Edit tour
Windows
Analysis Report
uxnkmJzTjK.exe
Overview
General Information
| Sample name: | uxnkmJzTjK.exerenamed because original name is a hash value |
| Original sample name: | ac6cfd8f94d80a7655d146d3f4bf8f26.exe |
| Analysis ID: | 1543996 |
| MD5: | ac6cfd8f94d80a7655d146d3f4bf8f26 |
| SHA1: | dc504fb438874808a1c31b3df328d2c430e7d051 |
| SHA256: | 9c3e8022d4d7d382394e1e62fac2d0df1bf545797397288ebe6655c62df78844 |
| Tags: | exeStealcuser-abuse_ch |
| Infos: |  |
 | |
Detection
Stealc
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Machine Learning detection for sample
Searches for specific processes (likely to inject)
AV process strings found (often used to terminate AV products)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
One or more processes crash
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
uxnkmJzTjK.exe (PID: 6444 cmdline: "C:\Users\ user\Deskt op\uxnkmJz TjK.exe" MD5: AC6CFD8F94D80A7655D146D3F4BF8F26) 
WerFault.exe (PID: 5988 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 6 444 -s 133 6 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Stealc | Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. | No Attribution |
{"C2 url": "http://194.15.46.65/7e57db3b864b30f1.php", "Botnet": "LogsDiller"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Stealc | Yara detected Stealc | Joe Security | ||
| JoeSecurity_Stealc | Yara detected Stealc | Joe Security | ||
| Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
| |
| JoeSecurity_Stealc | Yara detected Stealc | Joe Security | ||
| JoeSecurity_Stealc | Yara detected Stealc | Joe Security | ||
| Click to see the 5 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Stealc | Yara detected Stealc | Joe Security | ||
| JoeSecurity_Stealc | Yara detected Stealc | Joe Security | ||
| JoeSecurity_Stealc | Yara detected Stealc | Joe Security | ||
| JoeSecurity_Stealc | Yara detected Stealc | Joe Security | ||
| JoeSecurity_Stealc | Yara detected Stealc | Joe Security | ||
| Click to see the 1 entries | ||||
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Code function: | 7_2_00419030 | |
| Source: | Code function: | 7_2_0040C920 | |
| Source: | Code function: | 7_2_0040A210 | |
| Source: | Code function: | 7_2_004072A0 | |
| Source: | Code function: | 7_2_0040A2B0 | |
| Source: | Code function: | 7_2_024A9297 | |
| Source: | Code function: | 7_2_0249A477 | |
| Source: | Code function: | 7_2_02497507 | |
| Source: | Code function: | 7_2_0249A517 | |
| Source: | Code function: | 7_2_0249CB87 | |
Compliance | |
|---|
| Source: | Unpacked PE file: | ||
| Source: | Static PE information: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 7_2_004140F0 | |
| Source: | Code function: | 7_2_0040E530 | |
| Source: | Code function: | 7_2_0040BE40 | |
| Source: | Code function: | 7_2_0040EE20 | |
| Source: | Code function: | 7_2_00414B60 | |
| Source: | Code function: | 7_2_00413B00 | |
| Source: | Code function: | 7_2_0040DF10 | |
| Source: | Code function: | 7_2_00401710 | |
| Source: | Code function: | 7_2_004147C0 | |
| Source: | Code function: | 7_2_0040DB80 | |
| Source: | Code function: | 7_2_0040F7B0 | |
| Source: | Code function: | 7_2_024A4357 | |
| Source: | Code function: | 7_2_0249F087 | |
| Source: | Code function: | 7_2_0249C0A7 | |
| Source: | Code function: | 7_2_0249E177 | |
| Source: | Code function: | 7_2_0249E797 | |
| Source: | Code function: | 7_2_0249FA17 | |
| Source: | Code function: | 7_2_024A4A27 | |
| Source: | Code function: | 7_2_02491977 | |
| Source: | Code function: | 7_2_024A3D67 | |
| Source: | Code function: | 7_2_024A4DC7 | |
| Source: | Code function: | 7_2_0249DDE7 | |
Networking | |
|---|
| Source: | URLs: | ||
| Source: | HTTP traffic detected: | ||
| Source: | ASN Name: | ||
| Source: | DNS traffic detected: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 7_2_00405000 | |
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 7_2_00409E30 | |
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Code function: | 7_2_024D82DF | |
| Source: | Code function: | 7_2_0250134F | |
| Source: | Code function: | 7_2_024F8040 | |
| Source: | Code function: | 7_2_0250A08F | |
| Source: | Code function: | 7_2_024EB1CF | |
| Source: | Code function: | 7_2_024C11DF | |
| Source: | Code function: | 7_2_024FA19F | |
| Source: | Code function: | 7_2_024D36EF | |
| Source: | Code function: | 7_2_0251A76F | |
| Source: | Code function: | 7_2_024CF4FF | |
| Source: | Code function: | 7_2_024EA5FF | |
| Source: | Code function: | 7_2_024C159F | |
| Source: | Code function: | 7_2_024FCA0F | |
| Source: | Code function: | 7_2_024D3A0F | |
| Source: | Code function: | 7_2_02509AAF | |
| Source: | Code function: | 7_2_02518B64 | |
| Source: | Code function: | 7_2_024D5B2F | |
| Source: | Code function: | 7_2_0250C805 | |
| Source: | Code function: | 7_2_024BD9AB | |
| Source: | Code function: | 7_2_024FFFEF | |
| Source: | Code function: | 7_2_02505C00 | |
| Source: | Code function: | 7_2_024EAD0F | |
| Source: | Code function: | 7_2_024FED3D | |
| Source: | Code function: | ||
| Source: | Process created: | ||
| Source: | Static PE information: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 7_2_00418810 | |
| Source: | Code function: | 7_2_00413970 | |
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
Data Obfuscation | |
|---|
| Source: | Unpacked PE file: | ||
| Source: | Unpacked PE file: | ||
| Source: | Code function: | 7_2_00419F20 | |
| Source: | Code function: | 7_2_0042A39D | |
| Source: | Code function: | 7_2_0041B348 | |
| Source: | Code function: | 7_2_02519293 | |
| Source: | Code function: | 7_2_024AB5AF | |
| Source: | Static PE information: | ||
| Source: | Code function: | 7_2_00419F20 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | Evasive API call chain: | graph_7-46026 | ||
| Source: | API coverage: | ||
| Source: | Code function: | 7_2_004140F0 | |
| Source: | Code function: | 7_2_0040E530 | |
| Source: | Code function: | 7_2_0040BE40 | |
| Source: | Code function: | 7_2_0040EE20 | |
| Source: | Code function: | 7_2_00414B60 | |
| Source: | Code function: | 7_2_00413B00 | |
| Source: | Code function: | 7_2_0040DF10 | |
| Source: | Code function: | 7_2_00401710 | |
| Source: | Code function: | 7_2_004147C0 | |
| Source: | Code function: | 7_2_0040DB80 | |
| Source: | Code function: | 7_2_0040F7B0 | |
| Source: | Code function: | 7_2_024A4357 | |
| Source: | Code function: | 7_2_0249F087 | |
| Source: | Code function: | 7_2_0249C0A7 | |
| Source: | Code function: | 7_2_0249E177 | |
| Source: | Code function: | 7_2_0249E797 | |
| Source: | Code function: | 7_2_0249FA17 | |
| Source: | Code function: | 7_2_024A4A27 | |
| Source: | Code function: | 7_2_02491977 | |
| Source: | Code function: | 7_2_024A3D67 | |
| Source: | Code function: | 7_2_024A4DC7 | |
| Source: | Code function: | 7_2_0249DDE7 | |
| Source: | Code function: | 7_2_00418060 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_7-46014 | ||
| Source: | API call chain: | graph_7-46011 | ||
| Source: | API call chain: | graph_7-46054 | ||
| Source: | API call chain: | graph_7-47195 | ||
| Source: | API call chain: | graph_7-46031 | ||
| Source: | API call chain: | graph_7-46025 | ||
| Source: | API call chain: | graph_7-46032 | ||
| Source: | API call chain: | graph_7-45853 | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 7_2_0041B058 | |
| Source: | Code function: | 7_2_00404610 | |
| Source: | Code function: | 7_2_00419F20 | |
| Source: | Code function: | 7_2_00419AA0 | |
| Source: | Code function: | 7_2_02330083 | |
| Source: | Code function: | 7_2_0249092B | |
| Source: | Code function: | 7_2_024A9D07 | |
| Source: | Code function: | 7_2_02490D90 | |
| Source: | Code function: | 7_2_00405000 | |
| Source: | Code function: | 7_2_0041B058 | |
| Source: | Code function: | 7_2_0041D21A | |
| Source: | Code function: | 7_2_0041B63A | |
| Source: | Code function: | 7_2_024AB2BF | |
| Source: | Code function: | 7_2_024AD481 | |
| Source: | Code function: | 7_2_024AB8A1 | |
| Source: | Memory protected: | Jump to behavior | ||
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | File source: | ||
| Source: | Code function: | 7_2_004198E0 | |
| Source: | Code function: | 7_2_00419790 | |
| Source: | Code function: | 7_2_024A9B47 | |
| Source: | Code function: | 7_2_024A99F7 | |
| Source: | Code function: | 7_2_024D6A0F | |
| Source: | Code function: | 7_2_00417D20 | |
| Source: | Code function: | 7_2_024A7F87 | |
| Source: | Registry key value queried: | Jump to behavior | ||
| Source: | Registry key value queried: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 7_2_00418CF0 | |
| Source: | Code function: | 7_2_004179E0 | |
| Source: | Code function: | 7_2_00417BC0 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Native API | 1 Create Account | 11 Process Injection | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | LSASS Memory | 31 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 12 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 22 Software Packing | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 143 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 55% | ReversingLabs | Win32.Trojan.CrypterX | ||
| 100% | Avira | HEUR/AGEN.1306956 | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| 15.164.165.52.in-addr.arpa | unknown | unknown | true | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true | unknown | ||
| true | unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| true | unknown | |||
| false |
| unknown | ||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 194.15.46.65 | unknown | unknown | 20952 | VENUS-INTERNET-ASGB | true |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1543996 |
| Start date and time: | 2024-10-28 17:36:07 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 4m 44s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 19 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | uxnkmJzTjK.exerenamed because original name is a hash value |
| Original Sample Name: | ac6cfd8f94d80a7655d146d3f4bf8f26.exe |
| Detection: | MAL |
| Classification: | mal100.troj.evad.winEXE@2/5@1/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 52.168.117.173, 52.168.117.172
- Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, onedsblobprdeus07.eastus.cloudapp.azure.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: uxnkmJzTjK.exe
| Time | Type | Description |
|---|---|---|
| 12:37:30 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 194.15.46.65 | Get hash | malicious | Stealc | Browse |
| |
| Get hash | malicious | Stealc, Vidar | Browse |
| ||
| Get hash | malicious | Stealc | Browse |
| ||
| Get hash | malicious | Stealc, Vidar | Browse |
|
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| VENUS-INTERNET-ASGB | Get hash | malicious | Stealc | Browse |
| |
| Get hash | malicious | Stealc, Vidar | Browse |
| ||
| Get hash | malicious | Stealc | Browse |
| ||
| Get hash | malicious | Stealc, Vidar | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
|
⊘No context
⊘No context
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_uxnkmJzTjK.exe_2758b5a6727ed414df83f22680b3fca6bee45aca_7d3e508a_21fb4e6d-b425-4a5d-96c5-dcfe67d27b2c\Report.wer 
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.9640081924063675 |
| Encrypted: | false |
| SSDEEP: | 192:+5DGe6ZL0jFaIjJeZroZlzuiF0+Z24IO8+:kSecYjFaIjzrzuiFrY4IO8+ |
| MD5: | D7A9B0177D73EA04C4A3E02DCB573869 |
| SHA1: | C5D6CE8B18AEC779D9CB3D766049798DB7665488 |
| SHA-256: | 83CC42D336FCE27BDF07E7C7066FE3710B017C9BB176F53403D907BAC9C2419D |
| SHA-512: | 902CD5339D7034F9B8073D9BCBF989BE246143284B8E7568666A4CB475EAE40A177A8908F22143CB6E2D2AEFB1DF3908CDB1AA743830FD8DA176FCF599FFC49F |
| Malicious: | true |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 116296 |
| Entropy (8bit): | 1.7340699268597577 |
| Encrypted: | false |
| SSDEEP: | 384:WlTajVHJPRRH2ocCXSjzRvD3VbPPAXJ384DhnyCkQ3sf:WlQVZRRH2PCXSjzRvD3VbeL9vkf |
| MD5: | 5BA722B465216C6837736846026D2BA6 |
| SHA1: | 99B81170E2252362273FB3C785B4495C247F03B8 |
| SHA-256: | 88FBEACCC407CD67EDB6969C75175273C63A1746D590E58536DB36C926D3CCD5 |
| SHA-512: | 1AAD2196AE6507DCD352C52D84EFE2C66A20D73AC6193AADF079C443C9EDD6AD7E2941B7C5E1F62FEFA2875EE221FAABC34A1F4ED98314A680140D51645B0163 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8350 |
| Entropy (8bit): | 3.7024757165830193 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJbX6dc6YWISUM1qGgmfZgpDM89bZcsfObzm:R6lXJ76W6YpSUM5gmfZUZvfOe |
| MD5: | ABC9ACC41B02819F8F7430F98272E171 |
| SHA1: | 6D66A54A04004B4956728F4AB52BB3BBAE4547F8 |
| SHA-256: | 56E054C17E2FDCC0F8C77FFBF7784D74C2B065B304D80BB934517D9E7E12CDB6 |
| SHA-512: | 4FE642F9636F741934BAA20931B946C800DE85913D462C304C2C82A2030DBBBE934D368BB79DA74B2758B2721646F713DDA29428FEECF8EE4E6F0E394D0F7647 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4583 |
| Entropy (8bit): | 4.473616758643659 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsVJg77aI9yZrWpW8VYgYm8M4JfSeFTRFm+q8Gvm1aHrw5wd:uIjfvI7MZa7VgJfhFm7ewHrw5wd |
| MD5: | 954CBC01D5CEA51A2F58BC416856D58E |
| SHA1: | B2CBF5065EC952980818175C91B74D40F72CC262 |
| SHA-256: | B540EB47FE9A5F8972F73FF3B6C04E4E2B8169E5BE781EC305A6864E22583E39 |
| SHA-512: | 6EF6A186A94F84590B9D4F0BDD4D3990BC0D10438DEE142A0E0D73E0F5F8E1F64F7B3A98506A607D7E66931F89FBA4B3421F5A56DA4CCEC3F39A720A41320EE6 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1835008 |
| Entropy (8bit): | 4.296003176953034 |
| Encrypted: | false |
| SSDEEP: | 6144:I41fWRYkg7Di2vXoy00lWZgiWaaKxC44Q0NbuDs+lamBMZJh1Vjo:l1/YCW2AoQ0NivawMHrVs |
| MD5: | 29D1D59679BFEE76A0BF61A2375CA324 |
| SHA1: | 83CD4AE9CE162EDF613FA86A8BAA17EE62502AF2 |
| SHA-256: | 517F424C0A5C6365DFC7D5A9EFF6A3E1D42431AB61BAE7F68CFD8072A7119AD9 |
| SHA-512: | 2BD956E358EF055ED48FF7725365F72AFEFA5D68E73613C5EF4579FB785AA8A5DF7019CDAB1F9D80D62221C787E3C8E12199CBE9E36800325F8110F3FC554CD9 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.271417145997924 |
| TrID: |
|
| File name: | uxnkmJzTjK.exe |
| File size: | 717'824 bytes |
| MD5: | ac6cfd8f94d80a7655d146d3f4bf8f26 |
| SHA1: | dc504fb438874808a1c31b3df328d2c430e7d051 |
| SHA256: | 9c3e8022d4d7d382394e1e62fac2d0df1bf545797397288ebe6655c62df78844 |
| SHA512: | fb5235185dda52f849f3a95183bfe8dd6ac73a3eb2f4cb8efec0a24f607e03b07a039af5c074dbc7a5020df5bbef29c35af87e19f218dfd18ab921f5e037ddfe |
| SSDEEP: | 12288:xy7txobaJtCURbqxDFp+CLdPYu8oAwTrg1X7ihYmoJErKeWyDaVY8hQa9EvF1E:xkt2bu0ObqdFp+CLdPY2HEWY+lWyOVY2 |
| TLSH: | 08E41211F592D4B1CA93453C087AC6FC253ABCA2C626699733683F9F3C70BD3A666315 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b+..&Jj.&Jj.&Jj.8...:Jj.8...8Jj.8...QJj...../Jj.&Jk..Jj.8...'Jj.8...'Jj.8...'Jj.Rich&Jj.........................PE..L...D.De... |
 | |
| Icon Hash: | 63796dc971636e0f |
| Entrypoint: | 0x40614a |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x6544AD44 [Fri Nov 3 08:20:20 2023 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 0 |
| File Version Major: | 5 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 6151e5d379296541f85c9ec931b45e6d |
| Instruction |
|---|
| call 00007FBDB14F4B2Eh |
| jmp 00007FBDB14F00FEh |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| call 00007FBDB14F02BCh |
| xchg cl, ch |
| jmp 00007FBDB14F02A4h |
| call 00007FBDB14F02B3h |
| fxch st(0), st(1) |
| jmp 00007FBDB14F029Bh |
| fabs |
| fld1 |
| mov ch, cl |
| xor cl, cl |
| jmp 00007FBDB14F0291h |
| mov byte ptr [ebp-00000090h], FFFFFFFEh |
| fabs |
| fxch st(0), st(1) |
| fabs |
| fxch st(0), st(1) |
| fpatan |
| or cl, cl |
| je 00007FBDB14F0286h |
| fldpi |
| fsubrp st(1), st(0) |
| or ch, ch |
| je 00007FBDB14F0284h |
| fchs |
| ret |
| fabs |
| fld st(0), st(0) |
| fld st(0), st(0) |
| fld1 |
| fsubrp st(1), st(0) |
| fxch st(0), st(1) |
| fld1 |
| faddp st(1), st(0) |
| fmulp st(1), st(0) |
| ftst |
| wait |
| fstsw word ptr [ebp-000000A0h] |
| wait |
| test byte ptr [ebp-0000009Fh], 00000001h |
| jne 00007FBDB14F0287h |
| xor ch, ch |
| fsqrt |
| ret |
| pop eax |
| jmp 00007FBDB14F08BFh |
| fstp st(0) |
| fld tbyte ptr [0049508Ah] |
| ret |
| fstp st(0) |
| or cl, cl |
| je 00007FBDB14F028Dh |
| fstp st(0) |
| fldpi |
| or ch, ch |
| je 00007FBDB14F0284h |
| fchs |
| ret |
| fstp st(0) |
| fldz |
| or ch, ch |
| je 00007FBDB14F0279h |
| fchs |
| ret |
| fstp st(0) |
| jmp 00007FBDB14F0895h |
| fstp st(0) |
| mov cl, ch |
| jmp 00007FBDB14F0282h |
| call 00007FBDB14F024Eh |
| jmp 00007FBDB14F08A0h |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| push ebp |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x93e1c | 0x64 | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa7000 | 0x13a98 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2eb000 | 0xb24 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4928 | 0x40 | .text |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1b4 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x9381a | 0x93a00 | c4c66e39d50648b07a9ef9cbcc68b323 | False | 0.8646968935224386 | data | 7.614482012952397 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0x95000 | 0x11884 | 0x6000 | 8a8ae95e615b9006d50b80b647950682 | False | 0.07816569010416667 | dBase III DBT, next free block index 7565155 | 0.9099523894840397 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xa7000 | 0x243a98 | 0x13c00 | 691b43c4db6de6c08583a099fa2060f2 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x2eb000 | 0x180e | 0x1a00 | b91bca4a31432d02b40dcc57ea1224bd | False | 0.37289663461538464 | data | 3.711466150522236 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| BARUY | 0xb1160 | 0x136f | ASCII text, with very long lines (4975), with no line terminators | Tamil | India | 0.5951758793969849 |
| BARUY | 0xb1160 | 0x136f | ASCII text, with very long lines (4975), with no line terminators | Tamil | Sri Lanka | 0.5951758793969849 |
| BIFETUGIDOSUCIVIK | 0xb24d0 | 0x1e31 | ASCII text, with very long lines (7729), with no line terminators | Tamil | India | 0.5883037909173243 |
| BIFETUGIDOSUCIVIK | 0xb24d0 | 0x1e31 | ASCII text, with very long lines (7729), with no line terminators | Tamil | Sri Lanka | 0.5883037909173243 |
| RT_CURSOR | 0xb4360 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | 0.2953091684434968 | ||
| RT_CURSOR | 0xb5208 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | 0.46705776173285196 | ||
| RT_CURSOR | 0xb5ab0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | 0.5361271676300579 | ||
| RT_CURSOR | 0xb6048 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | 0.4375 | ||
| RT_CURSOR | 0xb6178 | 0xb0 | Device independent bitmap graphic, 16 x 32 x 1, image size 0 | 0.44886363636363635 | ||
| RT_CURSOR | 0xb6250 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | 0.27238805970149255 | ||
| RT_CURSOR | 0xb70f8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | 0.375 | ||
| RT_CURSOR | 0xb79a0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | 0.5057803468208093 | ||
| RT_CURSOR | 0xb7f38 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | 0.30943496801705755 | ||
| RT_CURSOR | 0xb8de0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | 0.427797833935018 | ||
| RT_CURSOR | 0xb9688 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | 0.5469653179190751 | ||
| RT_ICON | 0xa7820 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | India | 0.5288018433179723 |
| RT_ICON | 0xa7820 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | Sri Lanka | 0.5288018433179723 |
| RT_ICON | 0xa7ee8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | India | 0.4109958506224066 |
| RT_ICON | 0xa7ee8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | Sri Lanka | 0.4109958506224066 |
| RT_ICON | 0xaa490 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | India | 0.44592198581560283 |
| RT_ICON | 0xaa490 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | Sri Lanka | 0.44592198581560283 |
| RT_ICON | 0xaa928 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | India | 0.3699360341151386 |
| RT_ICON | 0xaa928 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | Sri Lanka | 0.3699360341151386 |
| RT_ICON | 0xab7d0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | India | 0.5036101083032491 |
| RT_ICON | 0xab7d0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | Sri Lanka | 0.5036101083032491 |
| RT_ICON | 0xac078 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | India | 0.5771889400921659 |
| RT_ICON | 0xac078 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | Sri Lanka | 0.5771889400921659 |
| RT_ICON | 0xac740 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | India | 0.6466763005780347 |
| RT_ICON | 0xac740 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | Sri Lanka | 0.6466763005780347 |
| RT_ICON | 0xacca8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Tamil | India | 0.4537344398340249 |
| RT_ICON | 0xacca8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Tamil | Sri Lanka | 0.4537344398340249 |
| RT_ICON | 0xaf250 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Tamil | India | 0.4643527204502814 |
| RT_ICON | 0xaf250 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Tamil | Sri Lanka | 0.4643527204502814 |
| RT_ICON | 0xb02f8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Tamil | India | 0.4516393442622951 |
| RT_ICON | 0xb02f8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Tamil | Sri Lanka | 0.4516393442622951 |
| RT_ICON | 0xb0c80 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Tamil | India | 0.500886524822695 |
| RT_ICON | 0xb0c80 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Tamil | Sri Lanka | 0.500886524822695 |
| RT_DIALOG | 0xb9e78 | 0x58 | data | 0.8977272727272727 | ||
| RT_STRING | 0xb9ed0 | 0x36e | data | Tamil | India | 0.4612756264236902 |
| RT_STRING | 0xb9ed0 | 0x36e | data | Tamil | Sri Lanka | 0.4612756264236902 |
| RT_STRING | 0xba240 | 0x28c | data | Tamil | India | 0.48619631901840493 |
| RT_STRING | 0xba240 | 0x28c | data | Tamil | Sri Lanka | 0.48619631901840493 |
| RT_STRING | 0xba4d0 | 0x3bc | data | Tamil | India | 0.4686192468619247 |
| RT_STRING | 0xba4d0 | 0x3bc | data | Tamil | Sri Lanka | 0.4686192468619247 |
| RT_STRING | 0xba890 | 0x208 | data | Tamil | India | 0.5192307692307693 |
| RT_STRING | 0xba890 | 0x208 | data | Tamil | Sri Lanka | 0.5192307692307693 |
| RT_ACCELERATOR | 0xb4308 | 0x58 | data | Tamil | India | 0.7954545454545454 |
| RT_ACCELERATOR | 0xb4308 | 0x58 | data | Tamil | Sri Lanka | 0.7954545454545454 |
| RT_GROUP_CURSOR | 0xb6018 | 0x30 | data | 0.9375 | ||
| RT_GROUP_CURSOR | 0xb6228 | 0x22 | data | 1.0588235294117647 | ||
| RT_GROUP_CURSOR | 0xb7f08 | 0x30 | data | 0.9375 | ||
| RT_GROUP_CURSOR | 0xb9bf0 | 0x30 | data | 0.9375 | ||
| RT_GROUP_ICON | 0xaa8f8 | 0x30 | data | Tamil | India | 0.9375 |
| RT_GROUP_ICON | 0xaa8f8 | 0x30 | data | Tamil | Sri Lanka | 0.9375 |
| RT_GROUP_ICON | 0xb10e8 | 0x76 | data | Tamil | India | 0.6694915254237288 |
| RT_GROUP_ICON | 0xb10e8 | 0x76 | data | Tamil | Sri Lanka | 0.6694915254237288 |
| RT_VERSION | 0xb9c20 | 0x258 | data | 0.5366666666666666 |
| DLL | Import |
|---|---|
| KERNEL32.dll | GlobalMemoryStatus, TlsGetValue, GlobalCompact, CreateProcessW, InterlockedIncrement, InterlockedDecrement, GetCurrentProcess, GetLogicalDriveStringsW, CreateJobObjectW, SetComputerNameW, GetComputerNameW, FreeEnvironmentStringsA, GetTickCount, GetCommConfig, CreateNamedPipeW, GetNumberFormatA, ClearCommBreak, GetConsoleAliasExesW, EnumTimeFormatsW, SetFileShortNameW, LoadLibraryW, ReadConsoleInputA, EnumResourceNamesW, SetVolumeMountPointA, GetVersionExW, GetFileAttributesA, GetTimeFormatW, GetModuleFileNameW, LCMapStringA, InterlockedExchange, GetLastError, SetLastError, GetProcAddress, VirtualAlloc, DefineDosDeviceW, SetFileAttributesA, GetDiskFreeSpaceW, LoadLibraryA, OpenJobObjectW, SetEnvironmentVariableA, GetModuleFileNameA, GetCurrentDirectoryA, OpenEventW, GetShortPathNameW, IsBadCodePtr, GetTempFileNameW, CreateFileA, CloseHandle, HeapAlloc, UnhandledExceptionFilter, SetUnhandledExceptionFilter, HeapReAlloc, GetStartupInfoW, RaiseException, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, HeapCreate, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, SetHandleCount, GetFileType, GetStartupInfoA, TerminateProcess, IsDebuggerPresent, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetModuleHandleA, InitializeCriticalSectionAndSpinCount, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, HeapSize, GetLocaleInfoA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, FlushFileBuffers, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW |
| GDI32.dll | GetCharWidth32A |
| ole32.dll | CoSuspendClassObjects |
| WINHTTP.dll | WinHttpOpen |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| Tamil | India |  |
| Tamil | Sri Lanka |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 28, 2024 17:37:04.254240036 CET | 49708 | 80 | 192.168.2.10 | 194.15.46.65 |
| Oct 28, 2024 17:37:04.259617090 CET | 80 | 49708 | 194.15.46.65 | 192.168.2.10 |
| Oct 28, 2024 17:37:04.259686947 CET | 49708 | 80 | 192.168.2.10 | 194.15.46.65 |
| Oct 28, 2024 17:37:04.259856939 CET | 49708 | 80 | 192.168.2.10 | 194.15.46.65 |
| Oct 28, 2024 17:37:04.265204906 CET | 80 | 49708 | 194.15.46.65 | 192.168.2.10 |
| Oct 28, 2024 17:37:12.775883913 CET | 80 | 49708 | 194.15.46.65 | 192.168.2.10 |
| Oct 28, 2024 17:37:12.776356936 CET | 49708 | 80 | 192.168.2.10 | 194.15.46.65 |
| Oct 28, 2024 17:37:12.776617050 CET | 49708 | 80 | 192.168.2.10 | 194.15.46.65 |
| Oct 28, 2024 17:37:12.783366919 CET | 80 | 49708 | 194.15.46.65 | 192.168.2.10 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 28, 2024 17:37:50.275929928 CET | 53 | 51220 | 162.159.36.2 | 192.168.2.10 |
| Oct 28, 2024 17:37:50.912720919 CET | 59878 | 53 | 192.168.2.10 | 1.1.1.1 |
| Oct 28, 2024 17:37:50.920857906 CET | 53 | 59878 | 1.1.1.1 | 192.168.2.10 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Oct 28, 2024 17:37:50.912720919 CET | 192.168.2.10 | 1.1.1.1 | 0x201 | Standard query (0) | PTR (Pointer record) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Oct 28, 2024 17:37:50.920857906 CET | 1.1.1.1 | 192.168.2.10 | 0x201 | Name error (3) | none | none | PTR (Pointer record) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.10 | 49708 | 194.15.46.65 | 80 | 6444 | C:\Users\user\Desktop\uxnkmJzTjK.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Oct 28, 2024 17:37:04.259856939 CET | 87 | OUT |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 7 |
| Start time: | 12:37:01 |
| Start date: | 28/10/2024 |
| Path: | C:\Users\user\Desktop\uxnkmJzTjK.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 717'824 bytes |
| MD5 hash: | AC6CFD8F94D80A7655D146D3F4BF8F26 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 13 |
| Start time: | 12:37:25 |
| Start date: | 28/10/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x6a0000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 4.9% |
| Dynamic/Decrypted Code Coverage: | 47% |
| Signature Coverage: | 4.3% |
| Total number of Nodes: | 2000 |
| Total number of Limit Nodes: | 34 |
Graph
Function 00419F20 Relevance: 238.7, APIs: 112, Strings: 24, Instructions: 684libraryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00404610 Relevance: 112.1, APIs: 34, Strings: 30, Instructions: 114stringmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00405000 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 82networkmemoryfileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00417D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00418810 Relevance: 6.1, APIs: 4, Instructions: 77processCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004179E0 Relevance: 4.5, APIs: 3, Instructions: 36memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00418060 Relevance: 3.0, APIs: 2, Instructions: 34COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00419BB0 Relevance: 86.0, APIs: 33, Strings: 16, Instructions: 212libraryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00405150 Relevance: 61.8, APIs: 22, Strings: 13, Instructions: 569stringnetworkmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004048D0 Relevance: 35.5, APIs: 11, Strings: 9, Instructions: 479networkstringfileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004184B0 Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 196registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004062D0 Relevance: 28.2, APIs: 11, Strings: 5, Instructions: 191networkfileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00415760 Relevance: 24.9, APIs: 7, Strings: 7, Instructions: 383sleepCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00411C60 Relevance: 23.6, APIs: 2, Strings: 11, Instructions: 857stringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00417690 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 106memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00418290 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 67memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0249003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041856C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 64registrystringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00416C90 Relevance: 10.6, APIs: 7, Instructions: 89sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00404800 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60stringnetworkCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00417820 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43registrymemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004178B0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 42registrymemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00416D93 Relevance: 6.0, APIs: 4, Instructions: 30sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00417A70 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00419600 Relevance: 4.5, APIs: 3, Instructions: 29COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401110 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004081C0 Relevance: 3.1, APIs: 2, Instructions: 93COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 023307A6 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 02490E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401160 Relevance: 3.0, APIs: 2, Instructions: 15COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004010A0 Relevance: 2.5, APIs: 2, Instructions: 41memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401190 Relevance: 1.5, APIs: 1, Instructions: 22COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 02330465 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040BE40 Relevance: 70.7, APIs: 29, Strings: 11, Instructions: 727fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0249C0A7 Relevance: 55.0, APIs: 29, Strings: 2, Instructions: 727fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00413B00 Relevance: 52.8, APIs: 21, Strings: 9, Instructions: 250filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00414B60 Relevance: 42.2, APIs: 18, Strings: 6, Instructions: 172fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024A3D67 Relevance: 38.8, APIs: 21, Strings: 1, Instructions: 250filestringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004147C0 Relevance: 35.1, APIs: 15, Strings: 5, Instructions: 137stringmemoryfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024A4A27 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 137stringmemoryfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024A4DC7 Relevance: 27.2, APIs: 18, Instructions: 172fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00409E30 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 157stringsleepprocessCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004140F0 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 133fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040DF10 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 370fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040EE20 Relevance: 23.1, APIs: 9, Strings: 4, Instructions: 369fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040E530 Relevance: 21.5, APIs: 4, Strings: 8, Instructions: 514fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040F7B0 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 275fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401710 Relevance: 19.7, APIs: 7, Strings: 4, Instructions: 492fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040DB80 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 255fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024A4357 Relevance: 18.1, APIs: 12, Instructions: 133fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0249F087 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 369fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024CF4FF Relevance: 17.4, Strings: 13, Instructions: 1151COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0249E177 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 370fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0249FA17 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 275fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0249E797 Relevance: 14.5, APIs: 4, Strings: 4, Instructions: 514fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 02491977 Relevance: 14.5, APIs: 7, Strings: 1, Instructions: 492fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0249DDE7 Relevance: 13.8, APIs: 9, Instructions: 255fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0249CB87 Relevance: 10.6, APIs: 7, Instructions: 93stringencryptionCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040C920 Relevance: 10.6, APIs: 7, Instructions: 93stringencryptionCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041B63A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040A210 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55encryptionmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024FED3D Relevance: 7.6, Strings: 6, Instructions: 123COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024A7F87 Relevance: 7.6, APIs: 5, Instructions: 114memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024A99F7 Relevance: 7.5, APIs: 5, Instructions: 42processCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00419790 Relevance: 7.5, APIs: 5, Instructions: 42processCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0249092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00418CF0 Relevance: 1.6, APIs: 1, Instructions: 60timeCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024AD481 Relevance: 1.5, APIs: 1, Instructions: 4COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041D21A Relevance: 1.5, APIs: 1, Instructions: 4COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024BD9AB Relevance: .8, Instructions: 823COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024FFFEF Relevance: .7, Instructions: 700COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024D82DF Relevance: .6, Instructions: 649COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0250A08F Relevance: .5, Instructions: 501COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024D5B2F Relevance: .4, Instructions: 418COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0251A76F Relevance: .4, Instructions: 415COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024EAD0F Relevance: .4, Instructions: 376COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024EB1CF Relevance: .4, Instructions: 372COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 02509AAF Relevance: .3, Instructions: 339COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024F8040 Relevance: .3, Instructions: 302COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024FA19F Relevance: .3, Instructions: 302COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024C11DF Relevance: .3, Instructions: 291COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024D3A0F Relevance: .3, Instructions: 291COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024C159F Relevance: .3, Instructions: 284COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0250134F Relevance: .3, Instructions: 274COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 02518B64 Relevance: .3, Instructions: 269COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024EA5FF Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024FCA0F Relevance: .3, Instructions: 258COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0250C805 Relevance: .2, Instructions: 242COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024D36EF Relevance: .2, Instructions: 240COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 02505C00 Relevance: .1, Instructions: 131COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 02330083 Relevance: .1, Instructions: 61COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 02490D90 Relevance: .0, Instructions: 43COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024D6A0F Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024A9D07 Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00419AA0 Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024A9E17 Relevance: 84.2, APIs: 33, Strings: 15, Instructions: 212libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004103B0 Relevance: 73.9, APIs: 32, Strings: 10, Instructions: 363stringmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004059B0 Relevance: 51.2, APIs: 19, Strings: 10, Instructions: 493networkstringmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 02495C17 Relevance: 39.0, APIs: 19, Strings: 3, Instructions: 493networkstringmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0249D257 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 374stringmemoryfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040CFF0 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 374stringmemoryfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0249CCF7 Relevance: 33.6, APIs: 14, Strings: 5, Instructions: 383filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040CA90 Relevance: 33.6, APIs: 14, Strings: 5, Instructions: 383filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00411520 Relevance: 33.6, APIs: 13, Strings: 6, Instructions: 308stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00414FC0 Relevance: 33.4, APIs: 10, Strings: 9, Instructions: 119stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00409BE0 Relevance: 31.6, APIs: 13, Strings: 5, Instructions: 141stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024A1862 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 205stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 02494B37 Relevance: 26.7, APIs: 11, Strings: 4, Instructions: 479networkstringfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024A4737 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 202stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004144D0 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 202stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0249A097 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 157stringsleepprocessCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004119F0 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 160stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 02496537 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 191networkfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401310 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 139stringfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00415510 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 138stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024A9407 Relevance: 16.7, APIs: 11, Instructions: 184COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024A4567 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 124registrystringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00414300 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 124registrystringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00409A50 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 107networkCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024A78F7 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 106memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00407630 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 91stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024A59C7 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 383sleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00407330 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 149registrymemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 02491577 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 139stringfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0249ABF7 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 370filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040A990 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 370filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0250F595 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0249AA37 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 116libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040A7D0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 116libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024A84F7 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 67memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024ACF75 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040BA50 Relevance: 12.3, APIs: 4, Strings: 4, Instructions: 284stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040A090 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 31libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041D7DA Relevance: 12.1, APIs: 8, Instructions: 147COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 02497897 Relevance: 12.1, APIs: 8, Instructions: 91stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 02495267 Relevance: 12.1, APIs: 8, Instructions: 82networkmemoryfileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004108A0 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 255fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040A560 Relevance: 10.7, APIs: 4, Strings: 3, Instructions: 155memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 02494A67 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60stringnetworkCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024A7A87 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43registrymemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00419470 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024A5777 Relevance: 9.1, APIs: 6, Instructions: 138stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024A75B7 Relevance: 9.1, APIs: 6, Instructions: 136COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004137B0 Relevance: 9.1, APIs: 6, Instructions: 122stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024A6EF7 Relevance: 9.1, APIs: 6, Instructions: 89sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0249D767 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 252filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040D500 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 252filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0249DAE7 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 221filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040D880 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 221filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024A73E7 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 156stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00417180 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 156stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00406A00 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 155libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024A4C37 Relevance: 8.9, APIs: 7, Instructions: 101stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00415190 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024A7D77 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51memorytimeCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00417B10 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51memorytimeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0249A7C7 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 155memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024ADA41 Relevance: 7.6, APIs: 5, Instructions: 147COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00410FC0 Relevance: 7.6, APIs: 5, Instructions: 120stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024AD0D0 Relevance: 7.6, APIs: 5, Instructions: 94COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024A6E27 Relevance: 7.6, APIs: 5, Instructions: 67timeCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00416BC0 Relevance: 7.6, APIs: 5, Instructions: 67timeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024A9657 Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 41stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004193F0 Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 41stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00414E00 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 118stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004152A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00418EE0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00413E2B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16filestringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040F5A0 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 154stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024A5067 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 118stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024A98C7 Relevance: 6.1, APIs: 4, Instructions: 89COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00419660 Relevance: 6.1, APIs: 4, Instructions: 89COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024A8A77 Relevance: 6.1, APIs: 4, Instructions: 77processCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024ADC46 Relevance: 6.1, APIs: 4, Instructions: 69COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041D9DF Relevance: 6.1, APIs: 4, Instructions: 69COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00418950 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 64memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0250F25E Relevance: 6.1, APIs: 4, Instructions: 60COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024A1C57 Relevance: 6.1, APIs: 4, Instructions: 53stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024A3AD0 Relevance: 6.0, APIs: 4, Instructions: 45stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024A96D7 Relevance: 6.0, APIs: 4, Instructions: 39fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024A6FFA Relevance: 6.0, APIs: 4, Instructions: 30sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0250F93A Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0249BCB7 Relevance: 5.3, APIs: 4, Instructions: 284stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 024A53F7 Relevance: 5.1, APIs: 4, Instructions: 70stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|