Edit tour
Windows
Analysis Report
file.exe
Overview
General Information
| Sample Name: | file.exe |
| Analysis ID: | 1310751 |
| MD5: | eeda5350767db40425db9c5f477f39f7 |
| SHA1: | 93614f3e1a9484df453f29c4c658ccdf3270841d |
| SHA256: | 046edea2e16ee4e7e52c8a88294272ed2893adaf46e057e3f45d0efdef288c85 |
| Tags: | exe |
| Infos: |  |
 | |
Detection
Poverty Stealer
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Yara detected Poverty Stealer
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Snort IDS alert for network traffic
Query firmware table information (likely to detect VMs)
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Found decision node followed by non-executed suspicious APIs
AV process strings found (often used to terminate AV products)
Yara signature match
Sample file is different than original file name gathered from version info
One or more processes crash
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Classification
- System is w10x64
file.exe (PID: 6992 cmdline: C:\Users\u ser\Deskto p\file.exe MD5: EEDA5350767DB40425DB9C5F477F39F7) 
WerFault.exe (PID: 7104 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 6 992 -s 745 72 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
- cleanup
{"C2 url": "69.46.15.167:2220"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | ||
| JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | ||
| JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | ||
| Windows_Trojan_Smokeloader_3687686f | unknown | unknown |
| |
| Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | ||
| JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | ||
| JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | ||
| JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | ||
| JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | ||
| Click to see the 1 entries | ||||
⊘No Sigma rule has matched
| Timestamp: | 192.168.2.369.46.15.1674971022202047066 09/19/23-14:28:00.763272 |
| SID: | 2047066 |
| Source Port: | 49710 |
| Destination Port: | 2220 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Code function: | 0_2_004033C0 | |
| Source: | Code function: | 0_2_008B3627 | |
Compliance | |
|---|
| Source: | Unpacked PE file: | ||
| Source: | Static PE information: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Code function: | 0_2_00404EE0 | |
| Source: | Code function: | 0_2_00402F50 | |
| Source: | Code function: | 0_2_00405D70 | |
| Source: | Code function: | 0_2_00401710 | |
| Source: | Code function: | 0_2_008B5147 | |
Networking | |
|---|
| Source: | Snort IDS: | ||
| Source: | URLs: | ||
| Source: | TCP traffic: | ||
| Source: | ASN Name: | ||
| Source: | IP Address: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Binary or memory string: | memstr_da062dad-f | |
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Static PE information: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process created: | ||
| Source: | Code function: | 0_2_00401710 | |
| Source: | Code function: | 0_2_00421847 | |
| Source: | Code function: | 0_2_0041F031 | |
| Source: | Code function: | 0_2_00420433 | |
| Source: | Code function: | 0_2_0041FEE2 | |
| Source: | Code function: | 0_2_0041F991 | |
| Source: | Code function: | 0_2_008BDF86 | |
| Source: | Code function: | 0_2_008BDF57 | |
| Source: | Code function: | 0_2_00A09518 | |
| Source: | Code function: | 0_2_00A0955B | |
| Source: | Code function: | 0_2_00405370 | |
| Source: | Code function: | 0_2_00401100 | |
| Source: | Code function: | 0_2_00403F10 | |
| Source: | Code function: | 0_2_008B55D7 | |
| Source: | ReversingLabs: | ||
| Source: | Virustotal: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Code function: | 0_2_00A06561 | |
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Classification label: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
Data Obfuscation | |
|---|
| Source: | Unpacked PE file: | ||
| Source: | Unpacked PE file: | ||
| Source: | Code function: | 0_2_00A09BC8 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | System information queried: | Jump to behavior | ||
| Source: | Decision node followed by non-executed suspicious API: | graph_0-10406 | ||
| Source: | Code function: | 0_2_00A0955B | |
| Source: | Code function: | 0_2_004044D0 | |
| Source: | Code function: | 0_2_00404EE0 | |
| Source: | Code function: | 0_2_00402F50 | |
| Source: | Code function: | 0_2_00405D70 | |
| Source: | Code function: | 0_2_00401710 | |
| Source: | Code function: | 0_2_008B5147 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_00404EC0 | |
| Source: | Code function: | 0_2_008B0D90 | |
| Source: | Code function: | 0_2_008B092B | |
| Source: | Code function: | 0_2_008B5127 | |
| Source: | Code function: | 0_2_00A05E3E | |
| Source: | Code function: | 0_2_00403570 | |
| Source: | Code function: | 0_2_00A0955B | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation | Path Interception | 1 Process Injection | 1 Virtualization/Sandbox Evasion | 1 OS Credential Dumping | 131 Security Software Discovery | Remote Services | 1 Input Capture | Exfiltration Over Other Network Medium | 2 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Process Injection | 1 Input Capture | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | 1 Data from Local System | Automated Exfiltration | 1 Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 2 Software Packing | NTDS | 1 Remote System Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | 2 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 42% | ReversingLabs | Win32.Trojan.Generic | ||
| 100% | Avira | HEUR/AGEN.1312455 | ||
| 45% | Virustotal | Browse | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 3% | Virustotal | Browse |
⊘No contacted domains info
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 69.46.15.167 | unknown | United States | 29802 | HVC-ASUS | true |
| Joe Sandbox Version: | 38.0.0 Beryl |
| Analysis ID: | 1310751 |
| Start date and time: | 2023-09-19 14:27:06 +02:00 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 5m 18s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 21 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample file name: | file.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@2/5@0/1 |
| EGA Information: |
|
| HDC Information: | Failed |
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
- Excluded IPs from analysis (whitelisted): 20.189.173.21
- Excluded domains from analysis (whitelisted): www.bing.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, tse1.mm.bing.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, arc.msn.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtAllocateVirtualMemory calls found.
- Report size getting too big, too many NtOpenFile calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryAttributesFile calls found.
| Time | Type | Description |
|---|---|---|
| 14:28:03 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 69.46.15.167 | Get hash | malicious | Poverty Stealer | Browse | ||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Poverty Stealer | Browse | |||
| Get hash | malicious | Poverty Stealer | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse |
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| HVC-ASUS | Get hash | malicious | HTMLPhisher | Browse |
| |
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | Poverty Stealer | Browse |
| ||
| Get hash | malicious | AgentTesla, RedLine | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
|
⊘No context
⊘No context
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_b881744bd24da49122ae106c74712cdb27f74121_9f84cedb_1b91792d\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.8430992069287914 |
| Encrypted: | false |
| SSDEEP: | 192:d6GQm4cWvcu3HQ0l0I3jGu/u7syS274ItmFBa:2pXQ0lTjf/u7syX4ItUa |
| MD5: | E8C8CC321E832FDC5C14B6B44C82290A |
| SHA1: | AEEBB1C7CB5FB5EA0FC27C404E505EDAD7C730E8 |
| SHA-256: | BE9C5E6CBEB54177B0F422BA0672A8DD3849A9FD0E62F05DA0D14356DEA19119 |
| SHA-512: | 1FA1468CE51938673276351973DDC6B93477EEFDC35C3D03AA0E3FC6C8075B95A09220C9151463634B49B606D70B1093696E1F66B7E56D0B7B3C334C7599DF14 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1037888 |
| Entropy (8bit): | 2.348483192869241 |
| Encrypted: | false |
| SSDEEP: | 3072:cNsDmNPQVXBMDT4SYTD/gFJedWhAGDzYtYCtxv2TK1NEWNYenRqb:cnKmH4TuwJGmc0NZYUM |
| MD5: | 087B930973E68C311D0B044238335EF2 |
| SHA1: | 27BF916A83BF894E0193CC66003164A6DC62FC7E |
| SHA-256: | C004CD99AC9B0D724FFCC10732DD968C468B2CDB42C0800C6E5A566166C35146 |
| SHA-512: | 904C75ED982B696D44B6BB5C6579879347CEA8462F7B6082DFE166EC19267F9D0B224BFBD9641D35D5D24A05F38AA06310E3BACE97CD385C574554BF765D65C5 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8340 |
| Entropy (8bit): | 3.702830708695516 |
| Encrypted: | false |
| SSDEEP: | 192:Rrl7r3GLNisC56uFx66YyPSU68lOgmfBisS3+pD+89bgssf9eAm:RrlsNiN6uFx66YaSU68cgmfAsSUg/f2 |
| MD5: | D6ECC99A7F9B4B657002F3BF83848BB8 |
| SHA1: | 52C56658763248D30A1C764F6638227ED01BD8AF |
| SHA-256: | 730BFE2BD08ACE48961D291AE0A35099C2A6720B08496024FA98BDA5F673E667 |
| SHA-512: | 78F5B7B352CF82F82A5B8E25439A64E4D9075EE5574D1E5BFC18148B128710F85341ECCA996466F64E7EF3BEBBDC16D8AF86620DF600E1B07A48C2501C60E6E8 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4579 |
| Entropy (8bit): | 4.483077553980328 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwSD8zsLrJgtWI9f/Wgc8sqYjA8fm8M4JakFVT+q8oTvaqrg76A89d:uITfLFIugrsqYxJxTJaqrg76AKd |
| MD5: | 1723FEE5390E19DA1D5D5F7B3A6167DC |
| SHA1: | 00D83451CCDDC187902A443912515812EFF7E432 |
| SHA-256: | 5A60746776303B3DC6B297915AAAB145421500DB6D1A5AADA67D602E83513C7E |
| SHA-512: | 040366E21B05FC8364F484E6DE0023945B93C03CEE3D27447607D8E2E43BC9024543CE5BFD549F8974FFEDCF061022776ACB445E0C3C733E7B6223B5FA361CF9 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1572864 |
| Entropy (8bit): | 4.374285386966342 |
| Encrypted: | false |
| SSDEEP: | 12288:AFcTQC4Lh9c+g1Ep7yMZK8yrWzte7y/5rmZrmQ0ithr7+i+invToKdw+d:qcTQC4Lh9c+g1Eag7 |
| MD5: | A06821F27C966E105C17B8CC8096D5D3 |
| SHA1: | 61F28FA80B9988E8952EBAF5DAACA4985EA2880E |
| SHA-256: | C77E5E6A62C37D7E029A3450BFDF3DE4415D28916177619B513238D1911295E1 |
| SHA-512: | 3D25FC1509D04D2BEBC2DD42C6B749E2970A01461C0B841859548D5B33620085D4CA4649E11625AC15BEE4413FFE6132878321ABB99DE8A42ADC87D749A58450 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 5.291629069127215 |
| TrID: |
|
| File name: | file.exe |
| File size: | 253'440 bytes |
| MD5: | eeda5350767db40425db9c5f477f39f7 |
| SHA1: | 93614f3e1a9484df453f29c4c658ccdf3270841d |
| SHA256: | 046edea2e16ee4e7e52c8a88294272ed2893adaf46e057e3f45d0efdef288c85 |
| SHA512: | a80eee56773bf4bd6c3352430e4b5a87c7e409e9c1157a593c8c29cf4b3973482ced805c135a5c409ce1ae1716af4c91143ab2054389b5034bb5b4a13c1235f5 |
| SSDEEP: | 3072:QJxeK7W6OTYqgg85NM768yG+BFjR4U/RjUTcz3oQ9kt:A7W6OJ85q768y/BFjGU/JUcoQ |
| TLSH: | E244C021B7F1D831E1A75A3050B1C6B22A3B7C6255B5C98B63941B3F5E307C1BFAA316 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........^...?.].?.].?.].Ic].?.].IV].?.].Ib].?.].G[].?.].?.]^?.].Ig].?.].IR].?.].IU].?.]Rich.?.]................PE..L......c........... |
 | |
| Icon Hash: | c73601d0b0222d02 |
| Entrypoint: | 0x4035ae |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x63A50FCC [Fri Dec 23 02:17:48 2022 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 1 |
| File Version Major: | 5 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 1 |
| Import Hash: | 82fc6aa150be346f557bda3dbcb8fac7 |
| Instruction |
|---|
| call 00007F380D0410F3h |
| jmp 00007F380D03E13Eh |
| mov edi, edi |
| push ebp |
| mov ebp, esp |
| mov eax, dword ptr [ebp+08h] |
| xor ecx, ecx |
| cmp eax, dword ptr [00437008h+ecx*8] |
| je 00007F380D03E2C5h |
| inc ecx |
| cmp ecx, 2Dh |
| jc 00007F380D03E2A3h |
| lea ecx, dword ptr [eax-13h] |
| cmp ecx, 11h |
| jnbe 00007F380D03E2C0h |
| push 0000000Dh |
| pop eax |
| pop ebp |
| ret |
| mov eax, dword ptr [0043700Ch+ecx*8] |
| pop ebp |
| ret |
| add eax, FFFFFF44h |
| push 0000000Eh |
| pop ecx |
| cmp ecx, eax |
| sbb eax, eax |
| and eax, ecx |
| add eax, 08h |
| pop ebp |
| ret |
| call 00007F380D040D6Ah |
| test eax, eax |
| jne 00007F380D03E2B8h |
| mov eax, 00437170h |
| ret |
| add eax, 08h |
| ret |
| call 00007F380D040D57h |
| test eax, eax |
| jne 00007F380D03E2B8h |
| mov eax, 00437174h |
| ret |
| add eax, 0Ch |
| ret |
| mov edi, edi |
| push ebp |
| mov ebp, esp |
| push esi |
| call 00007F380D03E297h |
| mov ecx, dword ptr [ebp+08h] |
| push ecx |
| mov dword ptr [eax], ecx |
| call 00007F380D03E237h |
| pop ecx |
| mov esi, eax |
| call 00007F380D03E271h |
| mov dword ptr [eax], esi |
| pop esi |
| pop ebp |
| ret |
| mov edi, edi |
| push ebp |
| mov ebp, esp |
| mov ecx, dword ptr [ebp+08h] |
| test ecx, ecx |
| je 00007F380D03E2CDh |
| push FFFFFFE0h |
| xor edx, edx |
| pop eax |
| div ecx |
| cmp eax, dword ptr [ebp+0Ch] |
| jnc 00007F380D03E2C1h |
| call 00007F380D03E24Fh |
| mov dword ptr [eax], 0000000Ch |
| xor eax, eax |
| pop ebp |
| ret |
| imul ecx, dword ptr [ebp+0Ch] |
| push esi |
| mov esi, ecx |
| test esi, esi |
| jne 00007F380D03E2B3h |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3598c | 0x64 | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x308000 | 0x3f40 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2d88 | 0x40 | .text |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1ec | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x354d0 | 0x35600 | False | 0.5114991949648712 | data | 5.520650305414998 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0x37000 | 0x2d09e4 | 0x4400 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x308000 | 0x3f40 | 0x4000 | False | 0.45892333984375 | data | 4.046779794577083 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x3081c0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | 0.44398340248962653 | ||
| RT_ICON | 0x30a768 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | 0.47827868852459016 | ||
| RT_STRING | 0x30b320 | 0x28e | data | 0.4954128440366973 | ||
| RT_STRING | 0x30b5b0 | 0x284 | data | 0.47360248447204967 | ||
| RT_STRING | 0x30b838 | 0x706 | data | 0.42102335928809786 | ||
| RT_GROUP_ICON | 0x30b0f0 | 0x22 | data | 0.9705882352941176 | ||
| RT_VERSION | 0x30b118 | 0x208 | data | 0.5346153846153846 |
| DLL | Import |
|---|---|
| KERNEL32.dll | MoveFileExA, ReadConsoleA, InterlockedDecrement, SetDefaultCommConfigW, GetEnvironmentStringsW, SetConsoleScreenBufferSize, AddConsoleAliasW, SetVolumeMountPointW, GetComputerNameW, GetSystemDefaultLCID, GetModuleHandleW, GetCommConfig, GetConsoleAliasesLengthA, GetConsoleAliasExesW, GetDriveTypeA, GetEnvironmentStrings, GlobalAlloc, GetPrivateProfileIntA, LoadLibraryW, TerminateThread, ReadConsoleInputA, CopyFileW, SetConsoleCP, DeleteVolumeMountPointW, EnumSystemCodePagesA, LocalReAlloc, GetACP, GetVolumePathNameA, FindFirstFileW, DisconnectNamedPipe, CreateJobObjectA, GetNamedPipeHandleStateW, GetStartupInfoA, FindFirstFileA, GetLastError, GetCurrentDirectoryW, GetProcessVersion, LoadLibraryA, GetFileType, RemoveDirectoryW, FindAtomA, FindNextFileA, EnumDateFormatsA, SetLocaleInfoW, FreeEnvironmentStringsW, FindNextFileW, VirtualProtect, PurgeComm, FatalAppExitA, GetShortPathNameW, ReadConsoleInputW, FindAtomW, GetWindowsDirectoryW, FindFirstVolumeW, EnumSystemLocalesW, CreateFileW, CloseHandle, SetInformationJobObject, GetPrivateProfileSectionNamesW, CreateMailslotW, GetCommandLineW, WriteConsoleW, MoveFileA, HeapAlloc, EncodePointer, DecodePointer, HeapReAlloc, HeapSetInformation, GetStartupInfoW, GetProcAddress, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameW, HeapCreate, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, Sleep, HeapSize, EnterCriticalSection, LeaveCriticalSection, HeapFree, SetFilePointer, SetHandleCount, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, GetCPInfo, GetOEMCP, IsValidCodePage, WideCharToMultiByte, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers, IsProcessorFeaturePresent, LCMapStringW, MultiByteToWideChar, GetStringTypeW, RaiseException |
| USER32.dll | CharUpperW |
| GDI32.dll | SelectPalette, GetTextFaceW, GetCharWidthA |
| SHELL32.dll | DragFinish |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 192.168.2.369.46.15.1674971022202047066 09/19/23-14:28:00.763272 | TCP | 2047066 | ET TROJAN [ANY.RUN] PovertyStealer Check-In via TCP | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Sep 19, 2023 14:28:00.629488945 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:00.762746096 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:00.762911081 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:00.763272047 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:00.763272047 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:00.895087004 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:00.895128965 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:00.895210981 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:00.895222902 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:00.895325899 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:00.895433903 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:00.895503998 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:00.895546913 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:00.895606995 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:00.896277905 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:00.896311045 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:00.896342993 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:00.896372080 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:00.896455050 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:00.896480083 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:00.896480083 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:00.896480083 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:00.896480083 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:00.896653891 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:01.027100086 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.027192116 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.027240038 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.027251959 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:01.027283907 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.027359009 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.027390957 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.027396917 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:01.027429104 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:01.027442932 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:01.027631044 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.027693987 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:01.028332949 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.028366089 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.028424025 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:01.028424025 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:01.028570890 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.028644085 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:01.028824091 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.028884888 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:01.028973103 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.029030085 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:01.069616079 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.069796085 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:01.159173012 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.159285069 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.159287930 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:01.159399986 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.159404993 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:01.159455061 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:01.159605026 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.159773111 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:01.159833908 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.159912109 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:01.160044909 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.160099983 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:01.160309076 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.160366058 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:01.160455942 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.160523891 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:01.160706043 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.160758972 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:01.160954952 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.161014080 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:01.161272049 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.161304951 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.161341906 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.161355019 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:01.161355019 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:01.161413908 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:01.161465883 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.161523104 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:01.161616087 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.161669016 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:01.161686897 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.161736965 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:01.161796093 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.161839008 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:01.161906958 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.161962986 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:01.162017107 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.162079096 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:01.162204981 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.162262917 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:01.162277937 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.162308931 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.162333012 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:01.162364960 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:01.162420034 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.162477970 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
| Sep 19, 2023 14:28:01.162529945 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.162640095 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.201411963 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.201466084 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.291055918 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.291114092 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.291147947 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.291256905 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.291517973 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.292227030 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.292548895 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.292582989 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.292615891 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.292674065 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.292705059 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.292737961 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.292768955 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.292798042 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.292830944 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.292864084 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.292895079 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.292931080 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.292962074 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.292994022 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.293024063 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.293173075 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.293287992 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.293370962 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.293466091 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.293560982 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.293656111 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.293759108 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.293859959 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.293967962 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.294101000 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.294200897 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.294298887 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.294414043 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.294518948 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.294636965 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.294737101 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.294853926 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.294981956 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.295089006 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.295187950 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.295295000 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.295464993 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.295568943 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.295641899 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.295720100 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.295844078 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.295958996 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.296057940 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.296178102 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.296257973 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.296402931 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.296508074 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.296626091 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.296715021 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.296845913 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.296951056 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.337519884 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.391109943 CEST | 2220 | 49710 | 69.46.15.167 | 192.168.2.3 |
| Sep 19, 2023 14:28:01.391288996 CEST | 49710 | 2220 | 192.168.2.3 | 69.46.15.167 |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 14:27:52 |
| Start date: | 19/09/2023 |
| Path: | C:\Users\user\Desktop\file.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 253'440 bytes |
| MD5 hash: | EEDA5350767DB40425DB9C5F477F39F7 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 14:28:00 |
| Start date: | 19/09/2023 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x1080000 |
| File size: | 434'592 bytes |
| MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 8.2% |
| Dynamic/Decrypted Code Coverage: | 81.3% |
| Signature Coverage: | 19.4% |
| Total number of Nodes: | 680 |
| Total number of Limit Nodes: | 7 |
Graph
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401710 Relevance: 13.4, APIs: 4, Strings: 3, Instructions: 1174fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00402F50 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 300fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00405370 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 421memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00405D70 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 178fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004033C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54encryptionCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A06561 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00403570 Relevance: 3.0, APIs: 2, Instructions: 12memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00404A40 Relevance: 31.7, APIs: 7, Strings: 11, Instructions: 200networksleepCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00404B3A Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 124networksleepCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00404D20 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 120threadsynchronizationCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 008B003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041C6A0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 361memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041C799 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 285memorylibraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00403530 Relevance: 6.0, APIs: 4, Instructions: 18memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040BF60 Relevance: 5.2, APIs: 4, Instructions: 179COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004042D9 Relevance: 5.1, APIs: 4, Instructions: 110COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00402122 Relevance: 3.2, APIs: 2, Instructions: 157fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 008B0E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0040294E Relevance: 1.6, APIs: 1, Instructions: 74fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A06220 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00401100 Relevance: 12.1, APIs: 8, Instructions: 146COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00403F10 Relevance: 12.1, APIs: 8, Instructions: 144COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 008B55D7 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 421memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 008B092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 008B3627 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54encryptionCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A09518 Relevance: .2, Instructions: 242COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A0955B Relevance: .2, Instructions: 203COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 008B5147 Relevance: .1, Instructions: 137COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00A05E3E Relevance: .1, Instructions: 61COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 008B0D90 Relevance: .0, Instructions: 43COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 008BDF86 Relevance: .0, Instructions: 29COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 008BDF57 Relevance: .0, Instructions: 26COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 008B5127 Relevance: .0, Instructions: 10COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00404EC0 Relevance: .0, Instructions: 10COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 008B4F87 Relevance: 12.1, APIs: 8, Instructions: 120threadsynchronizationCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 008B4737 Relevance: 10.7, APIs: 7, Instructions: 236COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 008B4CA7 Relevance: 10.7, APIs: 1, Strings: 6, Instructions: 200sleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 008BC1C7 Relevance: 6.2, APIs: 4, Instructions: 179COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 008B4540 Relevance: 6.1, APIs: 4, Instructions: 110COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 008B3797 Relevance: 6.0, APIs: 4, Instructions: 18memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |