Edit tour
Windows
Analysis Report
mJXdkcP4Wx.exe
Overview
General Information
| Sample name: | mJXdkcP4Wx.exerenamed because original name is a hash value |
| Original sample name: | be89dddee1630cde41b95d2df6070bd3.exe |
| Analysis ID: | 1529199 |
| MD5: | be89dddee1630cde41b95d2df6070bd3 |
| SHA1: | bceb2f765aad912ea1e1e3d324f215baece7fcb5 |
| SHA256: | e3cd6c9514e46e4bd1e42240e6ec7a82322fe4792a270312ff1ae096b3c4e16f |
| Tags: | exeStealcuser-abuse_ch |
| Infos: |  |
 | |
Detection
Stealc
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Machine Learning detection for sample
Searches for specific processes (likely to inject)
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
One or more processes crash
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
mJXdkcP4Wx.exe (PID: 3496 cmdline: "C:\Users\ user\Deskt op\mJXdkcP 4Wx.exe" MD5: BE89DDDEE1630CDE41B95D2DF6070BD3) 
WerFault.exe (PID: 1996 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 3 496 -s 804 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 4744 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 3 496 -s 804 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 3680 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 3 496 -s 828 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 6728 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 3 496 -s 860 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 2796 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 3 496 -s 884 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 7104 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 3 496 -s 110 4 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 360 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 3 496 -s 106 0 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Stealc | Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. | No Attribution |
{"C2 url": "http://62.122.184.144/f88d87a7e087e100.php", "Botnet": "default5_pal"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Stealc | Yara detected Stealc | Joe Security | ||
| Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
| |
| JoeSecurity_Stealc | Yara detected Stealc | Joe Security | ||
| Windows_Trojan_Smokeloader_3687686f | unknown | unknown |
| |
| JoeSecurity_Stealc | Yara detected Stealc | Joe Security | ||
| Click to see the 3 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Stealc | Yara detected Stealc | Joe Security | ||
| JoeSecurity_Stealc | Yara detected Stealc | Joe Security | ||
| JoeSecurity_Stealc | Yara detected Stealc | Joe Security | ||
| JoeSecurity_Stealc | Yara detected Stealc | Joe Security | ||
| JoeSecurity_Stealc | Yara detected Stealc | Joe Security | ||
| Click to see the 1 entries | ||||
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-08T18:48:09.342481+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 62.122.184.144 | 80 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Code function: | 0_2_0040C820 | |
| Source: | Code function: | 0_2_00407240 | |
| Source: | Code function: | 0_2_00409AC0 | |
| Source: | Code function: | 0_2_00418EA0 | |
| Source: | Code function: | 0_2_00409B60 | |
| Source: | Code function: | 0_2_022CCA87 | |
| Source: | Code function: | 0_2_022C74A7 | |
| Source: | Code function: | 0_2_022C9D27 | |
| Source: | Code function: | 0_2_022D9107 | |
| Source: | Code function: | 0_2_022C9DC7 | |
Compliance | |
|---|
| Source: | Unpacked PE file: | ||
| Source: | Static PE information: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Code function: | 0_2_0040E430 | |
| Source: | Code function: | 0_2_004138B0 | |
| Source: | Code function: | 0_2_00414570 | |
| Source: | Code function: | 0_2_00414910 | |
| Source: | Code function: | 0_2_0040ED20 | |
| Source: | Code function: | 0_2_0040BE70 | |
| Source: | Code function: | 0_2_0040DE10 | |
| Source: | Code function: | 0_2_004016D0 | |
| Source: | Code function: | 0_2_0040DA80 | |
| Source: | Code function: | 0_2_00413EA0 | |
| Source: | Code function: | 0_2_0040F6B0 | |
| Source: | Code function: | 0_2_022CE697 | |
| Source: | Code function: | 0_2_022D3B17 | |
| Source: | Code function: | 0_2_022D4B77 | |
| Source: | Code function: | 0_2_022CEF87 | |
| Source: | Code function: | 0_2_022D47D7 | |
| Source: | Code function: | 0_2_022CE077 | |
| Source: | Code function: | 0_2_022CDCE7 | |
| Source: | Code function: | 0_2_022CF8F1 | |
| Source: | Code function: | 0_2_022CC0D7 | |
| Source: | Code function: | 0_2_022C1937 | |
| Source: | Code function: | 0_2_022D4107 | |
| Source: | Code function: | 0_2_022CF917 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | URLs: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | ASN Name: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 0_2_00404880 | |
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Code function: | ||
| Source: | Process created: | ||
| Source: | Static PE information: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_00419600 | |
| Source: | Code function: | 0_2_00413720 | |
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
Data Obfuscation | |
|---|
| Source: | Unpacked PE file: | ||
| Source: | Unpacked PE file: | ||
| Source: | Code function: | 0_2_00419860 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_0041B048 | |
| Source: | Code function: | 0_2_00400211 | |
| Source: | Code function: | 0_2_0076B5EC | |
| Source: | Code function: | 0_2_0076E5C9 | |
| Source: | Code function: | 0_2_0076E5C9 | |
| Source: | Code function: | 0_2_0076AAD8 | |
| Source: | Code function: | 0_2_022DB2AF | |
| Source: | Code function: | 0_2_022C1078 | |
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00419860 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | Evasive API call chain: | graph_0-26388 | ||
| Source: | Evaded block: | graph_0-27549 | ||
| Source: | API coverage: | ||
| Source: | Code function: | 0_2_0040E430 | |
| Source: | Code function: | 0_2_004138B0 | |
| Source: | Code function: | 0_2_00414570 | |
| Source: | Code function: | 0_2_00414910 | |
| Source: | Code function: | 0_2_0040ED20 | |
| Source: | Code function: | 0_2_0040BE70 | |
| Source: | Code function: | 0_2_0040DE10 | |
| Source: | Code function: | 0_2_004016D0 | |
| Source: | Code function: | 0_2_0040DA80 | |
| Source: | Code function: | 0_2_00413EA0 | |
| Source: | Code function: | 0_2_0040F6B0 | |
| Source: | Code function: | 0_2_022CE697 | |
| Source: | Code function: | 0_2_022D3B17 | |
| Source: | Code function: | 0_2_022D4B77 | |
| Source: | Code function: | 0_2_022CEF87 | |
| Source: | Code function: | 0_2_022D47D7 | |
| Source: | Code function: | 0_2_022CE077 | |
| Source: | Code function: | 0_2_022CDCE7 | |
| Source: | Code function: | 0_2_022CF8F1 | |
| Source: | Code function: | 0_2_022CC0D7 | |
| Source: | Code function: | 0_2_022C1937 | |
| Source: | Code function: | 0_2_022D4107 | |
| Source: | Code function: | 0_2_022CF917 | |
| Source: | Code function: | 0_2_00401160 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_0-26373 | ||
| Source: | API call chain: | graph_0-26261 | ||
| Source: | API call chain: | graph_0-26376 | ||
| Source: | API call chain: | graph_0-26416 | ||
| Source: | API call chain: | graph_0-26395 | ||
| Source: | API call chain: | graph_0-27802 | ||
| Source: | API call chain: | graph_0-26387 | ||
| Source: | API call chain: | graph_0-26215 | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_004045C0 | |
| Source: | Code function: | 0_2_0041AD48 | |
| Source: | Code function: | 0_2_004045C0 | |
| Source: | Code function: | 0_2_00419860 | |
| Source: | Code function: | 0_2_00419750 | |
| Source: | Code function: | 0_2_007698AB | |
| Source: | Code function: | 0_2_022C092B | |
| Source: | Code function: | 0_2_022D99B7 | |
| Source: | Code function: | 0_2_022C0D90 | |
| Source: | Code function: | 0_2_00417850 | |
| Source: | Code function: | 0_2_0041AD48 | |
| Source: | Code function: | 0_2_0041CEEA | |
| Source: | Code function: | 0_2_0041B33A | |
| Source: | Code function: | 0_2_022DAFAF | |
| Source: | Code function: | 0_2_022DD151 | |
| Source: | Code function: | 0_2_022DB5A1 | |
| Source: | Memory protected: | Jump to behavior | ||
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | File source: | ||
| Source: | Code function: | 0_2_00419600 | |
| Source: | Code function: | 0_2_022D9867 | |
| Source: | Code function: | 0_2_00417B90 | |
| Source: | Code function: | 0_2_022D7DF7 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_00416920 | |
| Source: | Code function: | 0_2_00417850 | |
| Source: | Code function: | 0_2_00417A30 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Native API | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Virtualization/Sandbox Evasion | LSASS Memory | 41 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 11 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 22 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 123 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe |
⊘No contacted domains info
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true | unknown | ||
| true | unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false |
| unknown | ||
| false | unknown | |||
| false | unknown | |||
| true | unknown | |||
| false | unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 62.122.184.144 | unknown | unknown | 49120 | GORSET-ASRU | true |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1529199 |
| Start date and time: | 2024-10-08 18:47:04 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 4m 59s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 20 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | mJXdkcP4Wx.exerenamed because original name is a hash value |
| Original Sample Name: | be89dddee1630cde41b95d2df6070bd3.exe |
| Detection: | MAL |
| Classification: | mal100.troj.evad.winEXE@8/29@0/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 13.89.179.12
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: mJXdkcP4Wx.exe
| Time | Type | Description |
|---|---|---|
| 12:48:24 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 62.122.184.144 | Get hash | malicious | Stealc | Browse |
| |
| Get hash | malicious | Stealc | Browse |
| ||
| Get hash | malicious | Stealc | Browse |
| ||
| Get hash | malicious | Stealc, Vidar | Browse |
|
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| GORSET-ASRU | Get hash | malicious | Stealc | Browse |
| |
| Get hash | malicious | Stealc | Browse |
| ||
| Get hash | malicious | Stealc | Browse |
| ||
| Get hash | malicious | Stealc, Vidar | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | GoBrut | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Pushdo | Browse |
| ||
| Get hash | malicious | Pushdo | Browse |
|
⊘No context
⊘No context
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_mJXdkcP4Wx.exe_2ead317adfca7a5c885730d9b5366fa3ef6_40a8189a_4f133548-9dba-471c-b0b7-8ea9e8a09d06\Report.wer 
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.9572176936284631 |
| Encrypted: | false |
| SSDEEP: | 192:2+/VBhuXhs0xu6c2juSZr+dozuiFLZ24IO8rc:JVBhuBx9c2jOqzuiFLY4IO8rc |
| MD5: | 5A884BEF32191EDEFA4FF33F9F2056B7 |
| SHA1: | F6AFC677FFD13AB47FB60D300A859FABA308E08C |
| SHA-256: | 4EAFD84C5D285FF283EE583573BF3BD35ED13B9A93DF01EA149590E7CF6453F9 |
| SHA-512: | BA8AEF8A0C0214FF1DA1B84743B8DD8CB03132C756167A5D5741988D533B9DCB7B44BC68CDF5E1153EFB256C34441A8BB13A34C671B623F422375A12ADCA5553 |
| Malicious: | true |
| Reputation: | low |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_mJXdkcP4Wx.exe_8bc0bd58a882d2b43234d4a4b56536fa1470e7_40a8189a_13c0dadb-6c2a-422b-89a2-c3122401e890\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.9181876934580382 |
| Encrypted: | false |
| SSDEEP: | 192:PVBhYXs056rgjuSZr+dwzuiFwZ24IO8+c:PVBhYX56rgjOizuiFwY4IO8+c |
| MD5: | 869296268638F7F6C9E19723037B2DF8 |
| SHA1: | DA17EF2C9F6F1E3B99E60495861CFD8CB59DAABE |
| SHA-256: | ED6A438A597906F6E64434E1C22C2D7FA10E166F5F9B1F5EB9F6DF28D4EFFEA3 |
| SHA-512: | 5E0E4AA506400FCAB83FEAB5FC3584E457EEA422340769562962BC95F92DC2716B581EA17DC51AD4AD101B4AC5B4FDB7354CFACFEDA09A3DBF63B00C213F4554 |
| Malicious: | true |
| Reputation: | low |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_mJXdkcP4Wx.exe_8bc0bd58a882d2b43234d4a4b56536fa1470e7_40a8189a_3f74de5f-6871-4df1-b2f8-1d585f241dad\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.889429992371612 |
| Encrypted: | false |
| SSDEEP: | 192:tVBhwXs056rgjuSZr+3zuiFwZ24IO8+c:tVBhwX56rgjO3zuiFwY4IO8+c |
| MD5: | EADAC2813041808609B3029BCFC5AB69 |
| SHA1: | BBFE61BA106C2A0DA42DED82934989FA0824FB50 |
| SHA-256: | E07E741F6375673CD004A91FA5EB25174D175C9FE26416463EBDB10AF71E5E63 |
| SHA-512: | 56A0FBE16D62ED55C040119AF1DED4C4C3679B2607E4B2655CF75D389496AF140095DA4158E445410390BE4763E87B06D47D39FFBFCB524FFCF08A68B6C36B23 |
| Malicious: | true |
| Reputation: | low |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_mJXdkcP4Wx.exe_8bc0bd58a882d2b43234d4a4b56536fa1470e7_40a8189a_404bf104-b55e-4e90-9546-8a0571655491\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.8898625407804479 |
| Encrypted: | false |
| SSDEEP: | 192:DpVBhJXs056rgjuSZr+3zuiFwZ24IO8+c:DpVBhJX56rgjO3zuiFwY4IO8+c |
| MD5: | 2528E7DF8AED5DC1161B6F4D7E85E47E |
| SHA1: | 2C11BB2A1A6D79413D0CAA72D76C9E75A41F1BE4 |
| SHA-256: | CCC02343C0A7CF7E904FC5B0D7AA3C565A44F53EAD7BDDE1582BECFCF740B1F7 |
| SHA-512: | 89689BCCA5F9243B3EEEFED399C29B0B323AA443676116BB0D72E5AFB8574AD0A09241EAB045A731556711A8AF83A1F0FD2F5AC737BE8104BBE3D3DE47B257B1 |
| Malicious: | true |
| Reputation: | low |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_mJXdkcP4Wx.exe_8bc0bd58a882d2b43234d4a4b56536fa1470e7_40a8189a_4e2f5a10-ead3-496c-986f-915636f27724\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.9116315361364012 |
| Encrypted: | false |
| SSDEEP: | 192:flVBh8Xs056rgjuSZr+duzuiFwZ24IO8+c:flVBh8X56rgjO8zuiFwY4IO8+c |
| MD5: | BA7841E9709EB2AB2190E84344AEDF48 |
| SHA1: | 7F5486BFA3E99792A9D6CB6ABAF5D1097CAFA6FA |
| SHA-256: | C20F210463707213A05B4BF7D690D7B59D07E89AB0CE8AE90383DF834753BB79 |
| SHA-512: | 8E39AC6072CE4D02412765C9F2A9987EA7A476811A31490D86889E8C7C94F73EB0453A26ED9C4D2F453D6D2946FF908AF9D7D8BC2FEAAE9EB16F55D47E2256D6 |
| Malicious: | true |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_mJXdkcP4Wx.exe_8bc0bd58a882d2b43234d4a4b56536fa1470e7_40a8189a_c24633ef-bfbf-41fd-820d-70b124cc9185\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.8894235648542228 |
| Encrypted: | false |
| SSDEEP: | 192:b/mVBhVXs056rgjuSZr+3zuiFwZ24IO8+c:aVBhVX56rgjO3zuiFwY4IO8+c |
| MD5: | 81EDA43FE9B06F5BC36FCE94D1D609EC |
| SHA1: | 516C1A6345FAA01172B10B062D0135E6B1379A28 |
| SHA-256: | 44748B5F660D6F5653DDDF5230ED5981B7E917ABC5F2B1EEFAEB704755D9B75B |
| SHA-512: | FA49F9295DA27332502C9478BDDC523BF3494D9CDF53FF3C58A2081910D23DC462180EA0758108A467BA79BF5A77FE0AC3B44D91C8420366E09348B6A90E9D38 |
| Malicious: | true |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_mJXdkcP4Wx.exe_8bc0bd58a882d2b43234d4a4b56536fa1470e7_40a8189a_f1c726e3-c137-42b0-8c9a-332146f876d0\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.8895525282493634 |
| Encrypted: | false |
| SSDEEP: | 192:R0VBhIXs056rgjuSZr+3zuiFwZ24IO8+c:R0VBhIX56rgjO3zuiFwY4IO8+c |
| MD5: | 6BD9BFD0C769C7875950F9B04D9FA24D |
| SHA1: | 1C2961EEDC257CB34E87BE4EF2FC23B3B9864FFE |
| SHA-256: | 94138283FD146371417984723234104A29B09F2ADACC3B9170D59DE212D79EA0 |
| SHA-512: | BCF3A2839F0261CC1402793FD9F60BD231D8FF20EEC4363DC4971D5F32B54120F436529421AC48875B77839FCA2782C858C945B4F6BAF0FCA5FB3BE7C6DEADDB |
| Malicious: | true |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 85424 |
| Entropy (8bit): | 1.8219968202188 |
| Encrypted: | false |
| SSDEEP: | 384:+jXR0V1o/AEWeH2uo3HjePiURcCF9MQiNZQYVP8shRNnbbKqnXAAkN6UK:uqVK/AEWq2uoaPOCF9ApP8ezbKqnL8 |
| MD5: | EEE28FF9019BE7E2ECEBBA05BA643A7B |
| SHA1: | 390D66FDCEA157022545002144E99D9409CAA655 |
| SHA-256: | 8657E88ABEAF19642CA5A68563849C7C6A7B49D7B9739026517CE34DE170B7CE |
| SHA-512: | AA7870B4B1D4B3024A9DD3C2848286FB33E6A67C71D8AC5ECB458B61B9A1951D5993A9EA143461D6A8EF572E5BE627F060D96F93C4A550F0D40FC764BB55526C |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8442 |
| Entropy (8bit): | 3.702889274914131 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJBA6Yn6YEI7SU9qqgmfI9mpBC89bNzsfTvm:R6lXJm6Yn6YE0SU9qqgmfGiNYfC |
| MD5: | 84C24B7588C5D356AAD802D85CB8C697 |
| SHA1: | 17181F8229E875A3C5392599317E5F4FC63ED6B0 |
| SHA-256: | 6D8FADEAEF36F3ED83BBC490DB63805FC006DB9FC1373884B1E42083A8E1C3A5 |
| SHA-512: | 78A7AB8FC547650EDF6425B7B9A3DD2027954982AAB6BF9B75DAED9B02434EE1DD1612E220BC88EA8AE3961CD83EA084DABF4D89B3903CE16F12461D02F4E078 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4720 |
| Entropy (8bit): | 4.485428248457072 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zs2Jg77aI93wnWpW8VY3Ym8M4JLFWHFv+q8v4WWqhtN91tdd:uIjfMI79wW7VPJLFiK4FqhtN91tdd |
| MD5: | 0F3BC3D2BBAC98F31C70DCE3DE9ED71E |
| SHA1: | 50962E9070A1C830363EE3B5EEACD387A9D38BCE |
| SHA-256: | D633B950640E112AEE3A2F5CDFB13148004F51544277C929D61D705662A18284 |
| SHA-512: | 4EC953982E13A2B85F520D43356D0057BDD984CF4D0914CD36DF79D6BC85284BA8EB839464CD8386322B663938A849113A263F6B40BEB22D35F1F2701D5E6EE8 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 85316 |
| Entropy (8bit): | 1.8458703614095686 |
| Encrypted: | false |
| SSDEEP: | 768:RVKtAEDV1ScaL5ICFP5P8ezbKqnLmGn4:RweFtJ8sGqnyG |
| MD5: | 73ED3DBBF9CAE009716B1D2F081CEF81 |
| SHA1: | E800CC049E0BB87429D4CD5D4EEBCB60677B514E |
| SHA-256: | C2C0B819ECA6DA8C4F77E36A6E2AB8B63A908B917B4739ED08648E13E372574F |
| SHA-512: | B28B617D62F2C7D02F9B7041A42D7449F5792597F603FAEE9965F00AE6F730CDDC3137236E31A85A00FF79088212162769C8DE193A807273F54BF2F1B77D7E6A |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8440 |
| Entropy (8bit): | 3.70142334473985 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJBo6+6YEInpSU9c4xgmfI9mpBT89b2zsfrSm:R6lXJu6+6YEYpSU9c4xgmfGV2Yff |
| MD5: | 6A76A0586582B265749D836AC573BB11 |
| SHA1: | 97D227A89A1F6C7179A2E2F4F2E8F3E8755421AD |
| SHA-256: | 595C1839B2EA51B975D4F2AF13464F490A4B6845EE67B45B648C7BC776AA0EE4 |
| SHA-512: | 2FD809BF4D0150355AB03961F6CEE54D6186F016522D32CA13985EEAD9C71F8B8C574610D44B48A6050255615185BAC953443A55B091602D5549010BBC75AD0B |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4720 |
| Entropy (8bit): | 4.4859364529269214 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zs2Jg77aI93wnWpW8VY2Ym8M4JLFWHFH4+q8v4WWqhtN91tdd:uIjfMI79wW7VSJLFdK4FqhtN91tdd |
| MD5: | 35FC5DCC834DFDBB2A48088F4E302C31 |
| SHA1: | F65718EDB41040B75E37291F837217106259D05E |
| SHA-256: | 859AB5E123462BDD27BBE6C5D14F07C49ECB8C8861F24D2F4A0EB8C621216EBB |
| SHA-512: | AE4A094F4DBA2E60C2F9F97A37B4B557C57938C173BC652DE45AFB2A29AE2EA0C3870122CA2E691E1FD9F7D467D5325E0F9AC4BB0032E663826BC3AB9E788FA4 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 94988 |
| Entropy (8bit): | 1.6933722628451016 |
| Encrypted: | false |
| SSDEEP: | 384:oJCLiU2BoAEPy8zjetQURcCF+9RYWVIRnbbKqnXAAuCcBpZUVO2RNsRv:/LP2BoAEq8OtUCFAR5IBbKqnLeBpMsx |
| MD5: | 8F8B8CD80F403936F86E0DCEB7A68983 |
| SHA1: | 7859205AC4BDEA7CCA235CAE7FC2731EEEBBEFB1 |
| SHA-256: | 2B2ED144D26FE96F6339D860C51F58A2EEE23C0062522E75C353CBCA1A0BD5EC |
| SHA-512: | 953AB42C5483EB25AB15943D5AF388348F46EB76422B9E3BC9BEF8200624844384645D1189924CE983D8CFC73D6D1EC915EBEE8A0245E7E1BFF1DA1D4B6DD6D0 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8440 |
| Entropy (8bit): | 3.7022430609704005 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJBV6z6YEIKSU9FxgmfI9mpB089b/zsfBVm:R6lXJz6z6YEVSU9FxgmfGg/YfK |
| MD5: | 5A0EEBFE3592C0625C9B481249598EF5 |
| SHA1: | BCC2A5EC2F7A0900C20F5A62DF62FD758FCF5407 |
| SHA-256: | B1D22945519518BEB06A747433655909FBCD018CF52C62C066A6CB2B295E1DFE |
| SHA-512: | CFF25B2AF22E08A09657BCCBACA78F3F9174AE5DCB314FCF3ED031B968606D7DAC431EF6C0A58AB357663ED8461801BCAF8D5C6EC19C3DE05D4B43EF729DBE9B |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4720 |
| Entropy (8bit): | 4.482736844538554 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zs2Jg77aI93wnWpW8VY4Ym8M4JLFWHFUOI+q8v4WWqhtN91tdd:uIjfMI79wW7VQJLF5OIK4FqhtN91tdd |
| MD5: | CA0965F5F65FB108160565044CAA8A98 |
| SHA1: | 763DB8266CC413836C4D78A7E4F929355C59F0F1 |
| SHA-256: | 62A86608A154CCE36DD5A8263C0C0347E004BAD60807FFB8C343EBB5FBCF39FC |
| SHA-512: | 3ABD78B95F49AE6C786FB322E6C6D40E2AE49444397C9681EECBC80FE0B2B0C980DE8AF6A30F8D86318992EAE47D35FD28E36A3DD43C669B58700EB3C140123C |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 94564 |
| Entropy (8bit): | 1.7048855361805355 |
| Encrypted: | false |
| SSDEEP: | 768:AP2BAEvSO5vCFkWd0H5IBbKqnLcEs0kI8:eDOJgGqn/sRI8 |
| MD5: | 778D46488C671441845F840ADC563205 |
| SHA1: | 03804C12C383CECE532221FAF434B704DCDE73D1 |
| SHA-256: | 071E5CAE7629A5B6E4BAB668869F0EFC28D21DCF21B7B7B60AD520A8C6B57556 |
| SHA-512: | 650D8CDE8DD8B22772C0B8D457DEDDB44B1F8D4430BAD6AC76110AEE92A722D395C0B33DF7F6A9990EAE83B784DEEA2E959819A9B0C1084DEDE524F2737793AD |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8440 |
| Entropy (8bit): | 3.7031313464631936 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJB46Yns6YEILSU9FxgmfI9mpBa89bgzsfdgm:R6lXJ+6J6YEESU9FxgmfGSgYfv |
| MD5: | A0175B0CDE292FF0EEA53BD8051F28A4 |
| SHA1: | 766500C14FE5E75106E183E31E3A76DEF8F0F540 |
| SHA-256: | C1B4C64F110B29C651D22663C5F7859F9BE7A28AE21548FF92DC4A6C95F9D8AD |
| SHA-512: | C99E62FC617362423A84B130D68D4C38F11701369A29453F8DE56875AAB9EB02BA8C916A0116D8EB787D5B3B93E804C64A1F6DA6DA9E0D04B098A1A2AB20865B |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4720 |
| Entropy (8bit): | 4.484873293571453 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zs2Jg77aI93wnWpW8VYxYm8M4JLFWHF2Mu+q8v4WWqhtN91tdd:uIjfMI79wW7VtJLF9K4FqhtN91tdd |
| MD5: | 8B2B9940B9EB90256AD23193413AC22A |
| SHA1: | 3BD12D01CB20EE313E86F0B15ECAC93087FC4433 |
| SHA-256: | B77BBD1F69F890A1A950AD683D49A50595425279140FF5914D9287BD8E75DCE9 |
| SHA-512: | 4C6B76F1EE9CC6213E5A58BF24782E7B527D449005D03DD33D79F0D7F476C7CCFB54380E86C22DDF77C40C41713F970AE82C0AD1B3F3F3E65E94F12A881BC9F6 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 101954 |
| Entropy (8bit): | 1.700545839103819 |
| Encrypted: | false |
| SSDEEP: | 384:CqxScuJRBAEyx/zCMD02e6MoUIcCF+iFYWVfcbKH1XAAc34wEHtHHhvo:4JRBAEGeMDK6MHCFNF5fcbKH1Lc6HHF |
| MD5: | E821C79564134EEB86FE564CFC1A17CA |
| SHA1: | F7793CAD16D6102A8D41969CAA3B51D08E3F1B98 |
| SHA-256: | 01CE8C9052B5715D1602CF38FBF7974E60B3FA992C5C95804733FE6463CC9435 |
| SHA-512: | 6E59183747946C5F485D5B305ED5B40802292B385AB19DA1DAF49B5601F8679768DD609C911204B005CB9E54EBF613A0A99768C76633396C4919943C6B1A926B |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8440 |
| Entropy (8bit): | 3.7031994166539075 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJBF6+aQ6YEIOSU9FEgmfI9mpBP89bpzsfljm:R6lXJD6k6YEBSU9FEgmfGhpYfc |
| MD5: | EAED74AE0978E242CDC48AFA04E553D4 |
| SHA1: | 539DB4E69576C5B2D7D122CA8DB5B76067813D6F |
| SHA-256: | 4168FA24C9CF3D0285E652136EF78B4E84525B9916F8D85A1CE0397B6F277FD1 |
| SHA-512: | CC839466213597A5A5F3FC0B14D47EAC40532DD41FA91EB76459B62CD18725D76B8462ECAF3E77BA0458D6C7231877249E72533A840BDC7C8B832589712BD50F |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4720 |
| Entropy (8bit): | 4.4856303547496745 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zs2Jg77aI93wnWpW8VYiYm8M4JLFWHFzU+q8v4WWqhtN91tdd:uIjfMI79wW7VmJLFUUK4FqhtN91tdd |
| MD5: | 1AF6EA4549697865D295BA6DBFEB3401 |
| SHA1: | 50E869ABBA6E8C1CC1E44617EAE096FD84A2C38E |
| SHA-256: | 8F18E17CA1980EF43D434DA22FCB54539703CF35D0120158ACB6A019D99E7A07 |
| SHA-512: | C75C5F5F09159EA3C4D539ECB4840947609F2DF7FAED910467B4018C92937C4ADBE890B416D7B86D79AAB85FB4ADAA690459ECAB8E38B2D37B97D1CECB2A3824 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 110048 |
| Entropy (8bit): | 1.7428622697180756 |
| Encrypted: | false |
| SSDEEP: | 384:PUSS2/vlAEysHuBLxzLnplNe1OUtcCF+iTYWVfcbKH1XAAcH4gcvbv0PvX:OSNAE9uBtXplg1GCFNT5fcbKH1Lc8sn |
| MD5: | B013410E67D18A33E553C120B808CA38 |
| SHA1: | B5B486BC181F2723D3718BC130785068A1F79A19 |
| SHA-256: | DC400E3A1ED7A4C1AEABF3EF64B0B050B5AD036698061244A17849C83F571212 |
| SHA-512: | 84DFA3A07AC67C2E2E92C3B532AA93BB85C5AE1089673771F824F02E5706DCCE7FAF5C2BEAE6E2308BA73D3406D46C57FEC078FEAE4DF6F4BC556CF3268DA1B2 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8442 |
| Entropy (8bit): | 3.7028306107079656 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJBd6+6YEIDSU9DagmfI9mpBw89bSzsfLGm:R6lXJL6+6YEcSU9DagmfGMSYfT |
| MD5: | 97CF830E8046EC2B2DE093B9E267B604 |
| SHA1: | D1400765E3AE9E48C52CAA0C8D5DD1EB548DB164 |
| SHA-256: | 7F75588B32B3039DE16332B0513E455C74722309B3CC8D747B28798DB9C6B7F8 |
| SHA-512: | 77FCFD0B44B7087378F0DEA34E22397F16D1052AD3267D4970554572482CC647CD1BB164BC6332FFB0576FD123F4D98561B844D77A228177C404A14B1AC091C4 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4720 |
| Entropy (8bit): | 4.484615732408488 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zs2Jg77aI93wnWpW8VYmYm8M4JLFWHFtP+q8v4WWqhtN91tdd:uIjfMI79wW7VGJLFoK4FqhtN91tdd |
| MD5: | 0E00D7A09A0287589B0A2AF46E10B080 |
| SHA1: | E67A4602E79AAE7E498FC7679F1F3F5350D8BCE7 |
| SHA-256: | 2A774946712232AFB2744003FEBFBCC63CC726A80E5AFCC7B332E65E1A10C092 |
| SHA-512: | 29C3F462EDE4C0CFFE9EA2DAB79912D3597EC4B7D722EA9EAC3891ECC11929DA37D55D4A5C7F41B263B1299D62EA76CDC0C59C332329A8FCB74ED6C832799E45 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 60356 |
| Entropy (8bit): | 1.8058557749444835 |
| Encrypted: | false |
| SSDEEP: | 192:m2mrnFMNXrWOAOJw8k2MQUqTDcAEPV9hRM760Yxcb5vGeDTPO+3jk9tam/VzzQac:mN7FMRhAEFkWUqTDcAAvMLLb5K+gt3Ar |
| MD5: | 1623D3B664236C9B74A01487AE068097 |
| SHA1: | 90DE21954C0F765B6BFDFB59DA297B4DB9AFACFA |
| SHA-256: | 24C74C67D2D42A2477ED2CDF5C78BEABE71BCD164CA7672837D94F1309C8CA92 |
| SHA-512: | 7668FA3D0647FA90FF4961B2C7C4C9B829F2AFDC286C40EFC973F993CF6E4263F171F757E81407F1B102A1E6071C10A7248D28B16724DBE88581D145578BA5D3 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8336 |
| Entropy (8bit): | 3.700590469472151 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJB06s6YEILSU9v+GgmfHhcYOGpDv89bFzsfasXm:R6lXJi6s6YE0SU9vPgmf2BFYfC |
| MD5: | 992DB74280BCEA71F8A0242BB0DBDCEF |
| SHA1: | 7F24D07DBEC04143FE162401CB588916394441D9 |
| SHA-256: | DAB0F168A059CDE7CE202ECCCEDAF3758B5E1578B2A7E17C74F11949DF949815 |
| SHA-512: | E0B82E1D7A4514BB7EB3226441DBF9E0CE98B497773868F897F0D31397805FCC1F0315EB3BC6FA66457D9D65A1E0E098A62605B4F14EDFF0336CB5230637E1EE |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4579 |
| Entropy (8bit): | 4.469150334006464 |
| Encrypted: | false |
| SSDEEP: | 96:uIjfMI79wW7VUJLFpGu3b5gaqhtN91tdd:uI4Y9wW7CVqvHT |
| MD5: | 611ED0D9D7E984C245F838709D851867 |
| SHA1: | 3D937AD72D954E94A9D0CB88696C89BB862665DE |
| SHA-256: | 3757C7A84C7A29815A65FEBBEA00D81EF573E4C8F45B4144A28A4313F7EFB85A |
| SHA-512: | 2AA2E11A20CEAF8846DA27D84DDA1EEA236E1374E60481EADE1CE2B129B7561495C87E04A9654FE1AFEBAE355528533F94BDABF697EF0328572260CE2EAB33EE |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1835008 |
| Entropy (8bit): | 4.421573994299397 |
| Encrypted: | false |
| SSDEEP: | 6144:lSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNv0uhiTw:svloTMW+EZMM6DFyd03w |
| MD5: | 864EE3A0AD4BD67DAB5A5FFAA6DD9FAF |
| SHA1: | F1E86E60E009E8A9DD83CFC00E52197890555541 |
| SHA-256: | 46E97C1D259651FE6F8D0DE6E7A4C47352FA46EB4F03E929B13B2F9E90BA29E2 |
| SHA-512: | 01219878A57EF885D69580BF7F0AA1B8B5C56B0E0F58A53D6A3B585B4EB60A607DDC8F68E82746252320FFC80ED353683A35E969E4CA00256C2B02ABA7FEAB06 |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.919289593273248 |
| TrID: |
|
| File name: | mJXdkcP4Wx.exe |
| File size: | 342'528 bytes |
| MD5: | be89dddee1630cde41b95d2df6070bd3 |
| SHA1: | bceb2f765aad912ea1e1e3d324f215baece7fcb5 |
| SHA256: | e3cd6c9514e46e4bd1e42240e6ec7a82322fe4792a270312ff1ae096b3c4e16f |
| SHA512: | d4bf75d3c7b175634719a6b1ad2bfa04615161e147fa6bccfb599f9c3f2068ff649895507d66ad763f3a62aab61a420276d089b5aa59cb6d8f1ebb52f2113317 |
| SSDEEP: | 6144:ZYLlLOl9gwCowOlf0VuW+GZCBK4LLvcogole:KBLOlCwBwOlKCvco2 |
| TLSH: | 0174381361F57C12F2B2073A4F2D9AEC3B2EF9665E24D3090118AECE5971AB1C51F71A |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@.....................................h......................................Rich............PE..L......e................... |
 | |
| Icon Hash: | 73a733b183838be4 |
| Entrypoint: | 0x401667 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x65A09FAD [Fri Jan 12 02:10:53 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 0 |
| File Version Major: | 5 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 73f75479e2c39cbb9472d61ec92fd436 |
| Instruction |
|---|
| call 00007F33111AA0E4h |
| jmp 00007F33111A74EEh |
| mov edi, edi |
| push ebp |
| mov ebp, esp |
| sub esp, 00000328h |
| mov dword ptr [004353C8h], eax |
| mov dword ptr [004353C4h], ecx |
| mov dword ptr [004353C0h], edx |
| mov dword ptr [004353BCh], ebx |
| mov dword ptr [004353B8h], esi |
| mov dword ptr [004353B4h], edi |
| mov word ptr [004353E0h], ss |
| mov word ptr [004353D4h], cs |
| mov word ptr [004353B0h], ds |
| mov word ptr [004353ACh], es |
| mov word ptr [004353A8h], fs |
| mov word ptr [004353A4h], gs |
| pushfd |
| pop dword ptr [004353D8h] |
| mov eax, dword ptr [ebp+00h] |
| mov dword ptr [004353CCh], eax |
| mov eax, dword ptr [ebp+04h] |
| mov dword ptr [004353D0h], eax |
| lea eax, dword ptr [ebp+08h] |
| mov dword ptr [004353DCh], eax |
| mov eax, dword ptr [ebp-00000320h] |
| mov dword ptr [00435318h], 00010001h |
| mov eax, dword ptr [004353D0h] |
| mov dword ptr [004352CCh], eax |
| mov dword ptr [004352C0h], C0000409h |
| mov dword ptr [004352C4h], 00000001h |
| mov eax, dword ptr [00434008h] |
| mov dword ptr [ebp-00000328h], eax |
| mov eax, dword ptr [0043400Ch] |
| mov dword ptr [ebp-00000324h], eax |
| call dword ptr [000000CCh] |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x336e4 | 0x3c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x112000 | 0x1e840 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x33410 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x32000 | 0x184 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x3099f | 0x30a00 | d641737f49dccffcfd23372260332ebf | False | 0.9262481924807198 | data | 7.877215506573334 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x32000 | 0x1fc0 | 0x2000 | fc405b89763810a8b173ae15f3f548f1 | False | 0.369384765625 | data | 5.601515124366471 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x34000 | 0xda67c | 0x1400 | 3a1191708adf0fe4d491938b7f38f3ab | False | 0.1681640625 | data | 1.8222227042599355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .notiza | 0x10f000 | 0x400 | 0x400 | 0f343b0931126a20f133d67c2b018a3b | False | 0.0166015625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .tls | 0x110000 | 0x51d | 0x600 | 53e979547d8c2ea86560ac45de08ae25 | False | 0.013020833333333334 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .vumob | 0x111000 | 0x400 | 0x400 | 0f343b0931126a20f133d67c2b018a3b | False | 0.0166015625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x112000 | 0x14e840 | 0x1ea00 | 626a7e210c9d61e92ba0aef95432462d | False | 0.35115593112244897 | data | 4.665453737852969 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_CURSOR | 0x12ba58 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | 0.4276315789473684 | ||
| RT_ICON | 0x112a30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.5711620469083155 |
| RT_ICON | 0x1138d8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.641245487364621 |
| RT_ICON | 0x114180 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.6941244239631337 |
| RT_ICON | 0x114848 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.7514450867052023 |
| RT_ICON | 0x114db0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Turkish | Turkey | 0.5196058091286307 |
| RT_ICON | 0x117358 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Turkish | Turkey | 0.62406191369606 |
| RT_ICON | 0x118400 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Turkish | Turkey | 0.6311475409836066 |
| RT_ICON | 0x118d88 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Turkish | Turkey | 0.7659574468085106 |
| RT_ICON | 0x119268 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkish | Turkey | 0.337953091684435 |
| RT_ICON | 0x11a110 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkish | Turkey | 0.5284296028880866 |
| RT_ICON | 0x11a9b8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkish | Turkey | 0.6019585253456221 |
| RT_ICON | 0x11b080 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkish | Turkey | 0.6488439306358381 |
| RT_ICON | 0x11b5e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Turkish | Turkey | 0.4276970954356846 |
| RT_ICON | 0x11db90 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkish | Turkey | 0.509016393442623 |
| RT_ICON | 0x11e518 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkish | Turkey | 0.5097517730496454 |
| RT_ICON | 0x11e9e8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.3315565031982942 |
| RT_ICON | 0x11f890 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.39981949458483756 |
| RT_ICON | 0x120138 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.402073732718894 |
| RT_ICON | 0x120800 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.398121387283237 |
| RT_ICON | 0x120d68 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Turkish | Turkey | 0.13713692946058093 |
| RT_ICON | 0x123310 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Turkish | Turkey | 0.15924015009380862 |
| RT_ICON | 0x1243b8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Turkish | Turkey | 0.1942622950819672 |
| RT_ICON | 0x124d40 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Turkish | Turkey | 0.225177304964539 |
| RT_ICON | 0x125220 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.3315565031982942 |
| RT_ICON | 0x1260c8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.39981949458483756 |
| RT_ICON | 0x126970 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.402073732718894 |
| RT_ICON | 0x127038 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.398121387283237 |
| RT_ICON | 0x1275a0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Turkish | Turkey | 0.13713692946058093 |
| RT_ICON | 0x129b48 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Turkish | Turkey | 0.15924015009380862 |
| RT_ICON | 0x12abf0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Turkish | Turkey | 0.1942622950819672 |
| RT_ICON | 0x12b578 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Turkish | Turkey | 0.225177304964539 |
| RT_STRING | 0x12bd60 | 0x476 | data | 0.44921190893169877 | ||
| RT_STRING | 0x12c1d8 | 0x504 | data | 0.45794392523364486 | ||
| RT_STRING | 0x12c6e0 | 0x6b4 | data | 0.4324009324009324 | ||
| RT_STRING | 0x12cd98 | 0x760 | data | 0.4253177966101695 | ||
| RT_STRING | 0x12d4f8 | 0x706 | data | 0.42880978865406005 | ||
| RT_STRING | 0x12dc00 | 0x8b8 | data | 0.4211469534050179 | ||
| RT_STRING | 0x12e4b8 | 0x6d2 | data | 0.4306987399770905 | ||
| RT_STRING | 0x12eb90 | 0x4a4 | data | 0.46380471380471383 | ||
| RT_STRING | 0x12f038 | 0x62e | data | 0.4361567635903919 | ||
| RT_STRING | 0x12f668 | 0x520 | data | 0.45198170731707316 | ||
| RT_STRING | 0x12fb88 | 0x722 | data | 0.4244249726177437 | ||
| RT_STRING | 0x1302b0 | 0x560 | data | 0.438953488372093 | ||
| RT_STRING | 0x130810 | 0x2e | data | 0.6304347826086957 | ||
| RT_GROUP_CURSOR | 0x12bb88 | 0x14 | data | 1.15 | ||
| RT_GROUP_ICON | 0x11e980 | 0x68 | data | Turkish | Turkey | 0.7019230769230769 |
| RT_GROUP_ICON | 0x1251a8 | 0x76 | data | Turkish | Turkey | 0.6694915254237288 |
| RT_GROUP_ICON | 0x12b9e0 | 0x76 | data | Turkish | Turkey | 0.6694915254237288 |
| RT_GROUP_ICON | 0x1191f0 | 0x76 | data | Turkish | Turkey | 0.6610169491525424 |
| RT_VERSION | 0x12bba0 | 0x1bc | data | 0.581081081081081 |
| DLL | Import |
|---|---|
| KERNEL32.dll | SearchPathW, WriteConsoleOutputCharacterA, GetCommState, ReadConsoleA, InterlockedDecrement, QueryDosDeviceA, InterlockedCompareExchange, GetComputerNameW, GetTimeFormatA, ConnectNamedPipe, FreeEnvironmentStringsA, GetModuleHandleW, GetConsoleAliasesLengthA, FormatMessageA, SetCommState, LoadLibraryW, GetConsoleMode, CopyFileW, ReadConsoleOutputW, GetConsoleAliasExesLengthW, GetSystemTimeAdjustment, DeleteVolumeMountPointW, HeapDestroy, GetFileAttributesW, GetBinaryTypeW, ReleaseSemaphore, GetLastError, GetLongPathNameW, GetProcAddress, SetStdHandle, BuildCommDCBW, GetNumaHighestNodeNumber, ResetEvent, LoadLibraryA, LocalAlloc, SetCalendarInfoW, FindAtomA, GetModuleFileNameA, GetDefaultCommConfigA, FatalAppExitA, GetShortPathNameW, GlobalReAlloc, GetVolumeInformationW, HeapAlloc, Sleep, ExitProcess, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, VirtualAlloc, HeapReAlloc, HeapCreate, WriteFile, GetStdHandle, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InitializeCriticalSectionAndSpinCount, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, GetLocaleInfoA, WideCharToMultiByte, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW |
| USER32.dll | SetFocus |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| Turkish | Turkey |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-08T18:48:09.342481+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49704 | 62.122.184.144 | 80 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 8, 2024 18:48:08.281151056 CEST | 49704 | 80 | 192.168.2.5 | 62.122.184.144 |
| Oct 8, 2024 18:48:08.286207914 CEST | 80 | 49704 | 62.122.184.144 | 192.168.2.5 |
| Oct 8, 2024 18:48:08.286293030 CEST | 49704 | 80 | 192.168.2.5 | 62.122.184.144 |
| Oct 8, 2024 18:48:08.286413908 CEST | 49704 | 80 | 192.168.2.5 | 62.122.184.144 |
| Oct 8, 2024 18:48:08.291239023 CEST | 80 | 49704 | 62.122.184.144 | 192.168.2.5 |
| Oct 8, 2024 18:48:08.992774963 CEST | 80 | 49704 | 62.122.184.144 | 192.168.2.5 |
| Oct 8, 2024 18:48:08.992849112 CEST | 49704 | 80 | 192.168.2.5 | 62.122.184.144 |
| Oct 8, 2024 18:48:08.996458054 CEST | 49704 | 80 | 192.168.2.5 | 62.122.184.144 |
| Oct 8, 2024 18:48:09.002341032 CEST | 80 | 49704 | 62.122.184.144 | 192.168.2.5 |
| Oct 8, 2024 18:48:09.342236996 CEST | 80 | 49704 | 62.122.184.144 | 192.168.2.5 |
| Oct 8, 2024 18:48:09.342480898 CEST | 49704 | 80 | 192.168.2.5 | 62.122.184.144 |
| Oct 8, 2024 18:48:14.347692966 CEST | 80 | 49704 | 62.122.184.144 | 192.168.2.5 |
| Oct 8, 2024 18:48:14.347786903 CEST | 49704 | 80 | 192.168.2.5 | 62.122.184.144 |
| Oct 8, 2024 18:48:27.453022957 CEST | 49704 | 80 | 192.168.2.5 | 62.122.184.144 |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49704 | 62.122.184.144 | 80 | 3496 | C:\Users\user\Desktop\mJXdkcP4Wx.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Oct 8, 2024 18:48:08.286413908 CEST | 89 | OUT | |
| Oct 8, 2024 18:48:08.992774963 CEST | 203 | IN | |
| Oct 8, 2024 18:48:08.996458054 CEST | 420 | OUT | |
| Oct 8, 2024 18:48:09.342236996 CEST | 210 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 12:47:55 |
| Start date: | 08/10/2024 |
| Path: | C:\Users\user\Desktop\mJXdkcP4Wx.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 342'528 bytes |
| MD5 hash: | BE89DDDEE1630CDE41B95D2DF6070BD3 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 12:48:01 |
| Start date: | 08/10/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xa50000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 6 |
| Start time: | 12:48:02 |
| Start date: | 08/10/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xa50000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 8 |
| Start time: | 12:48:02 |
| Start date: | 08/10/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xa50000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 10 |
| Start time: | 12:48:04 |
| Start date: | 08/10/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xa50000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 12 |
| Start time: | 12:48:05 |
| Start date: | 08/10/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xa50000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 14 |
| Start time: | 12:48:06 |
| Start date: | 08/10/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xa50000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 16 |
| Start time: | 12:48:09 |
| Start date: | 08/10/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xa50000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 6.5% |
| Dynamic/Decrypted Code Coverage: | 4.9% |
| Signature Coverage: | 12.3% |
| Total number of Nodes: | 1417 |
| Total number of Limit Nodes: | 28 |
Graph
Function 004045C0 Relevance: 112.1, APIs: 34, Strings: 30, Instructions: 114stringmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00419860 Relevance: 89.5, APIs: 33, Strings: 18, Instructions: 212libraryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00404880 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 479networkstringfileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00417850 Relevance: 4.5, APIs: 3, Instructions: 36memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401160 Relevance: 3.0, APIs: 2, Instructions: 15COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00419C10 Relevance: 256.2, APIs: 112, Strings: 34, Instructions: 684libraryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00415510 Relevance: 28.4, APIs: 7, Strings: 9, Instructions: 383sleepCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00406280 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 191networkfileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004117A0 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 160stringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00417500 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 106memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004169F0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 89sleepCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022C003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004047B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60stringnetworkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00416AF3 Relevance: 6.0, APIs: 4, Instructions: 30sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004178E0 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401110 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00769FCE Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022C0E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004010A0 Relevance: 2.5, APIs: 2, Instructions: 41memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00769C8D Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004138B0 Relevance: 49.2, APIs: 21, Strings: 7, Instructions: 250filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040BE70 Relevance: 39.2, APIs: 17, Strings: 5, Instructions: 675fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022D3B17 Relevance: 38.8, APIs: 21, Strings: 1, Instructions: 250filestringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00414910 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 172fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022CC0D7 Relevance: 32.2, APIs: 17, Strings: 1, Instructions: 675fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00414570 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 137stringmemoryfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022D4B77 Relevance: 27.2, APIs: 18, Instructions: 172fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00413EA0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 133fileCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022D47D7 Relevance: 22.6, APIs: 15, Instructions: 137stringmemoryfileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040DE10 Relevance: 19.6, APIs: 7, Strings: 4, Instructions: 370fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040ED20 Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 369fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022D4107 Relevance: 18.1, APIs: 12, Instructions: 133fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022CEF87 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 369fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022CE077 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 370fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040F6B0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 275fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040E430 Relevance: 14.5, APIs: 4, Strings: 4, Instructions: 514fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004016D0 Relevance: 14.5, APIs: 7, Strings: 1, Instructions: 492fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022CDCE7 Relevance: 13.8, APIs: 9, Instructions: 255fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040DA80 Relevance: 13.8, APIs: 9, Instructions: 255fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00416920 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 67timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022CF917 Relevance: 12.3, APIs: 8, Instructions: 275fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022CE697 Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 514fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022C1937 Relevance: 11.0, APIs: 7, Instructions: 492fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00417B90 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022CCA87 Relevance: 10.6, APIs: 7, Instructions: 93stringencryptionCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040C820 Relevance: 10.6, APIs: 7, Instructions: 93stringencryptionCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00409AC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55encryptionmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022D7DF7 Relevance: 7.6, APIs: 5, Instructions: 114memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022D9867 Relevance: 7.5, APIs: 5, Instructions: 42processCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00419600 Relevance: 7.5, APIs: 5, Instructions: 42processCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00413720 Relevance: 4.6, APIs: 3, Instructions: 100comCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022C092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022CF8F1 Relevance: 1.6, APIs: 1, Instructions: 63fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022DD151 Relevance: 1.5, APIs: 1, Instructions: 4COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041CEEA Relevance: 1.5, APIs: 1, Instructions: 4COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 007698AB Relevance: .1, Instructions: 61COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022C0D90 Relevance: .0, Instructions: 43COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022D99B7 Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00419750 Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022D9AC7 Relevance: 87.7, APIs: 33, Strings: 17, Instructions: 212libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00410250 Relevance: 77.4, APIs: 32, Strings: 12, Instructions: 363stringmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00405960 Relevance: 44.2, APIs: 19, Strings: 6, Instructions: 493networkstringmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022CD157 Relevance: 42.4, APIs: 21, Strings: 3, Instructions: 374stringmemoryfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040CEF0 Relevance: 42.4, APIs: 21, Strings: 3, Instructions: 374stringmemoryfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022C5BC7 Relevance: 35.5, APIs: 19, Strings: 1, Instructions: 493networkstringmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00414D70 Relevance: 35.1, APIs: 10, Strings: 10, Instructions: 119stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022CCBF7 Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 383filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040C990 Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 383filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00418320 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 196registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00410A60 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 205stringprocesssynchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022C4AE7 Relevance: 21.5, APIs: 11, Strings: 1, Instructions: 479networkstringfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401310 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 139stringfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004152C0 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 138stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004060A0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 133networkfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022D0CC7 Relevance: 18.2, APIs: 12, Instructions: 205stringprocesssynchronizationCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022D0CB6 Relevance: 18.2, APIs: 12, Instructions: 185stringprocesssynchronizationCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022D5777 Relevance: 17.9, APIs: 7, Strings: 3, Instructions: 383sleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022D9277 Relevance: 16.7, APIs: 11, Instructions: 184COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022D7767 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 106memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004075D0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 91stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004072D0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 149registrymemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00414780 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 101stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00418100 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 67memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040BA80 Relevance: 13.8, APIs: 4, Strings: 5, Instructions: 284stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022CD9E7 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 221filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040D780 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 221filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022D6C57 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89sleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022D8367 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 67memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00409E10 Relevance: 12.2, APIs: 4, Strings: 4, Instructions: 167memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022C7837 Relevance: 12.1, APIs: 8, Instructions: 91stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022C5217 Relevance: 12.1, APIs: 8, Instructions: 82networkmemoryfileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00404FB0 Relevance: 12.1, APIs: 8, Instructions: 82networkmemoryfileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022CD667 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 252filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040D400 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 252filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022D6B87 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 67timeCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004183DC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64registrystringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022C4A17 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60stringnetworkCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022D78F7 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43registrymemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00417690 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43registrymemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00417720 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 42registrymemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004192E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022D5527 Relevance: 9.1, APIs: 6, Instructions: 138stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022D7337 Relevance: 9.1, APIs: 6, Instructions: 136COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00413560 Relevance: 9.1, APIs: 6, Instructions: 122stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022CA4C7 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 370filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040A260 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 370filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022D7167 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 156stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00416F00 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 156stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004069B0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 155libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022D49E7 Relevance: 8.9, APIs: 7, Instructions: 101stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00414F40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022CB757 Relevance: 7.9, APIs: 2, Strings: 3, Instructions: 397stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040B4F0 Relevance: 7.9, APIs: 2, Strings: 3, Instructions: 397stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022CBCE7 Relevance: 7.8, APIs: 4, Strings: 1, Instructions: 284stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022CA077 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 167memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00410D90 Relevance: 7.6, APIs: 5, Instructions: 120stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022DCDA0 Relevance: 7.6, APIs: 5, Instructions: 94COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022D51A7 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 70stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004187C0 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 64memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00419260 Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 41stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00414BB0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 118stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022CA307 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040A0A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00406BE0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022D8A27 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00415050 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041A920 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022D7B47 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022D7AB7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00418D50 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022CB497 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 205stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040B230 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 205stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040F4A0 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 154stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022D9737 Relevance: 6.1, APIs: 4, Instructions: 89COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004194D0 Relevance: 6.1, APIs: 4, Instructions: 89COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022D88E7 Relevance: 6.1, APIs: 4, Instructions: 77processCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00418680 Relevance: 6.1, APIs: 4, Instructions: 77processCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022D1A07 Relevance: 6.1, APIs: 4, Instructions: 53stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022D3880 Relevance: 6.0, APIs: 4, Instructions: 45stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022D9547 Relevance: 6.0, APIs: 4, Instructions: 39fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022D6D5A Relevance: 6.0, APIs: 4, Instructions: 30sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00413BDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16filestringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 022D94C7 Relevance: 5.0, APIs: 4, Instructions: 41stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|