Edit tour
Windows
Analysis Report
setup.exe
Overview
General Information
| Sample name: | setup.exe |
| Analysis ID: | 1461307 |
| MD5: | 864fb28b0001b98ddd896dbdc604db30 |
| SHA1: | 2c7691795b4313704b79c3dfe70b956e84b45a11 |
| SHA256: | 5de143343cc0a2b03f076de338308ac58eda529f6814a2e2266531d8ae09fbb0 |
| Tags: | exe |
| Infos: |  |
 | |
Detection
LummaC
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
setup.exe (PID: 3160 cmdline: "C:\Users\ user\Deskt op\setup.e xe" MD5: 864FB28B0001B98DDD896DBDC604DB30) - RegAsm.exe (PID: 5592 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13) 
WerFault.exe (PID: 2436 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 3 160 -s 696 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
{"C2 url": ["richardflorespoew.shop", "strwawrunnygjwu.shop", "justifycanddidatewd.shop", "raiseboltskdlwpow.shop", "falseaudiencekd.shop", "pleasurenarrowsdla.shop", "feighminoritsjda.shop", "marathonbeedksow.shop", "backcreammykiel.shop"], "Build id": "LPnhqo--@nevermoredielzt"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Code function: | 1_2_00415E52 | |
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00B02953 | |
| Source: | Code function: | 1_2_004178F0 | |
| Source: | Code function: | 1_2_0043A180 | |
| Source: | Code function: | 1_2_0040A2D0 | |
| Source: | Code function: | 1_2_00426B33 | |
| Source: | Code function: | 1_2_0041FB90 | |
| Source: | Code function: | 1_2_004153B5 | |
| Source: | Code function: | 1_2_004153B5 | |
| Source: | Code function: | 1_2_00425E08 | |
| Source: | Code function: | 1_2_00416EDE | |
| Source: | Code function: | 1_2_00416EDE | |
| Source: | Code function: | 1_2_00416EDE | |
| Source: | Code function: | 1_2_00416EDE | |
| Source: | Code function: | 1_2_00416EDE | |
| Source: | Code function: | 1_2_00416EDE | |
| Source: | Code function: | 1_2_00439790 | |
| Source: | Code function: | 1_2_0041DFB0 | |
| Source: | Code function: | 1_2_00410840 | |
| Source: | Code function: | 1_2_00408800 | |
| Source: | Code function: | 1_2_00410017 | |
| Source: | Code function: | 1_2_004270D3 | |
| Source: | Code function: | 1_2_004270D3 | |
| Source: | Code function: | 1_2_004270D3 | |
| Source: | Code function: | 1_2_004270D3 | |
| Source: | Code function: | 1_2_004270D3 | |
| Source: | Code function: | 1_2_004270D3 | |
| Source: | Code function: | 1_2_004270D3 | |
| Source: | Code function: | 1_2_004270D3 | |
| Source: | Code function: | 1_2_0042290F | |
| Source: | Code function: | 1_2_00427124 | |
| Source: | Code function: | 1_2_0042692A | |
| Source: | Code function: | 1_2_00415210 | |
| Source: | Code function: | 1_2_0040DAF0 | |
| Source: | Code function: | 1_2_00425280 | |
| Source: | Code function: | 1_2_00425280 | |
| Source: | Code function: | 1_2_00439AA0 | |
| Source: | Code function: | 1_2_00437B72 | |
| Source: | Code function: | 1_2_00434B10 | |
| Source: | Code function: | 1_2_00423BB3 | |
| Source: | Code function: | 1_2_00424400 | |
| Source: | Code function: | 1_2_00412C82 | |
| Source: | Code function: | 1_2_00439DF0 | |
| Source: | Code function: | 1_2_00422DA7 | |
| Source: | Code function: | 1_2_0041C67E | |
| Source: | Code function: | 1_2_00425609 | |
| Source: | Code function: | 1_2_0041061A | |
| Source: | Code function: | 1_2_00409E80 | |
| Source: | Code function: | 1_2_00402E80 | |
| Source: | Code function: | 1_2_004246A0 | |
| Source: | Code function: | 1_2_00434EB0 | |
| Source: | Code function: | 1_2_00425E02 | |
| Source: | Code function: | 1_2_00430F70 | |
| Source: | Code function: | 1_2_00425733 | |
| Source: | Code function: | 1_2_004255C5 | |
Networking | |
|---|
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 1_2_0042E310 | |
| Source: | Code function: | 1_2_0042E310 | |
| Source: | Code function: | 1_2_0042EC21 | |
| Source: | Code function: | 0_2_00AEC810 | |
| Source: | Code function: | 0_2_00AF6926 | |
| Source: | Code function: | 0_2_00AF3AA0 | |
| Source: | Code function: | 0_2_00AF1AF3 | |
| Source: | Code function: | 0_2_00B04B3E | |
| Source: | Code function: | 0_2_00AE5CC0 | |
| Source: | Code function: | 0_2_00B06C64 | |
| Source: | Code function: | 0_2_00AFFEFD | |
| Source: | Code function: | 0_2_00AFBFF9 | |
| Source: | Code function: | 1_2_004178F0 | |
| Source: | Code function: | 1_2_00420940 | |
| Source: | Code function: | 1_2_00416ACF | |
| Source: | Code function: | 1_2_004053A0 | |
| Source: | Code function: | 1_2_0041D4E0 | |
| Source: | Code function: | 1_2_00416EDE | |
| Source: | Code function: | 1_2_0041FFEC | |
| Source: | Code function: | 1_2_00439790 | |
| Source: | Code function: | 1_2_00408800 | |
| Source: | Code function: | 1_2_004270D3 | |
| Source: | Code function: | 1_2_00438080 | |
| Source: | Code function: | 1_2_004210AC | |
| Source: | Code function: | 1_2_00407140 | |
| Source: | Code function: | 1_2_004381C0 | |
| Source: | Code function: | 1_2_00401262 | |
| Source: | Code function: | 1_2_0041F2CC | |
| Source: | Code function: | 1_2_00439AA0 | |
| Source: | Code function: | 1_2_004103C0 | |
| Source: | Code function: | 1_2_00437C02 | |
| Source: | Code function: | 1_2_00406C30 | |
| Source: | Code function: | 1_2_004384E0 | |
| Source: | Code function: | 1_2_00437D20 | |
| Source: | Code function: | 1_2_00439DF0 | |
| Source: | Code function: | 1_2_00432580 | |
| Source: | Code function: | 1_2_00421E79 | |
| Source: | Code function: | 1_2_0041C67E | |
| Source: | Code function: | 1_2_00405EE0 | |
| Source: | Code function: | 1_2_004246A0 | |
| Source: | Code function: | 1_2_00434EB0 | |
| Source: | Code function: | 1_2_00403F20 | |
| Source: | Code function: | 1_2_00401FE0 | |
| Source: | Code function: | 1_2_004217E0 | |
| Source: | Code function: | 1_2_0040178D | |
| Source: | Process created: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 1_2_0042D8C5 | |
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Command line argument: | 0_2_00AE8EC0 | |
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | Virustotal: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00AEBA57 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | System information queried: | Jump to behavior | ||
| Source: | API coverage: | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Code function: | 0_2_00B02953 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Code function: | 1_2_004362B0 | |
| Source: | Code function: | 0_2_00AEC06D | |
| Source: | Code function: | 0_2_00B00C65 | |
| Source: | Code function: | 0_2_00AF9680 | |
| Source: | Code function: | 0_2_00B05C53 | |
| Source: | Code function: | 0_2_00AEC06D | |
| Source: | Code function: | 0_2_00AEC1FA | |
| Source: | Code function: | 0_2_00AEBD66 | |
| Source: | Code function: | 0_2_00AEFE83 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Code function: | 0_2_0147018D | |
| Source: | Memory written: | Jump to behavior | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00AEBB3C | |
| Source: | Code function: | 0_2_00B0508D | |
| Source: | Code function: | 0_2_00AFC8E0 | |
| Source: | Code function: | 0_2_00B0581C | |
| Source: | Code function: | 0_2_00B059F1 | |
| Source: | Code function: | 0_2_00B05922 | |
| Source: | Code function: | 0_2_00B05288 | |
| Source: | Code function: | 0_2_00B0532F | |
| Source: | Code function: | 0_2_00B0537A | |
| Source: | Code function: | 0_2_00B054A0 | |
| Source: | Code function: | 0_2_00B05415 | |
| Source: | Code function: | 0_2_00AFCDA9 | |
| Source: | Code function: | 0_2_00B056F3 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_00AEBF63 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 411 Process Injection | 12 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 411 Process Injection | LSASS Memory | 151 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 12 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 4 Data from Local System | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 1 Process Discovery | Distributed Component Object Model | 2 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 33 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 82% | ReversingLabs | Win32.Spyware.Lummastealer | ||
| 80% | Virustotal | Browse | ||
| 100% | Avira | HEUR/AGEN.1317017 | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 8% | Virustotal | Browse |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe | ||
| 15% | Virustotal | Browse | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 17% | Virustotal | Browse | ||
| 14% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 14% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 15% | Virustotal | Browse | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 14% | Virustotal | Browse | ||
| 13% | Virustotal | Browse | ||
| 100% | Avira URL Cloud | malware | ||
| 8% | Virustotal | Browse | ||
| 14% | Virustotal | Browse | ||
| 0% | Virustotal | Browse | ||
| 14% | Virustotal | Browse |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| backcreammykiel.shop | 104.21.90.18 | true | true |
| unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| true |
| unknown | ||
| true |
| unknown | ||
| false |
| unknown | ||
| true |
| unknown | ||
| true |
| unknown | ||
| true |
| unknown | ||
| true |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 104.21.90.18 | backcreammykiel.shop | United States | 13335 | CLOUDFLARENETUS | true |
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1461307 |
| Start date and time: | 2024-06-23 18:48:07 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 4m 46s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 10 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | setup.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@4/5@1/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 52.168.117.173
- Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
| Time | Type | Description |
|---|---|---|
| 12:48:55 | API Interceptor | |
| 12:49:11 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 104.21.90.18 | Get hash | malicious | LummaC, DCRat, LummaC Stealer | Browse | ||
| Get hash | malicious | LummaC, MicroClip | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| backcreammykiel.shop | Get hash | malicious | LummaC, DCRat, LummaC Stealer | Browse |
| |
| Get hash | malicious | LummaC, MicroClip | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | RisePro Stealer | Browse |
| |
| Get hash | malicious | LummaC, Xmrig | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | RisePro Stealer | Browse |
| |
| Get hash | malicious | LummaC, Xmrig | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, LummaC Stealer, RedLine | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC, DCRat, LummaC Stealer | Browse |
|
⊘No context
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_setup.exe_unknow_8464e4fd7a473682826b889ee6ebc9a041806666_fb4ad30c_1e34bb94-6c1a-4e68-a2c4-14aed3266004\Report.wer 
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.9032313793430391 |
| Encrypted: | false |
| SSDEEP: | 96:nmF67JPs1hqy1yDfRgBQXIDcQvc6QcEVcw3cE/n+HbHg/1AnQECaVDPCoLnNfoUa:maJPjh0BU/gjICBqzuiF5Z24IO8z6 |
| MD5: | 23B5BB885BDA0507143F7895134D3731 |
| SHA1: | 488FE61BAE9B1A5250C4908354077EDF4AD35210 |
| SHA-256: | B5D19A91DBD77E6349553A68018A17D82EBD5BFDDF7833E114474812CF74B85B |
| SHA-512: | 421877024027D2E79CCC653711C3EDA21EF2E4A5AA40E5BFA3BDCD0BB1C8FF1981B477DFF5F0198A2CBD72AB3D577803DDD796D985C9910AED606777A8C15565 |
| Malicious: | true |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 38028 |
| Entropy (8bit): | 2.1530547977226298 |
| Encrypted: | false |
| SSDEEP: | 192:pnicXW1Xyt/sPOYs3SaVDsS/I46enGAd/i:hiPYpL3SaRsS/I466i |
| MD5: | D066339690A2E8BC7A0D0D937C68BB87 |
| SHA1: | 7CED279E83AC991BD4BBC0551EFBB258F10CFB76 |
| SHA-256: | D5F152C31078816C30C187CF1D5B100D842A89B804663D5ADD4F962C34836076 |
| SHA-512: | CE9F423551D84D9C39C3828637A38C3713D719CBEA45F173C4D525CF33029E1F87414D8BCFEC30EE982685C86AA56DA0862585AE25551C0EB192AEBF7F0A61D2 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8302 |
| Entropy (8bit): | 3.6925507388227663 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJSw6k6YEIYSU9uikgmfPdJDApr089bLosf2A5m:R6lXJ96k6YEnSU9uZgmfPdJDkLbfI |
| MD5: | 05F4B69D713933F6449960C67803B6C8 |
| SHA1: | EBA522DAAA32AD60DC494D8D4C4B345FA991938D |
| SHA-256: | D3BC6DC8EEC9BE6FB503A1557E6FC8A9262339EEE5C5AB008E7052384275BE92 |
| SHA-512: | AEA6AD4B85E6BC5FCD639D51ACAABC37FA57C19DB9C819B78593E03FACECDA00D9A3B9E9616512AF3E6E0AFAA462A6647F328AB4CC2BC896E143624BF53EA2FB |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4584 |
| Entropy (8bit): | 4.4472178756200496 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsPJg77aI98fWpW8VYjYm8M4JSddiFH+q8RuMyeX/VIkd:uIjfxI7OO7VnJSduiTyeX/VIkd |
| MD5: | 1083C895A7B00D3AB37C92ECB07C9EC8 |
| SHA1: | A5B49CB282B87C99C03A6CFBEAA097342B228DE6 |
| SHA-256: | 9283360ACA7ED28E032B2D67F6F93DB9975F401574B3F921040EF1CD4DFCB04D |
| SHA-512: | BD6AFEC5715D7AE26947F29AD320F4CF7C1670D20EFC95628975ED765D79D8A86AF02646A7E9654697E1566234FD632EFFED678A90C897EB37D377DCE83914D2 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1835008 |
| Entropy (8bit): | 4.421334784014075 |
| Encrypted: | false |
| SSDEEP: | 6144:GSvfpi6ceLP/9skLmb0OTgWSPHaJG8nAgeMZMMhA2fX4WABlEnNG0uhiTw:lvloTgW+EZMM6DFy003w |
| MD5: | 1F55EA4B06E8FB477BA58C946BF2C5F5 |
| SHA1: | 5760A672F53A0F3255249F1D1640B47F7A49433B |
| SHA-256: | 2439BD4E7340EAD3B3BB4EBF3118698A28EEAB462CA644A134B04A67A255C34B |
| SHA-512: | B269F4F9B36073F0693A684E12E91CE0359E3F8E92AFB0C2B7651D3425BA3F4F8E145FA9F24C0A8E8F12BD3BDCBF505E34C4CFEFAB1E0E1F3CF71F0535FD2172 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.606039017653037 |
| TrID: |
|
| File name: | setup.exe |
| File size: | 536'576 bytes |
| MD5: | 864fb28b0001b98ddd896dbdc604db30 |
| SHA1: | 2c7691795b4313704b79c3dfe70b956e84b45a11 |
| SHA256: | 5de143343cc0a2b03f076de338308ac58eda529f6814a2e2266531d8ae09fbb0 |
| SHA512: | a7bec87ea630cbcfb28770bda372ebb7435f753caf6b8255c06d546f11a56c60018ad75f16938d50bb88749b2a2be970c9a9708455b65e5619dc4acae5be1317 |
| SSDEEP: | 12288:cckdVi3+T/Tvm4YqTwEa+1mieYTAk+tvC4hV8vTuNnlv:ccoNT/laKmu6K5vTuNl |
| TLSH: | CAB4E041B4C08032D5A2157305B5D7B55A7EB9714FA19ACFA3D00EBECF302D2EB3696A |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........|]../]../]../....L../......./....K../.S..O../.S..H../....T../]../.../.S...../.P..\../.P..\../Rich]../................PE..L.. |
 | |
| Icon Hash: | 00928e8e8686b000 |
| Entrypoint: | 0x40b7e9 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x66716A0D [Tue Jun 18 11:05:49 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 99046e3afc60e2ca10c62342349ab573 |
| Instruction |
|---|
| call 00007F5B75051D87h |
| jmp 00007F5B7505143Fh |
| push ebp |
| mov ebp, esp |
| mov eax, dword ptr [ebp+08h] |
| push esi |
| mov ecx, dword ptr [eax+3Ch] |
| add ecx, eax |
| movzx eax, word ptr [ecx+14h] |
| lea edx, dword ptr [ecx+18h] |
| add edx, eax |
| movzx eax, word ptr [ecx+06h] |
| imul esi, eax, 28h |
| add esi, edx |
| cmp edx, esi |
| je 00007F5B750515DBh |
| mov ecx, dword ptr [ebp+0Ch] |
| cmp ecx, dword ptr [edx+0Ch] |
| jc 00007F5B750515CCh |
| mov eax, dword ptr [edx+08h] |
| add eax, dword ptr [edx+0Ch] |
| cmp ecx, eax |
| jc 00007F5B750515CEh |
| add edx, 28h |
| cmp edx, esi |
| jne 00007F5B750515ACh |
| xor eax, eax |
| pop esi |
| pop ebp |
| ret |
| mov eax, edx |
| jmp 00007F5B750515BBh |
| push esi |
| call 00007F5B7505208Dh |
| test eax, eax |
| je 00007F5B750515E2h |
| mov eax, dword ptr fs:[00000018h] |
| mov esi, 00482C54h |
| mov edx, dword ptr [eax+04h] |
| jmp 00007F5B750515C6h |
| cmp edx, eax |
| je 00007F5B750515D2h |
| xor eax, eax |
| mov ecx, edx |
| lock cmpxchg dword ptr [esi], ecx |
| test eax, eax |
| jne 00007F5B750515B2h |
| xor al, al |
| pop esi |
| ret |
| mov al, 01h |
| pop esi |
| ret |
| push ebp |
| mov ebp, esp |
| cmp dword ptr [ebp+08h], 00000000h |
| jne 00007F5B750515C9h |
| mov byte ptr [00482C58h], 00000001h |
| call 00007F5B75051883h |
| call 00007F5B750546D0h |
| test al, al |
| jne 00007F5B750515C6h |
| xor al, al |
| pop ebp |
| ret |
| call 00007F5B750611B0h |
| test al, al |
| jne 00007F5B750515CCh |
| push 00000000h |
| call 00007F5B750546D7h |
| pop ecx |
| jmp 00007F5B750515ABh |
| mov al, 01h |
| pop ebp |
| ret |
| push ebp |
| mov ebp, esp |
| cmp byte ptr [00482C59h], 00000000h |
| je 00007F5B750515C6h |
| mov al, 01h |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x36c1c | 0x3c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x84000 | 0x1ff0 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x34ba8 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x34ae8 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2c000 | 0x140 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x2ae80 | 0x2b000 | 4cef04bfd6a856d676a20168b55991fa | False | 0.5568790879360465 | data | 6.6415730792011125 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x2c000 | 0xb35e | 0xb400 | 64ea1ad55f0f2be727280d496192c7f3 | False | 0.42172309027777777 | OpenPGP Public Key Version 3 | 5.02587358743008 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x38000 | 0x4b868 | 0x4a800 | f2ad39b2f7442e6a0b387d840c7ba732 | False | 0.9861282246224832 | data | 7.988107939711677 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .reloc | 0x84000 | 0x1ff0 | 0x2000 | c10142443bcc2b196f0abb39f4271c62 | False | 0.7646484375 | data | 6.557127630374172 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| DLL | Import |
|---|---|
| ADVAPI32.dll | GetNumberOfEventLogRecords |
| KERNEL32.dll | CreateFileW, HeapSize, WriteConsoleW, CloseHandle, WaitForSingleObject, CreateThread, VirtualAlloc, GetCurrentThreadId, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, QueryPerformanceCounter, EncodePointer, DecodePointer, LCMapStringEx, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetProcessHeap, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, GetModuleHandleExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, HeapAlloc, HeapFree, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, SetEndOfFile |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jun 23, 2024 18:48:55.472493887 CEST | 49705 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:55.472523928 CEST | 443 | 49705 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:55.472599983 CEST | 49705 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:55.473892927 CEST | 49705 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:55.473907948 CEST | 443 | 49705 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:55.994275093 CEST | 443 | 49705 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:55.994338989 CEST | 49705 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:55.999203920 CEST | 49705 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:55.999212980 CEST | 443 | 49705 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:56.000118971 CEST | 443 | 49705 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:56.052402973 CEST | 49705 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:56.069652081 CEST | 49705 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:56.069667101 CEST | 49705 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:56.069765091 CEST | 443 | 49705 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:56.462074995 CEST | 443 | 49705 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:56.462181091 CEST | 443 | 49705 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:56.462308884 CEST | 49705 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:56.463648081 CEST | 49705 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:56.463665962 CEST | 443 | 49705 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:56.463713884 CEST | 49705 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:56.463721037 CEST | 443 | 49705 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:56.471035004 CEST | 49706 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:56.471054077 CEST | 443 | 49706 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:56.471127033 CEST | 49706 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:56.471430063 CEST | 49706 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:56.471446991 CEST | 443 | 49706 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:56.967505932 CEST | 443 | 49706 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:56.967664003 CEST | 49706 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:56.994180918 CEST | 49706 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:56.994195938 CEST | 443 | 49706 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:56.994533062 CEST | 443 | 49706 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:56.996470928 CEST | 49706 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:56.996504068 CEST | 49706 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:56.996630907 CEST | 443 | 49706 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:57.669300079 CEST | 443 | 49706 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:57.669344902 CEST | 443 | 49706 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:57.669428110 CEST | 49706 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:57.669440031 CEST | 443 | 49706 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:57.669531107 CEST | 443 | 49706 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:57.669558048 CEST | 443 | 49706 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:57.669572115 CEST | 49706 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:57.669579983 CEST | 443 | 49706 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:57.669737101 CEST | 49706 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:57.669822931 CEST | 443 | 49706 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:57.670036077 CEST | 443 | 49706 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:57.670099974 CEST | 49706 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:57.670105934 CEST | 443 | 49706 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:57.670245886 CEST | 443 | 49706 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:57.670315027 CEST | 49706 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:57.670320988 CEST | 443 | 49706 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:57.674386978 CEST | 443 | 49706 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:57.674484015 CEST | 49706 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:57.674489975 CEST | 443 | 49706 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:57.724282980 CEST | 49706 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:57.757682085 CEST | 443 | 49706 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:57.758400917 CEST | 443 | 49706 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:57.758433104 CEST | 443 | 49706 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:57.758454084 CEST | 49706 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:57.758469105 CEST | 443 | 49706 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:57.758523941 CEST | 443 | 49706 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:57.758528948 CEST | 49706 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:57.758599997 CEST | 49706 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:57.758734941 CEST | 49706 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:57.758758068 CEST | 443 | 49706 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:57.758769035 CEST | 49706 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:57.758774996 CEST | 443 | 49706 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:57.791977882 CEST | 49709 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:57.792013884 CEST | 443 | 49709 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:57.792093992 CEST | 49709 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:57.792494059 CEST | 49709 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:57.792505980 CEST | 443 | 49709 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:58.251637936 CEST | 443 | 49709 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:58.251708984 CEST | 49709 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:58.252680063 CEST | 49709 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:58.252686024 CEST | 443 | 49709 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:58.252882957 CEST | 443 | 49709 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:58.261334896 CEST | 49709 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:58.261460066 CEST | 49709 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:58.261480093 CEST | 443 | 49709 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:58.668775082 CEST | 443 | 49709 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:58.668854952 CEST | 443 | 49709 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:58.669028044 CEST | 49709 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:58.669186115 CEST | 49709 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:58.694732904 CEST | 49713 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:58.694787025 CEST | 443 | 49713 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:58.694910049 CEST | 49713 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:58.695216894 CEST | 49713 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:58.695235968 CEST | 443 | 49713 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:59.177886009 CEST | 443 | 49713 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:59.177952051 CEST | 49713 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:59.178991079 CEST | 49713 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:59.179028988 CEST | 443 | 49713 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:59.179260015 CEST | 443 | 49713 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:59.180406094 CEST | 49713 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:59.180552959 CEST | 49713 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:59.180599928 CEST | 443 | 49713 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:59.180677891 CEST | 49713 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:59.180694103 CEST | 443 | 49713 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:59.884301901 CEST | 443 | 49713 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:59.884387970 CEST | 443 | 49713 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:59.884435892 CEST | 49713 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:59.884615898 CEST | 49713 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:59.884639978 CEST | 443 | 49713 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:59.964586973 CEST | 49715 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:59.964663982 CEST | 443 | 49715 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:48:59.964766979 CEST | 49715 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:59.965065956 CEST | 49715 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:48:59.965111017 CEST | 443 | 49715 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:00.443603039 CEST | 443 | 49715 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:00.443698883 CEST | 49715 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:00.444713116 CEST | 49715 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:00.444736004 CEST | 443 | 49715 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:00.445053101 CEST | 443 | 49715 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:00.452241898 CEST | 49715 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:00.452369928 CEST | 49715 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:00.452409983 CEST | 443 | 49715 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:00.452496052 CEST | 49715 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:00.452512980 CEST | 443 | 49715 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:01.276782990 CEST | 443 | 49715 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:01.276878119 CEST | 443 | 49715 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:01.276967049 CEST | 49715 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:01.277235985 CEST | 49715 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:01.277276993 CEST | 443 | 49715 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:01.362164974 CEST | 49716 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:01.362245083 CEST | 443 | 49716 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:01.362329006 CEST | 49716 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:01.362612963 CEST | 49716 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:01.362648964 CEST | 443 | 49716 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:01.825382948 CEST | 443 | 49716 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:01.825494051 CEST | 49716 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:01.826786995 CEST | 49716 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:01.826808929 CEST | 443 | 49716 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:01.827055931 CEST | 443 | 49716 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:01.828366041 CEST | 49716 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:01.828497887 CEST | 49716 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:01.828541040 CEST | 443 | 49716 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:02.479348898 CEST | 443 | 49716 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:02.479450941 CEST | 443 | 49716 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:02.479511976 CEST | 49716 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:02.479581118 CEST | 49716 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:02.479603052 CEST | 443 | 49716 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:02.494672060 CEST | 49717 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:02.494767904 CEST | 443 | 49717 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:02.494883060 CEST | 49717 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:02.495122910 CEST | 49717 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:02.495157957 CEST | 443 | 49717 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:02.951198101 CEST | 443 | 49717 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:02.951297045 CEST | 49717 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:02.952586889 CEST | 49717 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:02.952610970 CEST | 443 | 49717 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:02.952853918 CEST | 443 | 49717 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:02.954005957 CEST | 49717 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:02.954113007 CEST | 49717 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:02.954128981 CEST | 443 | 49717 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:03.347866058 CEST | 443 | 49717 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:03.347966909 CEST | 443 | 49717 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:03.348059893 CEST | 49717 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:03.348242998 CEST | 49717 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:03.348288059 CEST | 443 | 49717 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:03.804414988 CEST | 49718 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:03.804553032 CEST | 443 | 49718 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:03.804650068 CEST | 49718 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:03.805124998 CEST | 49718 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:03.805164099 CEST | 443 | 49718 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:04.270253897 CEST | 443 | 49718 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:04.270546913 CEST | 49718 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:04.271665096 CEST | 49718 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:04.271687031 CEST | 443 | 49718 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:04.271919966 CEST | 443 | 49718 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:04.273073912 CEST | 49718 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:04.273752928 CEST | 49718 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:04.273796082 CEST | 443 | 49718 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:04.273895979 CEST | 49718 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:04.273935080 CEST | 443 | 49718 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:04.274059057 CEST | 49718 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:04.274104118 CEST | 443 | 49718 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:04.274266005 CEST | 49718 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:04.274316072 CEST | 443 | 49718 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:04.274494886 CEST | 49718 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:04.274543047 CEST | 443 | 49718 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:04.274760962 CEST | 49718 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:04.274801016 CEST | 443 | 49718 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:04.274826050 CEST | 49718 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:04.274847031 CEST | 443 | 49718 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:04.274981022 CEST | 49718 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:04.275016069 CEST | 443 | 49718 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:04.275054932 CEST | 49718 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:04.275151014 CEST | 49718 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:04.275194883 CEST | 49718 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:04.283998966 CEST | 443 | 49718 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:04.284215927 CEST | 49718 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:04.284259081 CEST | 443 | 49718 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:04.284303904 CEST | 49718 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:04.284382105 CEST | 49718 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:04.285725117 CEST | 443 | 49718 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:06.533356905 CEST | 443 | 49718 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:06.533437967 CEST | 443 | 49718 | 104.21.90.18 | 192.168.2.5 |
| Jun 23, 2024 18:49:06.533504963 CEST | 49718 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:06.533606052 CEST | 49718 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jun 23, 2024 18:49:06.533641100 CEST | 443 | 49718 | 104.21.90.18 | 192.168.2.5 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jun 23, 2024 18:48:55.452292919 CEST | 65355 | 53 | 192.168.2.5 | 1.1.1.1 |
| Jun 23, 2024 18:48:55.467715025 CEST | 53 | 65355 | 1.1.1.1 | 192.168.2.5 |
| Jun 23, 2024 18:49:14.843425989 CEST | 53 | 51241 | 1.1.1.1 | 192.168.2.5 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jun 23, 2024 18:48:55.452292919 CEST | 192.168.2.5 | 1.1.1.1 | 0x58a7 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jun 23, 2024 18:48:55.467715025 CEST | 1.1.1.1 | 192.168.2.5 | 0x58a7 | No error (0) | 104.21.90.18 | A (IP address) | IN (0x0001) | false | ||
| Jun 23, 2024 18:48:55.467715025 CEST | 1.1.1.1 | 192.168.2.5 | 0x58a7 | No error (0) | 172.67.151.5 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49705 | 104.21.90.18 | 443 | 5592 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-06-23 16:48:56 UTC | 267 | OUT | |
| 2024-06-23 16:48:56 UTC | 8 | OUT | |
| 2024-06-23 16:48:56 UTC | 812 | IN | |
| 2024-06-23 16:48:56 UTC | 7 | IN | |
| 2024-06-23 16:48:56 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.5 | 49706 | 104.21.90.18 | 443 | 5592 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-06-23 16:48:56 UTC | 268 | OUT | |
| 2024-06-23 16:48:56 UTC | 65 | OUT | |
| 2024-06-23 16:48:57 UTC | 806 | IN | |
| 2024-06-23 16:48:57 UTC | 563 | IN | |
| 2024-06-23 16:48:57 UTC | 1369 | IN | |
| 2024-06-23 16:48:57 UTC | 1369 | IN | |
| 2024-06-23 16:48:57 UTC | 1369 | IN | |
| 2024-06-23 16:48:57 UTC | 1369 | IN | |
| 2024-06-23 16:48:57 UTC | 1369 | IN | |
| 2024-06-23 16:48:57 UTC | 1369 | IN | |
| 2024-06-23 16:48:57 UTC | 1369 | IN | |
| 2024-06-23 16:48:57 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.5 | 49709 | 104.21.90.18 | 443 | 5592 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-06-23 16:48:58 UTC | 286 | OUT | |
| 2024-06-23 16:48:58 UTC | 12846 | OUT | |
| 2024-06-23 16:48:58 UTC | 816 | IN | |
| 2024-06-23 16:48:58 UTC | 19 | IN | |
| 2024-06-23 16:48:58 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.5 | 49713 | 104.21.90.18 | 443 | 5592 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-06-23 16:48:59 UTC | 286 | OUT | |
| 2024-06-23 16:48:59 UTC | 15088 | OUT | |
| 2024-06-23 16:48:59 UTC | 808 | IN | |
| 2024-06-23 16:48:59 UTC | 19 | IN | |
| 2024-06-23 16:48:59 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.5 | 49715 | 104.21.90.18 | 443 | 5592 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-06-23 16:49:00 UTC | 286 | OUT | |
| 2024-06-23 16:49:00 UTC | 15331 | OUT | |
| 2024-06-23 16:49:00 UTC | 5247 | OUT | |
| 2024-06-23 16:49:01 UTC | 810 | IN | |
| 2024-06-23 16:49:01 UTC | 19 | IN | |
| 2024-06-23 16:49:01 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.5 | 49716 | 104.21.90.18 | 443 | 5592 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-06-23 16:49:01 UTC | 285 | OUT | |
| 2024-06-23 16:49:01 UTC | 5455 | OUT | |
| 2024-06-23 16:49:02 UTC | 814 | IN | |
| 2024-06-23 16:49:02 UTC | 19 | IN | |
| 2024-06-23 16:49:02 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.5 | 49717 | 104.21.90.18 | 443 | 5592 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-06-23 16:49:02 UTC | 285 | OUT | |
| 2024-06-23 16:49:02 UTC | 1286 | OUT | |
| 2024-06-23 16:49:03 UTC | 808 | IN | |
| 2024-06-23 16:49:03 UTC | 19 | IN | |
| 2024-06-23 16:49:03 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.5 | 49718 | 104.21.90.18 | 443 | 5592 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-06-23 16:49:04 UTC | 287 | OUT | |
| 2024-06-23 16:49:04 UTC | 15331 | OUT | |
| 2024-06-23 16:49:04 UTC | 15331 | OUT | |
| 2024-06-23 16:49:04 UTC | 15331 | OUT | |
| 2024-06-23 16:49:04 UTC | 15331 | OUT | |
| 2024-06-23 16:49:04 UTC | 15331 | OUT | |
| 2024-06-23 16:49:04 UTC | 15331 | OUT | |
| 2024-06-23 16:49:04 UTC | 15331 | OUT | |
| 2024-06-23 16:49:04 UTC | 15331 | OUT | |
| 2024-06-23 16:49:04 UTC | 15331 | OUT | |
| 2024-06-23 16:49:04 UTC | 15331 | OUT | |
| 2024-06-23 16:49:06 UTC | 816 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 12:48:54 |
| Start date: | 23/06/2024 |
| Path: | C:\Users\user\Desktop\setup.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xae0000 |
| File size: | 536'576 bytes |
| MD5 hash: | 864FB28B0001B98DDD896DBDC604DB30 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 12:48:54 |
| Start date: | 23/06/2024 |
| Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xeb0000 |
| File size: | 65'440 bytes |
| MD5 hash: | 0D5DF43AF2916F47D00C1573797C1A13 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 5 |
| Start time: | 12:48:54 |
| Start date: | 23/06/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x290000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 3% |
| Dynamic/Decrypted Code Coverage: | 1.1% |
| Signature Coverage: | 4.8% |
| Total number of Nodes: | 559 |
| Total number of Limit Nodes: | 5 |
Graph
Function 0147018D Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282threadinjectionmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00AE8EC0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 165synchronizationthreadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B094F2 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00AE83C0 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 124memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00AFC69C Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B020F8 Relevance: 1.6, APIs: 1, Instructions: 54COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B0581C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B0508D Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00AFFEFD Relevance: 6.3, APIs: 4, Instructions: 337COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00AEC06D Relevance: 6.1, APIs: 4, Instructions: 70COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B054A0 Relevance: 4.7, APIs: 3, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00AF3AA0 Relevance: 3.4, APIs: 2, Instructions: 449COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00AEBB3C Relevance: 1.6, APIs: 1, Instructions: 147COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B02953 Relevance: 1.6, APIs: 1, Instructions: 108COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00AF6926 Relevance: 1.6, Strings: 1, Instructions: 344COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B056F3 Relevance: 1.6, APIs: 1, Instructions: 83COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B05922 Relevance: 1.5, APIs: 1, Instructions: 45COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B05288 Relevance: 1.5, APIs: 1, Instructions: 43COMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00AEC1FA Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B05C53 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00AE5CC0 Relevance: .4, Instructions: 363COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B04B3E Relevance: .3, Instructions: 327COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00AF1AF3 Relevance: .2, Instructions: 158COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00AEC810 Relevance: .1, Instructions: 76COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B00C65 Relevance: .0, Instructions: 22COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00AF9680 Relevance: .0, Instructions: 12COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00AEB4EF Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00AEED98 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00AFF625 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 298COMMONLIBRARYCODE
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00AEB2C8 Relevance: 12.2, APIs: 8, Instructions: 175COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00AFCAA9 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00AE2990 Relevance: 9.1, APIs: 6, Instructions: 95COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00AF96A2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B01C33 Relevance: 7.7, APIs: 5, Instructions: 202COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00AEA042 Relevance: 7.6, APIs: 5, Instructions: 65COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00AE94F0 Relevance: 7.5, APIs: 5, Instructions: 44COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00AEFB72 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00AEF13D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00AE3230 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 15.8% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 30.3% |
| Total number of Nodes: | 350 |
| Total number of Limit Nodes: | 23 |
Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040A2D0 Relevance: 13.0, Strings: 10, Instructions: 454COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00416EDE Relevance: 9.6, Strings: 7, Instructions: 855COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004178F0 Relevance: 5.5, Strings: 4, Instructions: 464COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043A180 Relevance: 2.8, Strings: 2, Instructions: 259COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00415E52 Relevance: 1.7, APIs: 1, Instructions: 164COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004153B5 Relevance: 1.6, Strings: 1, Instructions: 398COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041FB90 Relevance: 1.5, Strings: 1, Instructions: 266COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004362B0 Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00439790 Relevance: .3, Instructions: 281COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426B33 Relevance: .1, Instructions: 144COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041DFB0 Relevance: .1, Instructions: 84COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042D8C5 Relevance: .0, Instructions: 20COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00417E2E Relevance: 6.1, APIs: 4, Instructions: 129COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042B979 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040AC10 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 360libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00434662 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00435F65 Relevance: 3.0, APIs: 2, Instructions: 10COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004361FC Relevance: 1.6, APIs: 1, Instructions: 71memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004344D0 Relevance: 1.6, APIs: 1, Instructions: 69memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00435E37 Relevance: 1.6, APIs: 1, Instructions: 67libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00409E80 Relevance: 11.6, Strings: 9, Instructions: 334COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004270D3 Relevance: 7.8, Strings: 5, Instructions: 1559COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004246A0 Relevance: 3.0, Strings: 2, Instructions: 535COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00427124 Relevance: 2.8, Strings: 2, Instructions: 333COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00425733 Relevance: 1.4, Strings: 1, Instructions: 194COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004255C5 Relevance: 1.4, Strings: 1, Instructions: 130COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00422DA7 Relevance: 1.3, Strings: 1, Instructions: 6COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00434EB0 Relevance: .8, Instructions: 826COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00408800 Relevance: .8, Instructions: 788COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00439DF0 Relevance: .3, Instructions: 336COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00439AA0 Relevance: .3, Instructions: 314COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00425280 Relevance: .3, Instructions: 284COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00434B10 Relevance: .2, Instructions: 185COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00415210 Relevance: .1, Instructions: 146COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041061A Relevance: .1, Instructions: 120COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00412C82 Relevance: .1, Instructions: 100COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402E80 Relevance: .1, Instructions: 95COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042692A Relevance: .1, Instructions: 88COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00425609 Relevance: .1, Instructions: 80COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00430F70 Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00424400 Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00437B72 Relevance: .0, Instructions: 38COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040DAF0 Relevance: .0, Instructions: 21COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00410840 Relevance: .0, Instructions: 11COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00410017 Relevance: .0, Instructions: 11COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00423BB3 Relevance: .0, Instructions: 11COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|