |
Programming Language: |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x17d8c | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1613000 | 0x17ca0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x111e0 | 0x38 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x17338 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x11000 | 0x170 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xf263 | 0xf400 | 26a605b1110d573593c125c5ec1d4ac0 | False | 0.6024269979508197 | data | 6.740153038223776 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x11000 | 0x75c4 | 0x7600 | 59b63a48d2f27b1a10af1af34297a7e1 | False | 0.3942995233050847 | data | 4.929058346914562 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x19000 | 0x15f9708 | 0x31600 | 57726de032ddbb89fffb1ff63c8783df | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x1613000 | 0x17ca0 | 0x17e00 | 70bc6b29317232c37f16b72c77406ed6 | False | 0.36337328206806285 | data | 4.559199466403747 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
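The section table above is the strongest static indicator on this page: .data has a VirtualSize of 0x15f9708 (roughly 23 MB) against a SizeOfRawData of 0x31600, so the loader reserves far more writable memory than the file supplies, which is typical of a stub that decrypts or unpacks into its own image at run time. Together with RELOCS_STRIPPED in the file characteristics and a DLL Characteristics field that lacks DYNAMIC_BASE and NX_COMPAT (only TERMINAL_SERVER_AWARE is set), the headers alone justify a closer look before any dynamic run. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it walks the PE headers with the standard library only and applies those heuristics. Its built-in test image reproduces the report's header values (timestamp, characteristics, entrypoint RVA, section table), but the section bodies are synthetic filler, so the entropy numbers it prints are not the sample's. The SizeOfHeaders value of 0x400, the ratio threshold and the entropy threshold are assumptions; with 0x400 the reported raw sizes add up exactly to the reported 393,728-byte file size.

```python
import struct
from datetime import datetime, timezone
from math import log2

# Flag values from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_SCN_MEM_EXECUTE = 0x20000000

# Triage thresholds: assumptions, not values from the report.
VSIZE_RATIO_LIMIT = 8.0   # VirtualSize / SizeOfRawData above this is suspicious
HIGH_ENTROPY = 7.0        # bits per byte; plain compiled code is usually 6 to 6.8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or single-valued input."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * log2(c / n) for c in (data.count(b) for b in range(256)) if c)


def parse_pe(pe: bytes) -> dict:
    """Walk the COFF header, the optional-header fields needed here and the
    section table. The fields used sit at the same offsets in PE32 and PE32+."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, timestamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]    # AddressOfEntryPoint
    dll_chars = struct.unpack_from("<H", pe, opt + 70)[0]    # DllCharacteristics
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name, vsize, vaddr, rsize, rptr, _, _, _, _, schars = struct.unpack_from("<8sIIIIIIHHI", pe, off)
        raw = pe[rptr:rptr + rsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": rsize,
            # entropy only when the raw bytes really are in the file (truncated dumps happen)
            "entropy": shannon_entropy(raw) if len(raw) == rsize else None,
            "characteristics": schars,
        })
    return {
        "machine": machine,
        "timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "characteristics": chars,
        "dll_characteristics": dll_chars,
        "entry_rva": entry_rva,
        "sections": sections,
    }


def triage(pe: bytes) -> dict:
    """Parse the headers and attach the findings a first look should raise."""
    info = parse_pe(pe)
    findings = []
    if info["characteristics"] & IMAGE_FILE_RELOCS_STRIPPED:
        findings.append("relocations stripped: image can only load at its ImageBase")
    if not info["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE:
        findings.append("no ASLR: DYNAMIC_BASE not set")
    if not info["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_NX_COMPAT:
        findings.append("no DEP opt-in: NX_COMPAT not set")
    info["entry_section"] = None
    for s in info["sections"]:
        if s["virtual_address"] <= info["entry_rva"] < s["virtual_address"] + s["virtual_size"]:
            info["entry_section"] = s["name"]
        if s["raw_size"] and s["virtual_size"] / s["raw_size"] > VSIZE_RATIO_LIMIT:
            findings.append(f"{s['name']}: VirtualSize {s['virtual_size']:#x} vs SizeOfRawData "
                            f"{s['raw_size']:#x}; memory reserved for content that is not in the file")
        if s["entropy"] is not None and s["entropy"] > HIGH_ENTROPY and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{s['name']}: high-entropy executable section ({s['entropy']:.2f} bits/byte)")
    info["findings"] = findings
    return info


def build_sample() -> bytes:
    """Constructed PE32 reproducing this report's header values (timestamp,
    characteristics, entrypoint, section table). Section bodies are synthetic
    filler, so entropy values are NOT the sample's. SizeOfHeaders 0x400 is an
    assumption; with it the raw sizes add up to the reported 393,728 bytes."""
    hdr = 0x400
    #        name      VirtualSize  VirtualAddress  SizeOfRawData  Characteristics
    secs = [(b".text",  0xF263,      0x1000,        0xF400,        0x60000020),
            (b".rdata", 0x75C4,      0x11000,       0x7600,        0x40000040),
            (b".data",  0x15F9708,   0x19000,       0x31600,       0xC0000040),
            (b".rsrc",  0x17CA0,     0x1613000,     0x17E00,       0x40000040)]
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0x6390F2B6, 0, 0, 224, 0x0103)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, 0x3F81)                       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                     # ImageBase
    struct.pack_into("<H", opt, 68, 2)                            # Subsystem: Windows GUI
    struct.pack_into("<H", opt, 70, 0x8000)                       # DllCharacteristics: TERMINAL_SERVER_AWARE only
    table, body, ptr = b"", b"", hdr
    for name, vsize, vaddr, rsize, schars in secs:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, ptr, 0, 0, 0, 0, schars)
        # synthetic filler: a full byte alphabet for code, zeros for everything else
        body += (bytes(range(256)) * (rsize // 256))[:rsize] if name == b".text" else bytes(rsize)
        ptr += rsize
    header_area = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(hdr, b"\0")
    return header_area + body


if __name__ == "__main__":
    result = triage(build_sample())
    print("entrypoint in", result["entry_section"], "| linked", result["timestamp_utc"])
    for s in result["sections"]:
        ent = "n/a" if s["entropy"] is None else f"{s['entropy']:.2f}"
        print(f"{s['name']:<7} vsize={s['virtual_size']:#9x} rsize={s['raw_size']:#8x} entropy={ent}")
    for f in result["findings"]:
        print(" !", f)
```

Pointing `triage()` at a real file is `triage(open(path, "rb").read())`; on this sample only .data should trip the size-ratio check, and the entropy figures will be the reported ones rather than the filler's.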
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_CURSOR | 0x1626058 | 0x330 | Device independent bitmap graphic, 48 x 96 x 1, image size 0 | 0.1948529411764706 | ||
RT_CURSOR | 0x1626388 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | 0.33223684210526316 | ||
RT_CURSOR | 0x16264e0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | 0.2953091684434968 | ||
RT_CURSOR | 0x1627388 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | 0.46705776173285196 | ||
RT_CURSOR | 0x1627c30 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | 0.5361271676300579 | ||
RT_CURSOR | 0x16281c8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | 0.26439232409381663 | ||
RT_CURSOR | 0x1629070 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | 0.3686823104693141 | ||
RT_CURSOR | 0x1629918 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | 0.49060693641618497 | ||
RT_ICON | 0x1613820 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | 0.4869402985074627 | ||
RT_ICON | 0x16146c8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | 0.608754512635379 | ||
RT_ICON | 0x1614f70 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | 0.6670506912442397 | ||
RT_ICON | 0x1615638 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | 0.6921965317919075 | ||
RT_ICON | 0x1615ba0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | 0.3941908713692946 | ||
RT_ICON | 0x1618148 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | 0.5124296435272045 | ||
RT_ICON | 0x16191f0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | 0.589344262295082 | ||
RT_ICON | 0x1619b78 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | 0.6790780141843972 | ||
RT_ICON | 0x161a058 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | 0.3686034115138593 | ||
RT_ICON | 0x161af00 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | 0.4575812274368231 | ||
RT_ICON | 0x161b7a8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | 0.4602534562211982 | ||
RT_ICON | 0x161be70 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | 0.46315028901734107 | ||
RT_ICON | 0x161c3d8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | 0.2674273858921162 | ||
RT_ICON | 0x161e980 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | 0.30605065666041276 | ||
RT_ICON | 0x161fa28 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | 0.3599290780141844 | ||
RT_ICON | 0x161fef8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | 0.4890724946695096 | ||
RT_ICON | 0x1620da0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | 0.47382671480144406 | ||
RT_ICON | 0x1621648 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | 0.4342485549132948 | ||
RT_ICON | 0x1621bb0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | 0.2779045643153527 | ||
RT_ICON | 0x1624158 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | 0.28869606003752346 | ||
RT_ICON | 0x1625200 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | 0.30778688524590164 | ||
RT_ICON | 0x1625b88 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | 0.32978723404255317 | ||
RT_STRING | 0x162a128 | 0x2c4 | data | 0.4887005649717514 | ||
RT_STRING | 0x162a3f0 | 0x390 | data | 0.4682017543859649 | ||
RT_STRING | 0x162a780 | 0x520 | data | 0.4375 | ||
RT_GROUP_CURSOR | 0x16264b8 | 0x22 | data | 1.0294117647058822 | ||
RT_GROUP_CURSOR | 0x1628198 | 0x30 | data | 0.9375 | ||
RT_GROUP_CURSOR | 0x1629e80 | 0x30 | data | 0.9375 | ||
RT_GROUP_ICON | 0x1619fe0 | 0x76 | data | 0.6610169491525424 | ||
RT_GROUP_ICON | 0x161fe90 | 0x68 | data | 0.7115384615384616 | ||
RT_GROUP_ICON | 0x1625ff0 | 0x68 | data | 0.7115384615384616 | ||
RT_VERSION | 0x1629eb0 | 0x274 | data | 0.5334394904458599 |
DLL | Import |
---|---|
KERNEL32.dll | GetComputerNameA, GetFullPathNameA, GlobalMemoryStatus, CommConfigDialogA, LoadLibraryExW, InterlockedIncrement, InterlockedDecrement, BackupSeek, GetWindowsDirectoryA, EnumTimeFormatsA, SetCommState, GlobalAlloc, LoadLibraryW, TerminateThread, GetLocaleInfoW, CreateEventA, GetConsoleAliasW, WriteConsoleW, GetModuleFileNameW, GetSystemDirectoryA, GetACP, MultiByteToWideChar, GetTempPathW, GetConsoleOutputCP, GetLastError, SetLastError, GetThreadLocale, GetProcAddress, LoadLibraryA, CreateHardLinkW, AddAtomA, SetCommMask, GlobalFindAtomW, BuildCommDCBA, VirtualProtect, GetVersionExA, ReadConsoleInputW, SetFileAttributesW, GetVolumeInformationW, EncodePointer, DecodePointer, ExitProcess, GetModuleHandleExW, WideCharToMultiByte, GetCommandLineW, RaiseException, RtlUnwind, IsProcessorFeaturePresent, IsDebuggerPresent, HeapFree, HeapAlloc, HeapSize, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, GetFileType, DeleteCriticalSection, GetStartupInfoW, CloseHandle, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, WriteFile, IsValidCodePage, GetOEMCP, GetCPInfo, GetCurrentThreadId, GetProcessHeap, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, LCMapStringW, GetConsoleCP, GetConsoleMode, SetFilePointerEx, SetStdHandle, FlushFileBuffers, OutputDebugStringW, GetStringTypeW, CreateFileW |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
May 1, 2024 16:43:11.300151110 CEST | 49705 | 443 | 192.168.2.8 | 104.21.81.139 |
May 1, 2024 16:43:11.300199032 CEST | 443 | 49705 | 104.21.81.139 | 192.168.2.8 |
May 1, 2024 16:43:11.300295115 CEST | 49705 | 443 | 192.168.2.8 | 104.21.81.139 |
May 1, 2024 16:43:11.303678989 CEST | 49705 | 443 | 192.168.2.8 | 104.21.81.139 |
May 1, 2024 16:43:11.303693056 CEST | 443 | 49705 | 104.21.81.139 | 192.168.2.8 |
May 1, 2024 16:43:11.509552002 CEST | 443 | 49705 | 104.21.81.139 | 192.168.2.8 |
May 1, 2024 16:43:11.509757042 CEST | 49705 | 443 | 192.168.2.8 | 104.21.81.139 |
May 1, 2024 16:43:11.514565945 CEST | 49705 | 443 | 192.168.2.8 | 104.21.81.139 |
May 1, 2024 16:43:11.514585018 CEST | 443 | 49705 | 104.21.81.139 | 192.168.2.8 |
May 1, 2024 16:43:11.514899015 CEST | 443 | 49705 | 104.21.81.139 | 192.168.2.8 |
May 1, 2024 16:43:11.627964973 CEST | 49705 | 443 | 192.168.2.8 | 104.21.81.139 |
May 1, 2024 16:43:11.633081913 CEST | 49705 | 443 | 192.168.2.8 | 104.21.81.139 |
May 1, 2024 16:43:11.633106947 CEST | 49705 | 443 | 192.168.2.8 | 104.21.81.139 |
May 1, 2024 16:43:11.633241892 CEST | 443 | 49705 | 104.21.81.139 | 192.168.2.8 |
May 1, 2024 16:43:12.035749912 CEST | 443 | 49705 | 104.21.81.139 | 192.168.2.8 |
May 1, 2024 16:43:12.035999060 CEST | 443 | 49705 | 104.21.81.139 | 192.168.2.8 |
May 1, 2024 16:43:12.036053896 CEST | 49705 | 443 | 192.168.2.8 | 104.21.81.139 |
May 1, 2024 16:43:14.899902105 CEST | 49705 | 443 | 192.168.2.8 | 104.21.81.139 |
May 1, 2024 16:43:14.899943113 CEST | 443 | 49705 | 104.21.81.139 | 192.168.2.8 |
May 1, 2024 16:43:14.954674006 CEST | 49706 | 443 | 192.168.2.8 | 104.21.81.139 |
May 1, 2024 16:43:14.954720020 CEST | 443 | 49706 | 104.21.81.139 | 192.168.2.8 |
May 1, 2024 16:43:14.954827070 CEST | 49706 | 443 | 192.168.2.8 | 104.21.81.139 |
May 1, 2024 16:43:14.955117941 CEST | 49706 | 443 | 192.168.2.8 | 104.21.81.139 |
May 1, 2024 16:43:14.955130100 CEST | 443 | 49706 | 104.21.81.139 | 192.168.2.8 |
May 1, 2024 16:43:15.143794060 CEST | 49706 | 443 | 192.168.2.8 | 104.21.81.139 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
May 1, 2024 16:43:11.173964977 CEST | 52309 | 53 | 192.168.2.8 | 1.1.1.1 |
May 1, 2024 16:43:11.275882006 CEST | 53 | 52309 | 1.1.1.1 | 192.168.2.8 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
May 1, 2024 16:43:11.173964977 CEST | 192.168.2.8 | 1.1.1.1 | 0x737c | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
May 1, 2024 16:43:11.275882006 CEST | 1.1.1.1 | 192.168.2.8 | 0x737c | No error (0) | 104.21.81.139 | A (IP address) | IN (0x0001) | false | ||
May 1, 2024 16:43:11.275882006 CEST | 1.1.1.1 | 192.168.2.8 | 0x737c | No error (0) | 172.67.189.159 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.8 | 49705 | 104.21.81.139 | 443 | 7580 | C:\Users\user\Desktop\lfY08S61Ig.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-05-01 14:43:11 UTC | 268 | OUT | |
2024-05-01 14:43:11 UTC | 8 | OUT | |
2024-05-01 14:43:12 UTC | 806 | IN | |
2024-05-01 14:43:12 UTC | 7 | IN | |
2024-05-01 14:43:12 UTC | 5 | IN |
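The network tables above read as one chain: a DNS A query to 1.1.1.1 (transaction 0x737c; the queried name is not shown in the report) is answered with 104.21.81.139 and 172.67.189.159, and about 24 ms after the answer PID 7580 opens a connection from port 49705 to 104.21.81.139:443, followed by a second connection from 49706; only 268 + 8 bytes go out before 806 + 7 + 5 bytes come back, and the second answered address is never contacted. The Python below is an added example, not part of the Joe Sandbox report: it joins the report's three tables (TCP packets, DNS replies, process sessions) into per-flow records with process attribution and the delay since the DNS answer, and lists answered addresses that were never used. The embedded rows are copied from this report (only the first packets of each flow). Two points follow the report's layout rather than general rules and are assumptions: the reply rows have their blank Name and CName cells collapsed, so the answered address is found by pattern rather than by column position, and the side with the higher port number is taken to be the client.

```python
import re
from datetime import datetime

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Rows copied from this report's tables (first packets of each flow only).
TCP_ROWS = r"""
May 1, 2024 16:43:11.300151110 CEST | 49705 | 443 | 192.168.2.8 | 104.21.81.139 |
May 1, 2024 16:43:11.300199032 CEST | 443 | 49705 | 104.21.81.139 | 192.168.2.8 |
May 1, 2024 16:43:11.300295115 CEST | 49705 | 443 | 192.168.2.8 | 104.21.81.139 |
May 1, 2024 16:43:11.303678989 CEST | 49705 | 443 | 192.168.2.8 | 104.21.81.139 |
May 1, 2024 16:43:14.954674006 CEST | 49706 | 443 | 192.168.2.8 | 104.21.81.139 |
May 1, 2024 16:43:14.954720020 CEST | 443 | 49706 | 104.21.81.139 | 192.168.2.8 |
May 1, 2024 16:43:14.954827070 CEST | 49706 | 443 | 192.168.2.8 | 104.21.81.139 |
"""
DNS_REPLY_ROWS = r"""
May 1, 2024 16:43:11.275882006 CEST | 1.1.1.1 | 192.168.2.8 | 0x737c | No error (0) | 104.21.81.139 | A (IP address) | IN (0x0001) | false | ||
May 1, 2024 16:43:11.275882006 CEST | 1.1.1.1 | 192.168.2.8 | 0x737c | No error (0) | 172.67.189.159 | A (IP address) | IN (0x0001) | false | ||
"""
SESSION_ROWS = r"""
0 | 192.168.2.8 | 49705 | 104.21.81.139 | 443 | 7580 | C:\Users\user\Desktop\lfY08S61Ig.exe |
"""


def rows(table: str) -> list:
    """Split a pipe-separated report table into lists of stripped cells."""
    return [[c.strip() for c in line.strip().strip("|").split("|")]
            for line in table.strip().splitlines()]


def parse_ts(s: str) -> datetime:
    """'May 1, 2024 16:43:11.300151110 CEST' -> datetime at microsecond precision.
    The report prints nanoseconds; strptime's %f accepts at most six digits."""
    s = s.rsplit(" ", 1)[0]              # drop the zone label; all rows share it
    head, frac = s.rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def correlate(tcp_table: str, dns_reply_table: str, session_table: str) -> dict:
    # DNS answers: address -> (answer time, transaction id). The report collapses
    # the blank Name/CName cells, so take the first IPv4 cell after the reply code.
    answers = {}
    for c in rows(dns_reply_table):
        addr = next(x for x in c[4:] if IPV4.match(x))
        answers[addr] = (parse_ts(c[0]), c[3])

    # Process attribution keyed by the client-side 4-tuple.
    procs = {(c[1], c[2], c[3], c[4]): (int(c[5]), c[6]) for c in rows(session_table)}

    # Fold packets into flows; assumption: the side with the higher port is the client.
    flows = {}
    for ts, sport, dport, sip, dip in rows(tcp_table):
        key = (sip, sport, dip, dport) if int(sport) > int(dport) else (dip, dport, sip, sport)
        t = parse_ts(ts)
        f = flows.setdefault(key, {"first": t, "packets": 0})
        f["first"] = min(f["first"], t)
        f["packets"] += 1

    out = []
    for (cip, cport, sip, sport), f in flows.items():
        pid, image = procs.get((cip, cport, sip, sport), (None, None))
        ans = answers.get(sip)
        out.append({
            "client_port": int(cport),
            "server": f"{sip}:{sport}",
            "packets": f["packets"],
            "pid": pid,
            "image": image,
            "dns_txid": ans[1] if ans else None,
            "ms_after_dns_answer": (f["first"] - ans[0]).total_seconds() * 1000 if ans else None,
        })
    contacted = {k[2] for k in flows}
    return {
        "flows": sorted(out, key=lambda r: r["client_port"]),
        "answered_but_unused": sorted(a for a in answers if a not in contacted),
    }


if __name__ == "__main__":
    result = correlate(TCP_ROWS, DNS_REPLY_ROWS, SESSION_ROWS)
    for flow in result["flows"]:
        print(flow)
    print("answered but never contacted:", result["answered_but_unused"])
```

The unused second address is worth keeping: a host that resolves a name and then only ever talks to one of several answers is normal client behaviour, but both addresses belong to the same resolution and both belong on a block list.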
Target ID: | 0 |
Start time: | 16:43:04 |
Start date: | 01/05/2024 |
Path: | C:\Users\user\Desktop\lfY08S61Ig.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 393'728 bytes |
MD5 hash: | C33191B6ACC759B04279CFE144307DF5 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | true |
Target ID: | 4 |
Start time: | 16:43:14 |
Start date: | 01/05/2024 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x960000 |
File size: | 483'680 bytes |
MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Execution Graph
Execution Coverage: | 1.9% |
Dynamic/Decrypted Code Coverage: | 39.4% |
Signature Coverage: | 28.2% |
Total number of Nodes: | 71 |
Total number of Limit Nodes: | 6 |
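Two things stand out in the function list that follows. First, functions are reported in two address ranges: inside the mapped image (0x0040xxxx) and in memory outside it (0x01BCxxxx through 0x01C4xxxx), and only the latter carry Yara matches, which fits the 39.4% dynamic/decrypted code coverage above against 1.9% execution coverage of the image itself. Second, pairs of entries share identical Strings and Instructions counts (for example 004097F0 and 01BC9A57, both 7 strings and 344 instructions) and each such pair differs by the same 0x017C0267, so the out-of-image code is a copy of the image's functions laid out at a constant offset rather than new code; the out-of-image functions with no counterpart at that offset (01BC003C, 01C4678E) are the genuinely new code to reverse first. The Python below is an added example, not part of the report: it parses function lines in the report's format, votes on the offset from matching signatures, and separates copied, image-only and new functions. The image range is derived from the report's ImageBase and .rsrc section; the embedded lines are a subset copied from this report's list.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Mapped-image range taken from the report's static section: ImageBase 0x400000,
# last section .rsrc at RVA 0x1613000 with VirtualSize 0x17ca0.
IMAGE_BASE = 0x400000
IMAGE_END = IMAGE_BASE + 0x1613000 + 0x17CA0

# One "Function ..." line of the report; APIs and Strings are optional and the
# instruction count runs straight into the tag words (e.g. "515memoryCOMMON").
FUNC_RE = re.compile(
    r"Function (?P<addr>[0-9A-Fa-f]{8}) Relevance: (?P<rel>[\d.]+)"
    r"(?:, APIs: (?P<apis>\d+))?(?:, Strings: (?P<strings>\d+))?"
    r", Instructions: (?P<instr>\d+)(?P<tags>[A-Za-z]*)"
)

# Lines copied from this report's function list (a subset).
SAMPLE = """
Function 00430520 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 176clipboardCOMMON
Function 01BC003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515memoryCOMMON
Function 004017B0 Relevance: 11.8, Strings: 9, Instructions: 584COMMON
Function 004097F0 Relevance: 9.1, Strings: 7, Instructions: 344COMMON
Function 01BC9A57 Relevance: 9.1, Strings: 7, Instructions: 344COMMON
Function 00416555 Relevance: 7.6, Strings: 6, Instructions: 92COMMON
Function 01BD67BC Relevance: 7.6, Strings: 6, Instructions: 92COMMON
Function 00404B30 Relevance: 6.7, Strings: 5, Instructions: 474COMMON
Function 01BC4D97 Relevance: 6.7, Strings: 5, Instructions: 474COMMON
Function 00413038 Relevance: 5.2, Strings: 4, Instructions: 205COMMON
Function 01BD329F Relevance: 5.2, Strings: 4, Instructions: 205COMMON
Function 01C4678E Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON
Function 00426953 Relevance: 1.6, Strings: 1, Instructions: 309COMMON
Function 01BE6BBA Relevance: 1.6, Strings: 1, Instructions: 309COMMON
Function 004080A0 Relevance: .8, Instructions: 824COMMON
Function 01BC8307 Relevance: .8, Instructions: 824COMMON
"""


@dataclass(frozen=True)
class Func:
    addr: int
    relevance: float
    apis: int
    strings: int
    instructions: int
    tags: str

    @property
    def in_image(self) -> bool:
        return IMAGE_BASE <= self.addr < IMAGE_END

    @property
    def signature(self) -> tuple:
        # what the report lets us compare across copies: (Strings, Instructions)
        return (self.strings, self.instructions)


def parse_functions(text: str) -> list:
    return [Func(int(m["addr"], 16), float(m["rel"]), int(m["apis"] or 0),
                 int(m["strings"] or 0), int(m["instr"]), m["tags"])
            for m in FUNC_RE.finditer(text)]


def relocation_analysis(funcs: list) -> dict:
    """Vote on the constant offset between image functions and their copies in
    dynamic memory, then split the list into copied, image-only and new code."""
    image = [f for f in funcs if f.in_image]
    dynamic = [f for f in funcs if not f.in_image]
    by_sig = defaultdict(list)
    for d in dynamic:
        by_sig[d.signature].append(d)
    votes = Counter(d.addr - s.addr for s in image for d in by_sig.get(s.signature, ()))
    if not votes:
        return {"delta": None, "votes": 0, "copied": [], "only_in_image": image, "new_in_memory": dynamic}
    delta, count = votes.most_common(1)[0]
    image_addrs = {f.addr for f in image}
    dynamic_addrs = {f.addr for f in dynamic}
    return {
        "delta": delta,
        "votes": count,
        "copied": [f for f in image if f.addr + delta in dynamic_addrs],
        "only_in_image": [f for f in image if f.addr + delta not in dynamic_addrs],
        "new_in_memory": [f for f in dynamic if f.addr - delta not in image_addrs],
    }


if __name__ == "__main__":
    result = relocation_analysis(parse_functions(SAMPLE))
    print(f"delta {result['delta']:#x} ({result['votes']} signature votes)")
    for label in ("copied", "only_in_image", "new_in_memory"):
        print(label, [f"{f.addr:08X}" for f in result[label]])
```

Feeding the whole list in gives the same offset with far more votes; a function whose signature collides with several others is resolved by the vote rather than by a one-to-one match, which is why the delta is chosen first and membership is checked second.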
Graph
Function 0043B550 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12libraryCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01C4678E Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0043E8D0 Relevance: 1.4, Strings: 1, Instructions: 168COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0043C461 Relevance: 1.3, Strings: 1, Instructions: 90COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01BC003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515memoryCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0043AD26 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67libraryCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0043AA87 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18libraryCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01BC0E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0043B22D Relevance: 1.6, APIs: 1, Instructions: 120COMMON
Control-flow Graph
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0043AC2D Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004392D0 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01C4644D Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00430520 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 176clipboardCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004017B0 Relevance: 11.8, Strings: 9, Instructions: 584COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004097F0 Relevance: 9.1, Strings: 7, Instructions: 344COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01BC9A57 Relevance: 9.1, Strings: 7, Instructions: 344COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00416555 Relevance: 7.6, Strings: 6, Instructions: 92COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01BD67BC Relevance: 7.6, Strings: 6, Instructions: 92COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00404B30 Relevance: 6.7, Strings: 5, Instructions: 474COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01BC4D97 Relevance: 6.7, Strings: 5, Instructions: 474COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00413038 Relevance: 5.2, Strings: 4, Instructions: 205COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01BD329F Relevance: 5.2, Strings: 4, Instructions: 205COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0043F500 Relevance: 4.1, Strings: 3, Instructions: 309COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01BFF767 Relevance: 4.1, Strings: 3, Instructions: 309COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01BC092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00428AC0 Relevance: 3.7, Strings: 2, Instructions: 1242COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01BE8D27 Relevance: 3.7, Strings: 2, Instructions: 1242COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405720 Relevance: 3.3, Strings: 2, Instructions: 834COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01BC5987 Relevance: 3.3, Strings: 2, Instructions: 834COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00425B50 Relevance: 3.0, Strings: 2, Instructions: 511COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01BE5DB7 Relevance: 3.0, Strings: 2, Instructions: 511COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0042112E Relevance: 2.9, Strings: 2, Instructions: 369COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0043C571 Relevance: 2.6, Strings: 2, Instructions: 102COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00439E10 Relevance: 1.9, Strings: 1, Instructions: 642COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01BFA077 Relevance: 1.9, Strings: 1, Instructions: 642COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004279F5 Relevance: 1.7, Strings: 1, Instructions: 469COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01BE7C5C Relevance: 1.7, Strings: 1, Instructions: 469COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004218A0 Relevance: 1.6, Strings: 1, Instructions: 378COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01BE1B07 Relevance: 1.6, Strings: 1, Instructions: 378COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0042213D Relevance: 1.6, Strings: 1, Instructions: 332COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00426953 Relevance: 1.6, Strings: 1, Instructions: 309COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01BE6BBA Relevance: 1.6, Strings: 1, Instructions: 309COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0043F190 Relevance: 1.6, Strings: 1, Instructions: 308COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01BFF3F7 Relevance: 1.6, Strings: 1, Instructions: 308COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00406A50 Relevance: 1.5, Strings: 1, Instructions: 264COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01BC6CB7 Relevance: 1.5, Strings: 1, Instructions: 264COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0043EE70 Relevance: 1.5, Strings: 1, Instructions: 257COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01BFF0D7 Relevance: 1.5, Strings: 1, Instructions: 257COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00422760 Relevance: 1.5, Strings: 1, Instructions: 235COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00439A20 Relevance: 1.4, Strings: 1, Instructions: 176COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01BF9C87 Relevance: 1.4, Strings: 1, Instructions: 176COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01BFEB37 Relevance: 1.4, Strings: 1, Instructions: 168COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0043EAF0 Relevance: 1.4, Strings: 1, Instructions: 165COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01BFED57 Relevance: 1.4, Strings: 1, Instructions: 165COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004226BD Relevance: 1.4, Strings: 1, Instructions: 160COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00411E13 Relevance: 1.4, Strings: 1, Instructions: 100COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01BD207A Relevance: 1.4, Strings: 1, Instructions: 100COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00428A13 Relevance: 1.3, Strings: 1, Instructions: 94COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01BE8C7A Relevance: 1.3, Strings: 1, Instructions: 94COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01BFC6C8 Relevance: 1.3, Strings: 1, Instructions: 90COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0041DDC7 Relevance: 1.3, Strings: 1, Instructions: 89COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01BDE02E Relevance: 1.3, Strings: 1, Instructions: 89COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00424982 Relevance: 1.3, Strings: 1, Instructions: 83COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01BE4BE9 Relevance: 1.3, Strings: 1, Instructions: 83COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0041DF3A Relevance: 1.3, Strings: 1, Instructions: 79COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0043C615 Relevance: 1.3, Strings: 1, Instructions: 65COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0043D4E8 Relevance: 1.3, Strings: 1, Instructions: 10COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01BFD74F Relevance: 1.3, Strings: 1, Instructions: 10COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004080A0 Relevance: .8, Instructions: 824COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01BC8307 Relevance: .8, Instructions: 824COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00427059 Relevance: .7, Instructions: 742COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01BE72C0 Relevance: .7, Instructions: 742COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00403750 Relevance: .7, Instructions: 700COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01BC39B7 Relevance: .7, Instructions: 700COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00426948 Relevance: .7, Instructions: 676COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01BE6BAF Relevance: .7, Instructions: 676COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00404160 Relevance: .6, Instructions: 609COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01BC43C7 Relevance: .6, Instructions: 609COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0041D35E Relevance: .6, Instructions: 577COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00406480 Relevance: .5, Instructions: 512COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01BC66E7 Relevance: .5, Instructions: 512COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00428410 Relevance: .4, Instructions: 387COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01BE8677 Relevance: .4, Instructions: 387COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00417ABA Relevance: .3, Instructions: 337COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01BD7D21 Relevance: .3, Instructions: 337 | COMMON | Yara matches | Uniqueness Score: -1.00%
Function 00424478 Relevance: .3, Instructions: 334 | COMMON | Uniqueness Score: -1.00%
Function 01BE46DF Relevance: .3, Instructions: 334 | COMMON | Yara matches | Uniqueness Score: -1.00%
Function 00411419 Relevance: .2, Instructions: 231 | COMMON | Uniqueness Score: -1.00%
Function 01BD1680 Relevance: .2, Instructions: 231 | COMMON | Yara matches | Uniqueness Score: -1.00%
Function 00402D10 Relevance: .2, Instructions: 227 | COMMON | Uniqueness Score: -1.00%
Function 0041DB00 Relevance: .2, Instructions: 216 | COMMON | Uniqueness Score: -1.00%
Function 00437090 Relevance: .2, Instructions: 179 | COMMON | Uniqueness Score: -1.00%
Function 01BF72F7 Relevance: .2, Instructions: 179 | COMMON | Yara matches | Uniqueness Score: -1.00%
Function 00415470 Relevance: .1, Instructions: 146 | COMMON | Uniqueness Score: -1.00%
Function 01BD56D7 Relevance: .1, Instructions: 146 | COMMON | Yara matches | Uniqueness Score: -1.00%
Function 00414D32 Relevance: .1, Instructions: 136 | COMMON | Uniqueness Score: -1.00%
Function 01BD4F99 Relevance: .1, Instructions: 136 | COMMON | Yara matches | Uniqueness Score: -1.00%
Function 00410390 Relevance: .1, Instructions: 129 | COMMON | Uniqueness Score: -1.00%
Function 01BD05F7 Relevance: .1, Instructions: 129 | COMMON | Yara matches | Uniqueness Score: -1.00%
Function 01BDD6F9 Relevance: .1, Instructions: 112 | COMMON | Yara matches | Uniqueness Score: -1.00%
Function 01BE2488 Relevance: .1, Instructions: 108 | COMMON | Yara matches | Uniqueness Score: -1.00%
Function 00403360 Relevance: .1, Instructions: 101 | COMMON | Uniqueness Score: -1.00%
Function 01BC35C7 Relevance: .1, Instructions: 101 | COMMON | Yara matches | Uniqueness Score: -1.00%
Function 00402650 Relevance: .1, Instructions: 95 | COMMON | Uniqueness Score: -1.00%
Function 01BC28B7 Relevance: .1, Instructions: 95 | COMMON | Yara matches | Uniqueness Score: -1.00%
Function 0040FE47 Relevance: .1, Instructions: 70 | COMMON | Uniqueness Score: -1.00%
Function 01BD00AE Relevance: .1, Instructions: 70 | COMMON | Yara matches | Uniqueness Score: -1.00%
Function 004350A0 Relevance: .1, Instructions: 64 | COMMON | Uniqueness Score: -1.00%
Function 01BF5307 Relevance: .1, Instructions: 64 | COMMON | Yara matches | Uniqueness Score: -1.00%
Function 004258B0 Relevance: .1, Instructions: 63 | COMMON | Uniqueness Score: -1.00%
Function 01BE5B17 Relevance: .1, Instructions: 63 | COMMON | Yara matches | Uniqueness Score: -1.00%
Function 0043A930 Relevance: .1, Instructions: 61 | COMMON | Uniqueness Score: -1.00%
Function 01C4606B Relevance: .1, Instructions: 61 | COMMON | Yara matches | Uniqueness Score: -1.00%
Function 01BFAB97 Relevance: .1, Instructions: 61 | COMMON | Yara matches | Uniqueness Score: -1.00%
Function 0043DFE0 Relevance: .0, Instructions: 50 | COMMON | Uniqueness Score: -1.00%
Function 01BFE247 Relevance: .0, Instructions: 50 | COMMON | Yara matches | Uniqueness Score: -1.00%
Function 01BE25E5 Relevance: .0, Instructions: 44 | COMMON | Yara matches | Uniqueness Score: -1.00%
Function 01BC0D90 Relevance: .0, Instructions: 43 | COMMON | Yara matches | Uniqueness Score: -1.00%
Function 01BE088D Relevance: .0, Instructions: 32 | COMMON | Yara matches | Uniqueness Score: -1.00%
Function 0043D265 Relevance: .0, Instructions: 31 | COMMON | Uniqueness Score: -1.00%
Function 01BFD4CC Relevance: .0, Instructions: 31 | COMMON | Yara matches | Uniqueness Score: -1.00%
Function 0040D650 Relevance: .0, Instructions: 21 | COMMON | Uniqueness Score: -1.00%
Function 01BCD8B7 Relevance: .0, Instructions: 21 | COMMON | Yara matches | Uniqueness Score: -1.00%
Function 00430169 Relevance: .0, Instructions: 20 | COMMON | Uniqueness Score: -1.00%
Function 01C4B480 Relevance: .0, Instructions: 20 | COMMON | Yara matches | Uniqueness Score: -1.00%
Function 0043D48A Relevance: .0, Instructions: 14 | COMMON | Uniqueness Score: -1.00%
Function 01BFD6F1 Relevance: .0, Instructions: 14 | COMMON | Yara matches | Uniqueness Score: -1.00%
Function 0043E09F Relevance: .0, Instructions: 13 | COMMON | Uniqueness Score: -1.00%
Function 01BFE306 Relevance: .0, Instructions: 13 | COMMON | Yara matches | Uniqueness Score: -1.00%
Function 0043C436 Relevance: .0, Instructions: 11 | COMMON | Uniqueness Score: -1.00%
Function 0043DE9C Relevance: .0, Instructions: 11 | COMMON | Uniqueness Score: -1.00%
Function 01BFE103 Relevance: .0, Instructions: 11 | COMMON | Yara matches | Uniqueness Score: -1.00%
Function 01BFC69D Relevance: .0, Instructions: 11 | COMMON | Yara matches | Uniqueness Score: -1.00%
Function 0043DEB1 Relevance: .0, Instructions: 9 | COMMON | Uniqueness Score: -1.00%
Function 01BFE118 Relevance: .0, Instructions: 9 | COMMON | Yara matches | Uniqueness Score: -1.00%
Function 01BDDC57 Relevance: .0, Instructions: 8 | COMMON | Yara matches | Uniqueness Score: -1.00%
Function 01BDDE8D Relevance: .0, Instructions: 6 | COMMON | Yara matches | Uniqueness Score: -1.00%
Function 01BF0787 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 176 | clipboard, COMMON | Yara matches | Uniqueness Score: -1.00%