Edit tour
Windows
Analysis Report
bfINGx7hvL.exe
Overview
General Information
| Sample name: | bfINGx7hvL.exerenamed because original name is a hash value |
| Original sample name: | 80c2a36e9a14e3edba0b706d2433d9b8.exe |
| Analysis ID: | 1520450 |
| MD5: | 80c2a36e9a14e3edba0b706d2433d9b8 |
| SHA1: | 03ac191b235b3a867539720070a5e6ca1108b4f2 |
| SHA256: | 154dae39845abef889af814bd6ad84283374c90ecece891addc362384afdd882 |
| Tags: | exeuser-abuse_ch |
| Infos: |  |
 | |
Detection
LummaC
| Score: | 88 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
bfINGx7hvL.exe (PID: 5852 cmdline: "C:\Users\ user\Deskt op\bfINGx7 hvL.exe" MD5: 80C2A36E9A14E3EDBA0B706D2433D9B8) 
WerFault.exe (PID: 5608 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 5 852 -s 624 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 6520 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 5 852 -s 176 0 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 6172 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 5 852 -s 200 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
{"C2 url": ["priooozekw.shop", "surroundeocw.shop", "deallyharvenw.shop", "candleduseiwo.shop", "abortinoiwiam.shop", "racedsuitreow.shop", "covvercilverow.shop", "defenddsouneuw.shop", "pumpkinkwquo.shop"], "Build id": "yJEcaG--rui1222"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| Windows_Trojan_Donutloader_f40e3759 | unknown | unknown |
| |
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-09-27T11:18:26.194583+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49716 | 188.114.97.3 | 443 | TCP |
| 2024-09-27T11:18:27.331905+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49717 | 188.114.97.3 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-09-27T11:18:26.194583+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49716 | 188.114.97.3 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-09-27T11:18:27.331905+0200 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.5 | 49717 | 188.114.97.3 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-09-27T11:18:26.025493+0200 | 2056077 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49716 | 188.114.97.3 | 443 | TCP |
| 2024-09-27T11:18:26.917291+0200 | 2056077 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49717 | 188.114.97.3 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-09-27T11:18:25.539643+0200 | 2056076 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 57176 | 1.1.1.1 | 53 | UDP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-09-27T11:18:25.529280+0200 | 2056078 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 58062 | 1.1.1.1 | 53 | UDP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Code function: | 0_2_0052D130 | |
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_00477BE0 | |
| Source: | Code function: | 0_2_00495D80 | |
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Code function: | 0_2_00F86013 | |
| Source: | Code function: | 0_2_00F8600C | |
| Source: | Code function: | 0_2_00F811B2 | |
| Source: | Code function: | 0_2_00F9D0CE | |
| Source: | Code function: | 0_2_00F92132 | |
| Source: | Code function: | 0_2_00F9D134 | |
| Source: | Code function: | 0_2_00FB12FC | |
| Source: | Code function: | 0_2_00FB12FC | |
| Source: | Code function: | 0_2_00FB82BB | |
| Source: | Code function: | 0_2_00FBC2B2 | |
| Source: | Code function: | 0_2_00FA429B | |
| Source: | Code function: | 0_2_00FA429B | |
| Source: | Code function: | 0_2_00FAC282 | |
| Source: | Code function: | 0_2_00FB5272 | |
| Source: | Code function: | 0_2_00FA4215 | |
| Source: | Code function: | 0_2_00FA4215 | |
| Source: | Code function: | 0_2_00FB63F2 | |
| Source: | Code function: | 0_2_00FBB3B2 | |
| Source: | Code function: | 0_2_00F8539E | |
| Source: | Code function: | 0_2_00F98312 | |
| Source: | Code function: | 0_2_00F874E1 | |
| Source: | Code function: | 0_2_00F7F4B2 | |
| Source: | Code function: | 0_2_00FA54B5 | |
| Source: | Code function: | 0_2_00FB0432 | |
| Source: | Code function: | 0_2_00F92403 | |
| Source: | Code function: | 0_2_00FA45CB | |
| Source: | Code function: | 0_2_00FA45CB | |
| Source: | Code function: | 0_2_00FA45CB | |
| Source: | Code function: | 0_2_00F925AE | |
| Source: | Code function: | 0_2_00F98582 | |
| Source: | Code function: | 0_2_00F9F577 | |
| Source: | Code function: | 0_2_00F8F6C4 | |
| Source: | Code function: | 0_2_00F766B2 | |
| Source: | Code function: | 0_2_00F9A692 | |
| Source: | Code function: | 0_2_00F9D652 | |
| Source: | Code function: | 0_2_00F9D652 | |
| Source: | Code function: | 0_2_00FBB612 | |
| Source: | Code function: | 0_2_00FA076F | |
| Source: | Code function: | 0_2_00FA076F | |
| Source: | Code function: | 0_2_00F77712 | |
| Source: | Code function: | 0_2_00F858A8 | |
| Source: | Code function: | 0_2_00FB9832 | |
| Source: | Code function: | 0_2_00FB9832 | |
| Source: | Code function: | 0_2_00F8F835 | |
| Source: | Code function: | 0_2_00F859AB | |
| Source: | Code function: | 0_2_00F859AB | |
| Source: | Code function: | 0_2_00F8C952 | |
| Source: | Code function: | 0_2_00F82911 | |
| Source: | Code function: | 0_2_00F87AF3 | |
| Source: | Code function: | 0_2_00F87BF4 | |
| Source: | Code function: | 0_2_00FBBBE2 | |
| Source: | Code function: | 0_2_00F90B95 | |
| Source: | Code function: | 0_2_00F90B95 | |
| Source: | Code function: | 0_2_00F78B72 | |
| Source: | Code function: | 0_2_00FB0B62 | |
| Source: | Code function: | 0_2_00FA4B4C | |
| Source: | Code function: | 0_2_00FB2B02 | |
| Source: | Code function: | 0_2_00F84DDD | |
| Source: | Code function: | 0_2_00FA1DB2 | |
| Source: | Code function: | 0_2_00F99DA7 | |
| Source: | Code function: | 0_2_00F95D92 | |
| Source: | Code function: | 0_2_00FBBD62 | |
| Source: | Code function: | 0_2_00FB8D52 | |
| Source: | Code function: | 0_2_00FB0EF0 | |
| Source: | Code function: | 0_2_00F7BEE2 | |
| Source: | Code function: | 0_2_00F7BEE2 | |
| Source: | Code function: | 0_2_00FA3ED2 | |
| Source: | Code function: | 0_2_00FBBED2 | |
| Source: | Code function: | 0_2_00F9FEC1 | |
| Source: | Code function: | 0_2_00FA4E2D | |
| Source: | Code function: | 0_2_00FB4E22 | |
| Source: | Code function: | 0_2_00FA4E18 | |
| Source: | Code function: | 0_2_00FA0E11 | |
| Source: | Code function: | 0_2_00FBBFE2 | |
| Source: | Code function: | 0_2_00FA3EB7 | |
| Source: | Code function: | 0_2_00FA3F33 | |
| Source: | Code function: | 0_2_0426F7B0 | |
| Source: | Code function: | 0_2_042AA1E0 | |
| Source: | Code function: | 0_2_0429342B | |
| Source: | Code function: | 0_2_042A3420 | |
| Source: | Code function: | 0_2_0428F40F | |
| Source: | Code function: | 0_2_04293419 | |
| Source: | Code function: | 0_2_0426A4E0 | |
| Source: | Code function: | 0_2_0426A4E0 | |
| Source: | Code function: | 0_2_0429F4EE | |
| Source: | Code function: | 0_2_0428E4C2 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 0_2_00424260 | |
| Source: | Code function: | 0_2_00424260 | |
| Source: | Code function: | 0_2_00422070 | |
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Code function: | 0_2_00FCC583 | |
| Source: | Code function: | 0_2_0045D070 | |
| Source: | Code function: | 0_2_0041D0B0 | |
| Source: | Code function: | 0_2_0050E640 | |
| Source: | Code function: | 0_2_0043D090 | |
| Source: | Code function: | 0_2_0050F158 | |
| Source: | Code function: | 0_2_0050715B | |
| Source: | Code function: | 0_2_004E9350 | |
| Source: | Code function: | 0_2_004133B0 | |
| Source: | Code function: | 0_2_0049B470 | |
| Source: | Code function: | 0_2_0050E674 | |
| Source: | Code function: | 0_2_0044B630 | |
| Source: | Code function: | 0_2_0051B680 | |
| Source: | Code function: | 0_2_0045F770 | |
| Source: | Code function: | 0_2_004237D0 | |
| Source: | Code function: | 0_2_004C3850 | |
| Source: | Code function: | 0_2_004C28B0 | |
| Source: | Code function: | 0_2_0050F955 | |
| Source: | Code function: | 0_2_0050F974 | |
| Source: | Code function: | 0_2_0044AB40 | |
| Source: | Code function: | 0_2_004AEBE0 | |
| Source: | Code function: | 0_2_0040FD70 | |
| Source: | Code function: | 0_2_00514E40 | |
| Source: | Code function: | 0_2_00441E60 | |
| Source: | Code function: | 0_2_00FCC583 | |
| Source: | Code function: | 0_2_00F7055F | |
| Source: | Code function: | 0_2_00FA80E2 | |
| Source: | Code function: | 0_2_00F831C2 | |
| Source: | Code function: | 0_2_00FBC2B2 | |
| Source: | Code function: | 0_2_00F75292 | |
| Source: | Code function: | 0_2_00F7A252 | |
| Source: | Code function: | 0_2_00FA8372 | |
| Source: | Code function: | 0_2_00F7C402 | |
| Source: | Code function: | 0_2_00FCD5C4 | |
| Source: | Code function: | 0_2_00F9D652 | |
| Source: | Code function: | 0_2_00FA9792 | |
| Source: | Code function: | 0_2_00F798B2 | |
| Source: | Code function: | 0_2_00F7E802 | |
| Source: | Code function: | 0_2_00F9B99B | |
| Source: | Code function: | 0_2_00F7CAE2 | |
| Source: | Code function: | 0_2_00F7DA82 | |
| Source: | Code function: | 0_2_00FA9A42 | |
| Source: | Code function: | 0_2_00F73A08 | |
| Source: | Code function: | 0_2_00F90B95 | |
| Source: | Code function: | 0_2_00F72CB5 | |
| Source: | Code function: | 0_2_00FAFCA2 | |
| Source: | Code function: | 0_2_00FB9DB2 | |
| Source: | Code function: | 0_2_00F72D5B | |
| Source: | Code function: | 0_2_00F76EFD | |
| Source: | Code function: | 0_2_00F7BEE2 | |
| Source: | Code function: | 0_2_00F76EB2 | |
| Source: | Code function: | 0_2_00F78EB2 | |
| Source: | Code function: | 0_2_00F72E8E | |
| Source: | Code function: | 0_2_00F72E1A | |
| Source: | Code function: | 0_2_00F72FB3 | |
| Source: | Code function: | 0_2_00F7CF72 | |
| Source: | Code function: | 0_2_04261418 | |
| Source: | Code function: | 0_2_042654B0 | |
| Source: | Code function: | 0_2_042674B0 | |
| Source: | Code function: | 0_2_0426148C | |
| Source: | Code function: | 0_2_0426A4E0 | |
| Source: | Code function: | 0_2_042654FB | |
| Source: | Process created: | ||
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Matched rule: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_004030E0 | |
| Source: | Code function: | 0_2_004D3270 | |
| Source: | Code function: | 0_2_0043E991 | |
| Source: | Code function: | 0_2_0041D320 | |
| Source: | Code function: | 0_2_0041CE80 | |
| Source: | Code function: | 0_2_00F70C6F | |
| Source: | Code function: | 0_2_0429F006 | |
| Source: | Code function: | 0_2_004D3220 | |
| Source: | Code function: | 0_2_0041D320 | |
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_0050E640 | |
| Source: | Code function: | 0_2_0041E4B6 | |
| Source: | Code function: | 0_2_0041E4F0 | |
| Source: | Code function: | 0_2_004CB572 | |
| Source: | Code function: | 0_2_0041E6F3 | |
| Source: | Code function: | 0_2_004486A2 | |
| Source: | Code function: | 0_2_0041E99C | |
| Source: | Code function: | 0_2_004268B2 | |
| Source: | Code function: | 0_2_004CBA12 | |
| Source: | Code function: | 0_2_0041EC2B | |
| Source: | Code function: | 0_2_00419A34 | |
| Source: | Code function: | 0_2_004ECB42 | |
| Source: | Code function: | 0_2_00486C06 | |
| Source: | Code function: | 0_2_00486C2D | |
| Source: | Code function: | 0_2_00502C61 | |
| Source: | Code function: | 0_2_00506C38 | |
| Source: | Code function: | 0_2_0041BFEB | |
| Source: | Code function: | 0_2_00FB2308 | |
Persistence and Installation Behavior | |
|---|
| Source: | Code function: | 0_2_0045D070 | |
| Source: | Code function: | 0_2_0045CD20 | |
Boot Survival | |
|---|
| Source: | Code function: | 0_2_0045D070 | |
| Source: | Code function: | 0_2_0045CD20 | |
| Source: | Code function: | 0_2_0041CDA0 | |
| Source: | Code function: | 0_2_004CDA40 | |
| Source: | Code function: | 0_2_00489C60 | |
| Source: | Code function: | 0_2_00489C60 | |
| Source: | Code function: | 0_2_00489D10 | |
| Source: | Code function: | 0_2_00489D10 | |
| Source: | Code function: | 0_2_00417E90 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | API coverage: | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | Code function: | 0_2_00477BE0 | |
| Source: | Code function: | 0_2_00495D80 | |
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_0-72463 | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_042A6730 | |
| Source: | Code function: | 0_2_0050E173 | |
| Source: | Code function: | 0_2_0050E173 | |
| Source: | Code function: | 0_2_0050E640 | |
| Source: | Code function: | 0_2_00F7055F | |
| Source: | Code function: | 0_2_00F70B1F | |
| Source: | Code function: | 0_2_00F7116F | |
| Source: | Code function: | 0_2_00F7116E | |
| Source: | Code function: | 0_2_00F70ECF | |
| Source: | Code function: | 0_2_005068B4 | |
| Source: | Code function: | 0_2_0050709C | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 0_2_00477990 | |
| Source: | Code function: | 0_2_00485BE0 | |
| Source: | Code function: | 0_2_00485D60 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_00414200 | |
| Source: | Code function: | 0_2_00476750 | |
| Source: | Code function: | 0_2_004A83C0 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | Code function: | 0_2_0040D05C | |
| Source: | Code function: | 0_2_0040D0B0 | |
| Source: | Code function: | 0_2_0040CDF0 | |
| Source: | Code function: | 0_2_0040CEEC | |
| Source: | Code function: | 0_2_0040CF40 | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Deobfuscate/Decode Files or Information | 1 Input Capture | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 Native API | 12 Windows Service | 1 Access Token Manipulation | 3 Obfuscated Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Input Capture | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 12 Service Execution | 1 Bootkit | 12 Windows Service | 1 DLL Side-Loading | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 2 Clipboard Data | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | 1 PowerShell | Login Hook | 1 Process Injection | 2 Virtualization/Sandbox Evasion | NTDS | 35 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Access Token Manipulation | LSA Secrets | 51 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Process Injection | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Bootkit | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 11% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| defenddsouneuw.shop | 188.114.97.3 | true | true | unknown | |
| racedsuitreow.shop | unknown | unknown | true | unknown | |
| candleduseiwo.shop | unknown | unknown | true | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true | unknown | ||
| true | unknown | ||
| true | unknown | ||
| true | unknown | ||
| true | unknown | ||
| true | unknown | ||
| true | unknown | ||
| true | unknown | ||
| true | unknown | ||
| true | unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false |
| unknown | ||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 188.114.97.3 | defenddsouneuw.shop | European Union | 13335 | CLOUDFLARENETUS | true |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1520450 |
| Start date and time: | 2024-09-27 11:17:22 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 49s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 12 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | bfINGx7hvL.exerenamed because original name is a hash value |
| Original Sample Name: | 80c2a36e9a14e3edba0b706d2433d9b8.exe |
| Detection: | MAL |
| Classification: | mal88.troj.evad.winEXE@4/13@3/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 13.89.179.12
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
- Report size exceeded maximum capacity and may have missing disassembly code.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: bfINGx7hvL.exe
| Time | Type | Description |
|---|---|---|
| 05:18:25 | API Interceptor | |
| 05:18:48 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 188.114.97.3 | Get hash | malicious | FormBook | Browse |
| |
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| defenddsouneuw.shop | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | LummaC, Go Injector, LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC, Vidar | Browse |
| ||
| Get hash | malicious | LummaC, Go Injector, LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC, Vidar | Browse |
| ||
| Get hash | malicious | LummaC, Vidar | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC, Vidar | Browse |
| ||
| Get hash | malicious | LummaC, Stealc, Vidar | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Cobalt Strike, Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
⊘No context
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bfINGx7hvL.exe_9323de2f2a6f2f2bf9691b888041d1d3296010_0da6e983_efc1c1f2-ef10-4114-96e4-d1a284fc9b7c\Report.wer 
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 1.0893490661153473 |
| Encrypted: | false |
| SSDEEP: | 192:AdBTAGJ8DfWD0WbkrjZaZr8kF9WzuiFNZ24IO8W8y:GBTNkWwWbkrjCWzuiFNY4IO8W8 |
| MD5: | F290454BBD60B8C65058EABAECC8C30A |
| SHA1: | CE4EEDE59E52AFEA4D6A52AD421E7A8FAF60D67C |
| SHA-256: | 245F5024232DD2D0452C0A0DA5DB8FBC44C0FF2B1148AB5A22EDE2C504BAF838 |
| SHA-512: | 153E73AB47C0D8EAFB03DE3F8169A3759F64A593409F936467CBA62012710013FA1531B2A2DEA95FECA16343FE775E5DBAA3C49E00D80F56ED1847B2C084F2EE |
| Malicious: | true |
| Reputation: | low |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bfINGx7hvL.exe_b2c5d0224beae675fda7c01c57cba19d402078_0da6e983_9c4e44b6-c5e5-47b8-8186-b9802dcb5e27\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 1.090824335159926 |
| Encrypted: | false |
| SSDEEP: | 192:hJTAGJ8DfW80Nvw4sjZaZr8kF9WzuiFNZ24IO8W8yE:PTNkW3NvwZjCWzuiFNY4IO8W8P |
| MD5: | E053C0698249D9AD60042A1494F778B1 |
| SHA1: | BD908D03ECCFB3BC5766EF6C3084518667DBF58A |
| SHA-256: | D4286AC297D573B7FB228981996250BA179BD9E36DB65C6112989DFD386493D5 |
| SHA-512: | E13515519556BF880AE70516D162BC31C848A8D530D253E3FFC0B358B8B34DB5229950FD58766FC06B947BA4D11FE510D12BB4C474A13CC08AE146DC1D83A689 |
| Malicious: | true |
| Reputation: | low |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bfINGx7hvL.exe_d6c1667ab283d126154324f80fd21f5eda59e7d_0da6e983_01f5966f-efa9-4ec3-a2c8-5407a75e0685\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 1.0908726752260014 |
| Encrypted: | false |
| SSDEEP: | 192:KzN4TAGJ8DfaZ00tG9jZaZr8kF9WzuiFNZ24IO8W8y:04TNka60tG9jCWzuiFNY4IO8W8 |
| MD5: | 9CE7B3DF254ABE4B731D36F85AA08861 |
| SHA1: | 93647530B7F9D5D053AD7480DE26C9BD822302A0 |
| SHA-256: | 34E3B42832317F339C47C0464DE477DD80B68267EB185DB69FCF4104E00E5869 |
| SHA-512: | 5B577C25C1768C4B33494DC65E96525DAADB3EB0584E0189663D97D2B7CFAA435D0415B3093313D9D81E856C23670226A6CBA8F64728BB27DCA958D4C00AABD3 |
| Malicious: | true |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 116020 |
| Entropy (8bit): | 2.1959770550796036 |
| Encrypted: | false |
| SSDEEP: | 384:e7KzTJJBmuJzjkkq25y1N4q8SM/UNMYW7+iQ9TgVy:8KzNJBmuyTs5U9MLy |
| MD5: | 46BDC6C6E48A9FA6468DFA06D7C79FD9 |
| SHA1: | 4A6730191C6AA49F373630E7F885D8A18735AD25 |
| SHA-256: | 39A01FB3390CDAC8DF0911B4618417ADA529F24216CE46EFFAA22F937B3CF6F5 |
| SHA-512: | 80D17916A30CE3B2B7286275A7C18937A9286C5EB25B40094B5E58F5C667E512188ACAB4CE8D2F9BD822EFB1386C1B72A4B02A351934FEBDA88B4BE01B72D03E |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8358 |
| Entropy (8bit): | 3.702245252995401 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJSr6JI6YEIbSUZYAgmfdJwQvZBpr589bvmsf1lm:R6lXJG6m6YEkSUZYAgmfdJwTvFfW |
| MD5: | 91C0B06EE62C35C10BF8CC55E2C4E49A |
| SHA1: | E929DC5C862FBEF41851F3AC95B139894BB089F1 |
| SHA-256: | 66F0C77C610B22938BB45208FA7C6ED369F017CF84A751ED5AEEA07AC89421D1 |
| SHA-512: | 71910EDF85A61273438E904449584E489B7D138D0176C2D8ADE305A061605632CDF69B971F1C6C62C807C0DF34CDC8EC40224E51BA016169DA177AC34BD5AADD |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4665 |
| Entropy (8bit): | 4.478896200033494 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zshJg77aI9C9WpW8VYjknYm8M4JnFFP+q8uCm0AvaUd:uIjfzI7UM7VR6JP4m0AvaUd |
| MD5: | FEB1AA1D748F028D4BD44E83F2C16514 |
| SHA1: | EE10EC5FB83570AD47125E7A20564C276E557AAF |
| SHA-256: | ED8B5B95E3CD339BAAA52AF28B0C935D6F5398280D9C2A8AACA1E17B513A6E02 |
| SHA-512: | D48A48B3EF8D2415B827813E93D495796B085A539F0827E0D9337BABCE98F770AD19DF5E73381E683C3A5176C8E8B8B076BAC673F92264A8DB4AA3C7080649B8 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 122594 |
| Entropy (8bit): | 2.1568463331579273 |
| Encrypted: | false |
| SSDEEP: | 384:y5d9Pjplb6JB4Lx3r3k12Ry1N4q8a8CFVHQq3aYjc5ag:yHPnb6JB4LZoc0Daslg |
| MD5: | 48CD81C64EEEF47C28F2A99D4C3428EA |
| SHA1: | E4033257F3D64B48B6CC249DDB50669FAAEACE88 |
| SHA-256: | BA3EC80D559AF092CF720889603CC0B2813E2660308CA98B8BF0AD39E8E98ED7 |
| SHA-512: | A68F095921D2E5126CFFC02625C70549A9F2DE598A425BBB0D10A8241FFE7A98D6B189A1BCCC4CC4B462FC8452617A4CC5C4EF63741A973391A3A1BD67F7A2AD |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8344 |
| Entropy (8bit): | 3.7018629473870313 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJS36wd6YEIESU8YZgmfdJvhZBpDG89b3msfPdm:R6lXJ66q6YE7SU8YZgmfdJvj3FfY |
| MD5: | F3664FB7B941E518B0A3DD7A0D6E6407 |
| SHA1: | 5986F02BCC0D1F6802414FC41DCEAFDF054F3505 |
| SHA-256: | 30054088FC0AA8B59C71B9668548A3C85C90E6A8B43069075C033C63A7128F89 |
| SHA-512: | D1167333CD6AB12DDE8D19DA40E1E7C98820B8C28070FFD1A55C81BCABCD5426CD4B76AD019B093AB024A7EAF5588E8861F16AB03C858BD4B9229EF59CDBBDAA |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4665 |
| Entropy (8bit): | 4.47905190113051 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zshJg77aI9C9WpW8VYjkP0Ym8M4JnMFnTY+q8uvm0AvaUd:uIjfzI7UM7VR5J9Vm0AvaUd |
| MD5: | BEE259A03AC67F1F590AC582B9F2D6E1 |
| SHA1: | D3087D286AAD553D798980F877A8A1DBA25983DC |
| SHA-256: | 95BD1CA767CC6B6CCDB7D82BDF4E1505C6F47759135379215ABEA23671453479 |
| SHA-512: | 154FF7C76AD6CABC3AA44641D5B0EFB52342EB31909629A05ED70F535FFF6CC7326D2E57F489B162272876AD38B0D07C39DD37AA715761A0C068DA82C4659493 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 52174 |
| Entropy (8bit): | 2.5931634294226327 |
| Encrypted: | false |
| SSDEEP: | 192:Evs5qm9Va4aaU/IJEeOq+LB0kAm7WYe0pYw7jGhSxnSoQkrfWHpx3KWt3:ssAm9V6/IKJB0krWwGotK8fWHptKWZ |
| MD5: | 24508E5DAEAC9D9BF15547438D9E12EF |
| SHA1: | 8CB45D2E67C3B6563850FB012CF97FC5C4C81CC6 |
| SHA-256: | C482B2A8631F6B9FD4C766EBB76B4CCDF92495D8807AEF700AC85DADA0FF6A89 |
| SHA-512: | 110E1D89638FE0072515932EE5C79F293F9135BB6791423C9A352F28958BB914022057EB22BD10678835FCECA94E259D9876D601E0D6FD5F4F3C8439D6970B62 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8336 |
| Entropy (8bit): | 3.690827908503196 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJS76bO16YEIySU9YJgmfJBZBpDt89bemsf+qm:R6lXJW6C16YE9SU9YJgmfJmeFfa |
| MD5: | 0F38DF3B718E735F71786F9EF1B4D84B |
| SHA1: | 4199042B3BDDEEB48E72A0A4E007C7878B121D7F |
| SHA-256: | 8962CDA06981F4C47D9F251E873BA78DFCDFD160CD6A69DA762C60DC793AAC7B |
| SHA-512: | 4C7824C769BD1FA6CC2F99A67AE8F73418FC5FB887D48B8D7E533BC0DFCF6501251CB37611FE3F669CBCA5D2E5408116A1C160B3C818005CDB85E72144BA9B70 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4655 |
| Entropy (8bit): | 4.483781642776661 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zshJg77aI9C9WpW8VYjkGYm8M4JnEFZl+q8qbm0AvaUd:uIjfzI7UM7VRvJaPm0AvaUd |
| MD5: | DB0F786353A56A059128BB2641DCBEA8 |
| SHA1: | 875B9B7AA0CDCC8B8C73D4D5E53789A969C2EE5F |
| SHA-256: | 05BA74BDD22B1D713E7CEF7E7AA40FAC93E4568589D85F479E8EAC28CE3B7348 |
| SHA-512: | 59E335F9DD34E350E9E9240429EA121DD7E44C5FB973E99E4FC93FC52342A8278B1B9FA3A8AA025F4A37A2051F23D674363E9C73BAA3F17D0600C1C67B650CE9 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1835008 |
| Entropy (8bit): | 4.422001956142086 |
| Encrypted: | false |
| SSDEEP: | 6144:bSvfpi6ceLP/9skLmb0OTrWSPHaJG8nAgeMZMMhA2fX4WABlEnNL0uhiTw:GvloTrW+EZMM6DFyR03w |
| MD5: | B10564D29A0669756B5AEC6C747236EB |
| SHA1: | 405605CA84D35499410DDEE405CF348AB35B4F6E |
| SHA-256: | 48D54BED390627A1E6D3C4C6F406B493085014A8AE5939CCDAA681521F431A49 |
| SHA-512: | A8DFD2EE672B2CAB11F10300D76D6EBEF124BAA6CE1740436F9753162441ECAE9C9CE3AF586DCF3D672B68D6BBD1E20BEF0FD41E48C009E932ACC32D24322CD1 |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.8419429623745796 |
| TrID: |
|
| File name: | bfINGx7hvL.exe |
| File size: | 2'881'672 bytes |
| MD5: | 80c2a36e9a14e3edba0b706d2433d9b8 |
| SHA1: | 03ac191b235b3a867539720070a5e6ca1108b4f2 |
| SHA256: | 154dae39845abef889af814bd6ad84283374c90ecece891addc362384afdd882 |
| SHA512: | ac030656796130a3949e66f537044a27630c43b5827dd252cfab9c215e1b51ddd279f6f82911b1c728b19ac110b0a41d8d5ccef32fee97e07407b77b89728c8b |
| SSDEEP: | 49152:MBjwz++TjZgdXCs6xTqVRoITZE87wajH/Qc9d1OF:yoz37p805cVO |
| TLSH: | 3FD5BF207AD2C17BF9623A71996E9A5F851CAE65072425CFD3C82F3B14B11D30F3B866 |
| File Content Preview: | MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......g..Y#...#...#...^...'...^.........4.>...........*.o."...e...'.......d...*.h.+...*.x.8...#.......^.........0."...#.|."...^.5.".. |
 | |
| Icon Hash: | 0fbcaaba5e4d3b96 |
| Entrypoint: | 0x5023df |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
| DLL Characteristics: | NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x5DBBA4BA [Fri Nov 1 03:21:30 2019 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 1 |
| File Version Major: | 5 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 1 |
| Import Hash: | 03338d7801a2b5a198bb18f8db55defc |
| Signature Valid: | false |
| Signature Issuer: | CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US |
| Signature Validation Error: | The digital signature of the object did not verify |
| Error Number: | -2146869232 |
| Not Before, Not After |
|
| Subject Chain |
|
| Version: | 3 |
| Thumbprint MD5: | 92752B174F7C723F0CC41304EC6F2BF5 |
| Thumbprint SHA-1: | A61B43AB9020B370EAF63D363ECEFE93644E7C00 |
| Thumbprint SHA-256: | 456511D983C06A5C4E9D7950FBB8EE0F018B5D0D0ECEC02B5A5779EB1BB62047 |
| Serial: | 6BAFEC00E2A345C442D36011054E9156 |
| Instruction |
|---|
| call 00007F7D284F007Ch |
| jmp 00007F7D284E7AC4h |
| push ebp |
| mov ebp, esp |
| cmp dword ptr [ebp+14h], 0Ah |
| mov eax, dword ptr [ebp+08h] |
| jne 00007F7D284E7C4Ch |
| test eax, eax |
| jns 00007F7D284E7C48h |
| push 00000001h |
| push 0000000Ah |
| jmp 00007F7D284E7C47h |
| push 00000000h |
| push dword ptr [ebp+14h] |
| push dword ptr [ebp+10h] |
| push dword ptr [ebp+0Ch] |
| push eax |
| call 00007F7D284E7C47h |
| pop ebp |
| ret |
| push ebp |
| mov ebp, esp |
| mov ecx, dword ptr [ebp+0Ch] |
| push esi |
| test ecx, ecx |
| jne 00007F7D284E7C58h |
| call 00007F7D284EAA6Fh |
| push 00000016h |
| pop esi |
| mov dword ptr [eax], esi |
| call 00007F7D284E8F8Ch |
| mov eax, esi |
| jmp 00007F7D284E7D12h |
| cmp dword ptr [ebp+10h], 00000000h |
| push ebx |
| push edi |
| jnbe 00007F7D284E7C4Fh |
| call 00007F7D284EAA51h |
| push 00000016h |
| pop esi |
| jmp 00007F7D284E7CD0h |
| mov edx, dword ptr [ebp+18h] |
| xor eax, eax |
| test edx, edx |
| mov word ptr [ecx], ax |
| setne al |
| inc eax |
| cmp dword ptr [ebp+10h], eax |
| jnbe 00007F7D284E7C4Bh |
| call 00007F7D284EAA31h |
| push 00000022h |
| jmp 00007F7D284E7C20h |
| mov eax, dword ptr [ebp+14h] |
| push 00000022h |
| add eax, FFFFFFFEh |
| pop esi |
| cmp eax, esi |
| jnbe 00007F7D284E7C0Ch |
| xor eax, eax |
| mov edi, ecx |
| test edx, edx |
| mov dword ptr [ebp+18h], eax |
| mov edx, dword ptr [ebp+08h] |
| je 00007F7D284E7C53h |
| push 0000002Dh |
| pop eax |
| mov word ptr [ecx], ax |
| lea edi, dword ptr [ecx+02h] |
| xor eax, eax |
| inc eax |
| neg edx |
| mov dword ptr [ebp+18h], eax |
| mov ecx, dword ptr [ebp+18h] |
| mov ebx, edi |
| mov eax, edx |
| xor edx, edx |
| div dword ptr [ebp+14h] |
| mov dword ptr [ebp+08h], edx |
| mov edx, eax |
| mov eax, dword ptr [ebp+08h] |
| cmp eax, 09h |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1a8bbc | 0xf0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1c1000 | 0x103800 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x2bbe00 | 0x3a88 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x152700 | 0x38 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x187388 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x152000 | 0x670 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x15023b | 0x150400 | a16295d8aabeb815e0c8ce1b49aab5ec | False | 0.41534618959107805 | data | 6.43156073321857 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x152000 | 0x591d4 | 0x59200 | 263f1ff904dcfe7fff4c839714c982b5 | False | 0.34967237903225806 | data | 5.286006215249929 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x1ac000 | 0x14be8 | 0xec00 | d9e6311eecf19ebd8ec7db1fb4601a65 | False | 0.11503575211864407 | data | 5.0524952240728895 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x1c1000 | 0x103800 | 0x103800 | 7adea4981b19683c3b443d69a670beee | False | 0.7638101743135838 | data | 7.279642178060126 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| BIN | 0x20f680 | 0x56c71 | data | English | United States | 1.0003263551475492 |
| RT_CURSOR | 0x2662f8 | 0x134 | data | English | United States | 0.36038961038961037 |
| RT_CURSOR | 0x266448 | 0x138 | data | English | United States | 0.38461538461538464 |
| RT_ICON | 0x1c1630 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 270336 | English | United States | 0.24087936799124182 |
| RT_ICON | 0x203658 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.36401747756258857 |
| RT_ICON | 0x207880 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.3966804979253112 |
| RT_ICON | 0x209e28 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.6053001876172608 |
| RT_ICON | 0x20aed0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.603688524590164 |
| RT_ICON | 0x20b858 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.7056737588652482 |
| RT_ICON | 0x20bcc0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304 | English | United States | 0.5652985074626866 |
| RT_ICON | 0x20cb68 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024 | English | United States | 0.7964801444043321 |
| RT_ICON | 0x20d410 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576 | English | United States | 0.7874423963133641 |
| RT_ICON | 0x20dad8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256 | English | United States | 0.833092485549133 |
| RT_ICON | 0x20e040 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.36585365853658536 |
| RT_ICON | 0x20e6a8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.510752688172043 |
| RT_ICON | 0x20e990 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | English | United States | 0.5532786885245902 |
| RT_ICON | 0x20eb78 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.6554054054054054 |
| RT_ICON | 0x20ed70 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.7056737588652482 |
| RT_ICON | 0x20f1f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.724290780141844 |
| RT_STRING | 0x2668b8 | 0x5c | data | English | United States | 0.6630434782608695 |
| RT_ACCELERATOR | 0x20f670 | 0x10 | data | English | United States | 1.25 |
| RT_GROUP_CURSOR | 0x266430 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
| RT_GROUP_CURSOR | 0x266580 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
| RT_GROUP_ICON | 0x20eca0 | 0xca | data | English | United States | 0.5841584158415841 |
| RT_GROUP_ICON | 0x20f1d8 | 0x14 | data | English | United States | 1.25 |
| RT_GROUP_ICON | 0x20f658 | 0x14 | data | English | United States | 1.25 |
| RT_VERSION | 0x266598 | 0x31c | data | English | United States | 0.46984924623115576 |
| RT_MANIFEST | 0x266918 | 0x359 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (797), with CRLF line terminators | English | United States | 0.5367561260210035 |
| DLL | Import |
|---|---|
| KERNEL32.dll | GetWindowsDirectoryW, LoadLibraryW, GetProcAddress, FreeLibrary, CreateDirectoryW, GetDateFormatW, SystemTimeToFileTime, GetLocaleInfoW, GetTimeFormatW, FileTimeToSystemTime, FormatMessageW, ReadConsoleW, GetCurrentThreadId, OpenFileMappingW, OpenMutexW, CreateMutexW, lstrcatW, lstrlenW, lstrcpynW, GlobalFree, GlobalUnlock, GlobalLock, GlobalAlloc, OutputDebugStringW, GetDriveTypeW, GetVolumeInformationW, FlushViewOfFile, MapViewOfFile, CreateFileMappingW, GetCurrentProcessId, GetModuleFileNameW, GetModuleHandleW, WaitForMultipleObjects, SetErrorMode, VirtualFree, FlushInstructionCache, VirtualAlloc, GetVersionExA, LoadResource, LockResource, SizeofResource, FindResourceW, VirtualProtect, TryEnterCriticalSection, InitializeCriticalSection, FlushFileBuffers, WriteConsoleW, SetStdHandle, HeapReAlloc, LoadLibraryExW, GetConsoleMode, GetConsoleCP, LeaveCriticalSection, EnterCriticalSection, FreeEnvironmentStringsW, GetEnvironmentStringsW, DeleteCriticalSection, GetFileType, LCMapStringW, GetStringTypeW, GetStartupInfoW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, TerminateProcess, InitializeCriticalSectionAndSpinCount, SetUnhandledExceptionFilter, UnhandledExceptionFilter, HeapSize, GetStdHandle, AreFileApisANSI, GetModuleHandleExW, ExitProcess, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, RtlUnwind, FindClose, FileTimeToLocalFileTime, FindFirstFileW, LocalFree, SetFilePointerEx, DeleteFileW, GetFileAttributesW, GetDiskFreeSpaceExW, TerminateThread, CreateEventW, SetEvent, Sleep, DeviceIoControl, GetDiskFreeSpaceW, GetVolumePathNameW, MultiByteToWideChar, WideCharToMultiByte, GetVersionExW, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObject, CreateThread, SetLastError, GetFileSizeEx, ReadFile, GetLastError, WriteFile, GetLocalTime, CloseHandle, SetFilePointer, CreateFileW, RaiseException, GetCommandLineW, GetSystemTimeAsFileTime, IsProcessorFeaturePresent, IsDebuggerPresent, DecodePointer, EncodePointer, GetFileAttributesExW, GetLongPathNameW, GetEnvironmentVariableW, GetFullPathNameW, GetProcessHeap, GetLogicalDrives, HeapFree, GetCurrentProcess, HeapAlloc, SetEndOfFile |
| USER32.dll | SetFocus, IsWindow, IsWindowVisible, SetClipboardData, EmptyClipboard, UpdateLayeredWindow, TrackPopupMenu, AppendMenuW, GetMenuStringW, CreatePopupMenu, GetSystemMenu, EndPaint, BeginPaint, DestroyWindow, UnregisterClassW, TrackMouseEvent, ClientToScreen, SetCapture, ReleaseCapture, GetWindowRect, GetKeyState, EnumDisplayDevicesW, EnumDisplaySettingsW, IsIconic, SetWindowPos, SetActiveWindow, IsWindowEnabled, EnableWindow, SystemParametersInfoW, GetMessageW, TranslateMessage, DispatchMessageW, PostQuitMessage, SetTimer, KillTimer, MoveWindow, GetDC, ReleaseDC, SetWindowLongW, CallWindowProcW, GetWindowLongW, GetDlgItem, DrawTextW, CreateWindowExW, RedrawWindow, GetSystemMetrics, OpenClipboard, GetClipboardData, CloseClipboard, GetWindow, GetPropW, MessageBoxW, ShowWindow, GetDesktopWindow, GetParent, SetCursorPos, mouse_event, PostThreadMessageW, PostMessageA, SetForegroundWindow, SetPropW, LoadIconW, ShowCursor, GetCursorPos, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, PeekMessageW, EnumWindows, EnumChildWindows, GetWindowTextW, GetClassNameW, PostMessageW, SendMessageW, PtInRect, DefWindowProcW, SetMenuDefaultItem, DestroyMenu, EnableMenuItem, DestroyIcon, LoadImageW, RegisterClassExW, RegisterWindowMessageW, EndDialog, GetActiveWindow, IsZoomed, SetWindowPlacement, GetWindowPlacement, UnregisterHotKey, RegisterHotKey |
| GDI32.dll | DeleteObject, EnumFontFamiliesW, SelectObject, GetStockObject, CreateCompatibleDC, DeleteDC, CreateDIBSection |
| COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW |
| ADVAPI32.dll | RegDeleteValueW, RegSetValueExW, GetUserNameW, GetSidSubAuthority, GetSidSubAuthorityCount, GetSidIdentifierAuthority, LookupAccountNameW, RegEnumKeyW, RegQueryValueExW, RegOpenKeyExW, StartServiceW, ControlService, DeleteService, ChangeServiceConfig2W, CreateServiceW, CloseServiceHandle, QueryServiceStatus, OpenServiceW, OpenSCManagerW, RegDeleteKeyW, RegCloseKey, RegOpenKeyW, RegCreateKeyExW, OpenProcessToken, GetTokenInformation, RegCreateKeyW, RegSetValueW, RegEnumKeyExW, LookupPrivilegeValueW, AdjustTokenPrivileges, AllocateAndInitializeSid, EqualSid, FreeSid, CryptAcquireContextA, CryptReleaseContext, CryptGenRandom |
| SHELL32.dll | ShellExecuteExW, SHFormatDrive, SHGetFileInfoW, SHChangeNotify, SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHGetFolderPathW, DragQueryFileW, Shell_NotifyIconW, SHFileOperationW, ShellExecuteW, SHAddToRecentDocs, SHGetSpecialFolderPathW |
| ole32.dll | RevokeDragDrop, CoInitializeEx, CoInitializeSecurity, CoUninitialize, CoCreateInstance, CoTaskMemFree, ReleaseStgMedium, OleUninitialize, OleInitialize, RegisterDragDrop, CreateStreamOnHGlobal |
| RPCRT4.dll | NdrClientCall2, RpcBindingFromStringBindingW, RpcBindingFree, RpcEpResolveBinding, RpcStringFreeW, RpcStringBindingComposeW |
| gdiplus.dll | GdipCreatePen1, GdipDeleteStringFormat, GdipSetStringFormatAlign, GdipGetRegionBounds, GdipGetRegionScansI, GdipGetRegionScansCount, GdipClonePen, GdiplusShutdown, GdiplusStartup, GdipAddPathRectangleI, GdipDrawEllipse, GdipDrawPath, GdipFillRectangleI, GdipSetSolidFillColor, GdipSetSmoothingMode, GdipCreateBitmapFromGraphics, GdipSetLineColors, GdipAddPathPath, GdipSetPathMarker, GdipStartPathFigure, GdipAddPathLine, GdipGetPathLastPoint, GdipDrawImageRectRectI, GdipSetImageAttributesColorMatrix, GdipDisposeImageAttributes, GdipCreateImageAttributes, GdipDeleteFont, GdipCreateFontFromLogfontW, GdipCreateFontFromDC, GdipCreateFontFamilyFromName, GdipDeleteFontFamily, GdipGetGenericFontFamilySansSerif, GdipCreateFont, GdipDrawImageI, GdipGetImageGraphicsContext, GdipBitmapSetResolution, GdipGetImageVerticalResolution, GdipGetImageHorizontalResolution, GdipCreateBitmapFromScan0, GdipLoadImageFromStream, GdipGetFontHeightGivenDPI, GdipSetPenDashStyle, GdipBitmapSetPixel, GdipBitmapGetPixel, GdipCloneBitmapAreaI, GdipCloneImage, GdipDisposeImage, GdipSetTextRenderingHint, GdipDeleteGraphics, GdipCreateFromHDC, GdipSetLinePresetBlend, GdipCreateLineBrushI, GdipSetPathGradientCenterColor, GdipCreateTexture, GdipCreateLineBrush, GdipSetPenColor, GdipSetPenDashArray, GdipDeletePen, GdipMeasureCharacterRanges, GdipDrawString, GdipCreateSolidFill, GdipMeasureString, GdipSetStringFormatFlags, GdipSetStringFormatTrimming, GdipAddPathLineI, GdipClosePathFigure, GdipAddPathArcI, GdipResetPath, GdipCreateHatchBrush, GdipSetPathGradientFocusScales, GdipSetPathGradientPresetBlend, GdipCloneBrush, GdipSetStringFormatMeasurableCharacterRanges, GdipCloneStringFormat, GdipSetStringFormatTabStops, GdipFillPie, GdipAlloc, GdipFree, GdipDeleteBrush, GdipCreatePathGradientFromPath, GdipDeleteRegion, GdipCreateRegion, GdipDeletePath, GdipCreatePath, GdipGetImageWidth, GdipGetImageHeight, GdipSetStringFormatLineAlign, GdipGraphicsClear, GdipGetDpiX, GdipGetDpiY, GdipSetClipPath, GdipSetClipRectI, GdipSetClipRegion, GdipGetClip, GdipTranslateWorldTransform, GdipCreateMatrix, GdipDeleteMatrix, GdipDrawLine, GdipSetImageAttributesGamma, GdipDrawImage, GdipDrawRectangle, GdipFillRectangle, GdipFillPath, GdipCreateStringFormat |
| SHLWAPI.dll | PathFileExistsW, SHDeleteKeyW |
| MPR.dll | WNetGetConnectionW |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-09-27T11:18:25.529280+0200 | 2056078 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (racedsuitreow .shop) | 1 | 192.168.2.5 | 58062 | 1.1.1.1 | 53 | UDP |
| 2024-09-27T11:18:25.539643+0200 | 2056076 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (defenddsouneuw .shop) | 1 | 192.168.2.5 | 57176 | 1.1.1.1 | 53 | UDP |
| 2024-09-27T11:18:26.025493+0200 | 2056077 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (defenddsouneuw .shop in TLS SNI) | 1 | 192.168.2.5 | 49716 | 188.114.97.3 | 443 | TCP |
| 2024-09-27T11:18:26.194583+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49716 | 188.114.97.3 | 443 | TCP |
| 2024-09-27T11:18:26.194583+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49716 | 188.114.97.3 | 443 | TCP |
| 2024-09-27T11:18:26.917291+0200 | 2056077 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (defenddsouneuw .shop in TLS SNI) | 1 | 192.168.2.5 | 49717 | 188.114.97.3 | 443 | TCP |
| 2024-09-27T11:18:27.331905+0200 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.5 | 49717 | 188.114.97.3 | 443 | TCP |
| 2024-09-27T11:18:27.331905+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49717 | 188.114.97.3 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Sep 27, 2024 11:18:25.560081005 CEST | 49716 | 443 | 192.168.2.5 | 188.114.97.3 |
| Sep 27, 2024 11:18:25.560136080 CEST | 443 | 49716 | 188.114.97.3 | 192.168.2.5 |
| Sep 27, 2024 11:18:25.560214996 CEST | 49716 | 443 | 192.168.2.5 | 188.114.97.3 |
| Sep 27, 2024 11:18:25.561548948 CEST | 49716 | 443 | 192.168.2.5 | 188.114.97.3 |
| Sep 27, 2024 11:18:25.561563015 CEST | 443 | 49716 | 188.114.97.3 | 192.168.2.5 |
| Sep 27, 2024 11:18:26.025357962 CEST | 443 | 49716 | 188.114.97.3 | 192.168.2.5 |
| Sep 27, 2024 11:18:26.025492907 CEST | 49716 | 443 | 192.168.2.5 | 188.114.97.3 |
| Sep 27, 2024 11:18:26.030638933 CEST | 49716 | 443 | 192.168.2.5 | 188.114.97.3 |
| Sep 27, 2024 11:18:26.030659914 CEST | 443 | 49716 | 188.114.97.3 | 192.168.2.5 |
| Sep 27, 2024 11:18:26.030916929 CEST | 443 | 49716 | 188.114.97.3 | 192.168.2.5 |
| Sep 27, 2024 11:18:26.085370064 CEST | 49716 | 443 | 192.168.2.5 | 188.114.97.3 |
| Sep 27, 2024 11:18:26.094005108 CEST | 49716 | 443 | 192.168.2.5 | 188.114.97.3 |
| Sep 27, 2024 11:18:26.094028950 CEST | 49716 | 443 | 192.168.2.5 | 188.114.97.3 |
| Sep 27, 2024 11:18:26.094151020 CEST | 443 | 49716 | 188.114.97.3 | 192.168.2.5 |
| Sep 27, 2024 11:18:26.194608927 CEST | 443 | 49716 | 188.114.97.3 | 192.168.2.5 |
| Sep 27, 2024 11:18:26.194654942 CEST | 443 | 49716 | 188.114.97.3 | 192.168.2.5 |
| Sep 27, 2024 11:18:26.194680929 CEST | 443 | 49716 | 188.114.97.3 | 192.168.2.5 |
| Sep 27, 2024 11:18:26.194705009 CEST | 443 | 49716 | 188.114.97.3 | 192.168.2.5 |
| Sep 27, 2024 11:18:26.194772005 CEST | 443 | 49716 | 188.114.97.3 | 192.168.2.5 |
| Sep 27, 2024 11:18:26.194900036 CEST | 49716 | 443 | 192.168.2.5 | 188.114.97.3 |
| Sep 27, 2024 11:18:26.194900036 CEST | 49716 | 443 | 192.168.2.5 | 188.114.97.3 |
| Sep 27, 2024 11:18:26.201015949 CEST | 49716 | 443 | 192.168.2.5 | 188.114.97.3 |
| Sep 27, 2024 11:18:26.201054096 CEST | 443 | 49716 | 188.114.97.3 | 192.168.2.5 |
| Sep 27, 2024 11:18:26.457401037 CEST | 49717 | 443 | 192.168.2.5 | 188.114.97.3 |
| Sep 27, 2024 11:18:26.457463026 CEST | 443 | 49717 | 188.114.97.3 | 192.168.2.5 |
| Sep 27, 2024 11:18:26.457572937 CEST | 49717 | 443 | 192.168.2.5 | 188.114.97.3 |
| Sep 27, 2024 11:18:26.458206892 CEST | 49717 | 443 | 192.168.2.5 | 188.114.97.3 |
| Sep 27, 2024 11:18:26.458226919 CEST | 443 | 49717 | 188.114.97.3 | 192.168.2.5 |
| Sep 27, 2024 11:18:26.916944981 CEST | 443 | 49717 | 188.114.97.3 | 192.168.2.5 |
| Sep 27, 2024 11:18:26.917290926 CEST | 49717 | 443 | 192.168.2.5 | 188.114.97.3 |
| Sep 27, 2024 11:18:26.919399023 CEST | 49717 | 443 | 192.168.2.5 | 188.114.97.3 |
| Sep 27, 2024 11:18:26.919420004 CEST | 443 | 49717 | 188.114.97.3 | 192.168.2.5 |
| Sep 27, 2024 11:18:26.919742107 CEST | 443 | 49717 | 188.114.97.3 | 192.168.2.5 |
| Sep 27, 2024 11:18:26.921041012 CEST | 49717 | 443 | 192.168.2.5 | 188.114.97.3 |
| Sep 27, 2024 11:18:26.921103954 CEST | 49717 | 443 | 192.168.2.5 | 188.114.97.3 |
| Sep 27, 2024 11:18:26.921140909 CEST | 443 | 49717 | 188.114.97.3 | 192.168.2.5 |
| Sep 27, 2024 11:18:27.331922054 CEST | 443 | 49717 | 188.114.97.3 | 192.168.2.5 |
| Sep 27, 2024 11:18:27.332034111 CEST | 443 | 49717 | 188.114.97.3 | 192.168.2.5 |
| Sep 27, 2024 11:18:27.332469940 CEST | 49717 | 443 | 192.168.2.5 | 188.114.97.3 |
| Sep 27, 2024 11:18:27.333312988 CEST | 49717 | 443 | 192.168.2.5 | 188.114.97.3 |
| Sep 27, 2024 11:18:27.333349943 CEST | 443 | 49717 | 188.114.97.3 | 192.168.2.5 |
| Sep 27, 2024 11:18:27.333372116 CEST | 49717 | 443 | 192.168.2.5 | 188.114.97.3 |
| Sep 27, 2024 11:18:27.333380938 CEST | 443 | 49717 | 188.114.97.3 | 192.168.2.5 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Sep 27, 2024 11:18:25.518866062 CEST | 58074 | 53 | 192.168.2.5 | 1.1.1.1 |
| Sep 27, 2024 11:18:25.527704000 CEST | 53 | 58074 | 1.1.1.1 | 192.168.2.5 |
| Sep 27, 2024 11:18:25.529279947 CEST | 58062 | 53 | 192.168.2.5 | 1.1.1.1 |
| Sep 27, 2024 11:18:25.537820101 CEST | 53 | 58062 | 1.1.1.1 | 192.168.2.5 |
| Sep 27, 2024 11:18:25.539643049 CEST | 57176 | 53 | 192.168.2.5 | 1.1.1.1 |
| Sep 27, 2024 11:18:25.553301096 CEST | 53 | 57176 | 1.1.1.1 | 192.168.2.5 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Sep 27, 2024 11:18:25.518866062 CEST | 192.168.2.5 | 1.1.1.1 | 0x84ab | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Sep 27, 2024 11:18:25.529279947 CEST | 192.168.2.5 | 1.1.1.1 | 0x617 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Sep 27, 2024 11:18:25.539643049 CEST | 192.168.2.5 | 1.1.1.1 | 0x3d2 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Sep 27, 2024 11:18:25.527704000 CEST | 1.1.1.1 | 192.168.2.5 | 0x84ab | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Sep 27, 2024 11:18:25.537820101 CEST | 1.1.1.1 | 192.168.2.5 | 0x617 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Sep 27, 2024 11:18:25.553301096 CEST | 1.1.1.1 | 192.168.2.5 | 0x3d2 | No error (0) | 188.114.97.3 | A (IP address) | IN (0x0001) | false | ||
| Sep 27, 2024 11:18:25.553301096 CEST | 1.1.1.1 | 192.168.2.5 | 0x3d2 | No error (0) | 188.114.96.3 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49716 | 188.114.97.3 | 443 | 5852 | C:\Users\user\Desktop\bfINGx7hvL.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-09-27 09:18:26 UTC | 266 | OUT | |
| 2024-09-27 09:18:26 UTC | 8 | OUT | |
| 2024-09-27 09:18:26 UTC | 555 | IN | |
| 2024-09-27 09:18:26 UTC | 814 | IN | |
| 2024-09-27 09:18:26 UTC | 1369 | IN | |
| 2024-09-27 09:18:26 UTC | 1369 | IN | |
| 2024-09-27 09:18:26 UTC | 853 | IN | |
| 2024-09-27 09:18:26 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.5 | 49717 | 188.114.97.3 | 443 | 5852 | C:\Users\user\Desktop\bfINGx7hvL.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-09-27 09:18:26 UTC | 356 | OUT | |
| 2024-09-27 09:18:26 UTC | 49 | OUT | |
| 2024-09-27 09:18:27 UTC | 766 | IN | |
| 2024-09-27 09:18:27 UTC | 15 | IN | |
| 2024-09-27 09:18:27 UTC | 5 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 05:18:16 |
| Start date: | 27/09/2024 |
| Path: | C:\Users\user\Desktop\bfINGx7hvL.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 2'881'672 bytes |
| MD5 hash: | 80C2A36E9A14E3EDBA0B706D2433D9B8 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 05:18:27 |
| Start date: | 27/09/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x650000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 8 |
| Start time: | 05:18:48 |
| Start date: | 27/09/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x650000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 10 |
| Start time: | 05:18:51 |
| Start date: | 27/09/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x650000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 0.9% |
| Dynamic/Decrypted Code Coverage: | 72.1% |
| Signature Coverage: | 31.3% |
| Total number of Nodes: | 201 |
| Total number of Limit Nodes: | 31 |
Graph
Function 0050E640 Relevance: 36.9, APIs: 3, Strings: 17, Instructions: 1873librarymemoryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0050E674 Relevance: 36.9, APIs: 3, Strings: 17, Instructions: 1859librarymemoryloaderCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0050F158 Relevance: 22.1, APIs: 2, Strings: 10, Instructions: 1143librarymemoryloaderCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0050F955 Relevance: 11.1, APIs: 1, Strings: 6, Instructions: 615memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0050F974 Relevance: 11.1, APIs: 1, Strings: 6, Instructions: 609memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0426F7B0 Relevance: 10.4, Strings: 8, Instructions: 390COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F70B1F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F7055F Relevance: 1.9, APIs: 1, Instructions: 399threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0429F006 Relevance: 1.5, APIs: 1, Instructions: 32comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 042A6730 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 042AA1E0 Relevance: .1, Instructions: 139COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0426D3C0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 158threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0429F073 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FCD227 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0429F66B Relevance: 3.1, APIs: 2, Instructions: 88memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FCBE45 Relevance: 1.6, APIs: 1, Instructions: 318memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 042A3176 Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 04272631 Relevance: 1.5, APIs: 1, Instructions: 12COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0429F113 Relevance: 1.5, APIs: 1, Instructions: 12COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 042A3142 Relevance: 1.5, APIs: 1, Instructions: 7memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 04272610 Relevance: 1.3, APIs: 1, Instructions: 11COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041D320 Relevance: 47.5, APIs: 17, Strings: 10, Instructions: 202serviceCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0049B470 Relevance: 46.2, APIs: 8, Strings: 18, Instructions: 650windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045F770 Relevance: 27.0, APIs: 13, Strings: 2, Instructions: 729windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F90B95 Relevance: 26.1, Strings: 20, Instructions: 1129COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004030E0 Relevance: 24.8, APIs: 9, Strings: 5, Instructions: 279windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00424260 Relevance: 19.5, APIs: 3, Strings: 8, Instructions: 236clipboardCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045D070 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 173fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00422070 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 121keyboardCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0052D130 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 45encryptionCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F811B2 Relevance: 9.1, Strings: 7, Instructions: 390COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F9F577 Relevance: 9.0, Strings: 7, Instructions: 249COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F72CB5 Relevance: 8.5, Strings: 6, Instructions: 960COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0051B680 Relevance: 8.0, Strings: 6, Instructions: 495COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 04261418 Relevance: 7.9, Strings: 6, Instructions: 444COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043D090 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 313windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044B630 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 313windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F72E1A Relevance: 5.4, Strings: 4, Instructions: 444COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F72D5B Relevance: 5.3, Strings: 4, Instructions: 345COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F72FB3 Relevance: 5.3, Strings: 4, Instructions: 343COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F73A08 Relevance: 5.3, Strings: 4, Instructions: 280COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F7F4B2 Relevance: 5.2, Strings: 4, Instructions: 200COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F82911 Relevance: 5.2, Strings: 4, Instructions: 191COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F95D92 Relevance: 5.2, Strings: 4, Instructions: 164COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004A83C0 Relevance: 4.6, APIs: 3, Instructions: 57COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FA076F Relevance: 4.2, Strings: 3, Instructions: 482COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F7A252 Relevance: 4.1, Strings: 3, Instructions: 394COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00FA4215 Relevance: 4.0, Strings: 3, Instructions: 220COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00FA429B Relevance: 4.0, Strings: 3, Instructions: 219COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D05C Relevance: 3.0, APIs: 2, Instructions: 20COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F98582 Relevance: 2.9, Strings: 2, Instructions: 411COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00FA45CB Relevance: 2.9, Strings: 2, Instructions: 408COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00FA4B4C Relevance: 2.9, Strings: 2, Instructions: 377COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F92132 Relevance: 2.8, Strings: 2, Instructions: 332COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00FA4E18 Relevance: 2.8, Strings: 2, Instructions: 318COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 04293419 Relevance: 2.8, Strings: 2, Instructions: 317COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0429342B Relevance: 2.8, Strings: 2, Instructions: 312COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FA4E2D Relevance: 2.8, Strings: 2, Instructions: 312COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0426148C Relevance: 2.8, Strings: 2, Instructions: 293COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FA8372 Relevance: 2.7, Strings: 2, Instructions: 245COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F8F6C4 Relevance: 2.6, Strings: 2, Instructions: 105COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F7E802 Relevance: 1.7, Strings: 1, Instructions: 439COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F75292 Relevance: 1.7, Strings: 1, Instructions: 426COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004E9350 Relevance: 1.6, APIs: 1, Instructions: 132COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F7C402 Relevance: 1.5, Strings: 1, Instructions: 271COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00FB63F2 Relevance: 1.5, Strings: 1, Instructions: 202COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F858A8 Relevance: 1.4, Strings: 1, Instructions: 188COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00FB9832 Relevance: 1.4, Strings: 1, Instructions: 173COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00FB5272 Relevance: 1.4, Strings: 1, Instructions: 167COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F92403 Relevance: 1.4, Strings: 1, Instructions: 144COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F9A692 Relevance: 1.4, Strings: 1, Instructions: 143COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00FBB612 Relevance: 1.4, Strings: 1, Instructions: 136COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00FB12FC Relevance: 1.4, Strings: 1, Instructions: 125COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F86013 Relevance: 1.4, Strings: 1, Instructions: 123COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 042A3420 Relevance: 1.3, Strings: 1, Instructions: 97COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB4E22 Relevance: 1.3, Strings: 1, Instructions: 97COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00FBBED2 Relevance: 1.3, Strings: 1, Instructions: 91COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F9D0CE Relevance: 1.3, Strings: 1, Instructions: 61COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F9FEC1 Relevance: 1.3, Strings: 1, Instructions: 59COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0428E4C2 Relevance: 1.3, Strings: 1, Instructions: 58COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F9D134 Relevance: 1.3, Strings: 1, Instructions: 52COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F84DDD Relevance: 1.3, Strings: 1, Instructions: 48COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F925AE Relevance: 1.3, Strings: 1, Instructions: 43COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F8600C Relevance: 1.3, Strings: 1, Instructions: 38COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004133B0 Relevance: .9, Instructions: 896COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F7DA82 Relevance: .8, Instructions: 835COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F7CF72 Relevance: .7, Instructions: 670COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 042674B0 Relevance: .7, Instructions: 657COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F78EB2 Relevance: .7, Instructions: 657COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F798B2 Relevance: .6, Instructions: 592COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0426A4E0 Relevance: .4, Instructions: 424COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F7BEE2 Relevance: .4, Instructions: 424COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F99DA7 Relevance: .4, Instructions: 406COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F9D652 Relevance: .4, Instructions: 361COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00FB9DB2 Relevance: .3, Instructions: 341COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F7CAE2 Relevance: .3, Instructions: 303COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F72E8E Relevance: .3, Instructions: 293COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 042654FB Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F76EFD Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00FBBFE2 Relevance: .3, Instructions: 260COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00FBC2B2 Relevance: .3, Instructions: 258COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00FA9792 Relevance: .2, Instructions: 249COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F98312 Relevance: .2, Instructions: 247COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0428F40F Relevance: .2, Instructions: 246COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FA0E11 Relevance: .2, Instructions: 246COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00FA80E2 Relevance: .2, Instructions: 231COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 042654B0 Relevance: .2, Instructions: 213COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FA9A42 Relevance: .2, Instructions: 213COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F76EB2 Relevance: .2, Instructions: 213COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00FAFCA2 Relevance: .2, Instructions: 189COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F9B99B Relevance: .2, Instructions: 183COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F77712 Relevance: .2, Instructions: 163COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00FBBBE2 Relevance: .1, Instructions: 139COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00FA3ED2 Relevance: .1, Instructions: 139COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00FBBD62 Relevance: .1, Instructions: 136COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00FA3F33 Relevance: .1, Instructions: 133COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F831C2 Relevance: .1, Instructions: 122COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00FCD5C4 Relevance: .1, Instructions: 110COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00FB82BB Relevance: .1, Instructions: 109COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F7116F Relevance: .1, Instructions: 107COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00FB0432 Relevance: .1, Instructions: 104COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F766B2 Relevance: .1, Instructions: 95COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00FA3EB7 Relevance: .1, Instructions: 95COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F874E1 Relevance: .1, Instructions: 83COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F87AF3 Relevance: .1, Instructions: 76COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F7116E Relevance: .1, Instructions: 66COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00FB0EF0 Relevance: .1, Instructions: 66COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00FAC282 Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00FA1DB2 Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F859AB Relevance: .1, Instructions: 61COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00FB8D52 Relevance: .1, Instructions: 53COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F78B72 Relevance: .0, Instructions: 44COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F8539E Relevance: .0, Instructions: 39COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F8C952 Relevance: .0, Instructions: 38COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00FBB3B2 Relevance: .0, Instructions: 34COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F70ECF Relevance: .0, Instructions: 33COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00FB2B02 Relevance: .0, Instructions: 21COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F87BF4 Relevance: .0, Instructions: 18COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00FA54B5 Relevance: .0, Instructions: 12COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00F8F835 Relevance: .0, Instructions: 11COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00FB0B62 Relevance: .0, Instructions: 8COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 042954AC Relevance: 101.6, APIs: 1, Strings: 57, Instructions: 143memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042A1E0 Relevance: 51.2, APIs: 34, Instructions: 168COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405100 Relevance: 39.0, APIs: 16, Strings: 6, Instructions: 471filewindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 04297404 Relevance: 36.9, APIs: 1, Strings: 20, Instructions: 147memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041D770 Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 138serviceCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004A0210 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 106windowsleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004183B0 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 106windowsleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004580E0 Relevance: 21.2, APIs: 14, Instructions: 227COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004034A0 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 226windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00439130 Relevance: 19.7, APIs: 13, Instructions: 191COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041D680 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 87serviceCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042E510 Relevance: 18.3, APIs: 12, Instructions: 263COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004A3510 Relevance: 16.7, APIs: 11, Instructions: 219COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041B6F0 Relevance: 16.7, APIs: 11, Instructions: 217COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004B3610 Relevance: 16.1, APIs: 5, Strings: 4, Instructions: 309fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401500 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 175windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004EC350 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 159memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004181B0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041D5D0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 70serviceCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004EF0E0 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 25libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041E2B0 Relevance: 15.2, APIs: 10, Instructions: 179COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00419760 Relevance: 15.2, APIs: 10, Instructions: 176COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004710E0 Relevance: 15.1, APIs: 10, Instructions: 140COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004A6480 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 192sleepsynchronizationthreadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041E570 Relevance: 13.7, APIs: 9, Instructions: 158COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041B550 Relevance: 13.6, APIs: 9, Instructions: 127COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042C540 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 80filewindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D4420 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 53windowsleepCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041D260 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 29servicesleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041D2C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 29servicesleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004713B0 Relevance: 12.1, APIs: 8, Instructions: 104COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042E110 Relevance: 10.7, APIs: 7, Instructions: 185COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042E370 Relevance: 10.6, APIs: 7, Instructions: 123COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004CB6C0 Relevance: 10.6, APIs: 7, Instructions: 98COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004CB190 Relevance: 10.6, APIs: 7, Instructions: 55COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00442770 Relevance: 9.3, APIs: 6, Instructions: 254fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042C670 Relevance: 9.2, APIs: 6, Instructions: 188windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004A1430 Relevance: 9.1, APIs: 6, Instructions: 114windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004334D0 Relevance: 9.1, APIs: 6, Instructions: 114windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004195B0 Relevance: 9.1, APIs: 6, Instructions: 89COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004B4550 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 220registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004B50A0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 140registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004302C0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 122registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00433670 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 100registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D3530 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 28libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004EE390 Relevance: 7.6, APIs: 5, Instructions: 138COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004CE5E0 Relevance: 7.6, APIs: 5, Instructions: 79COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004B41A0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 232registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00466060 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 170windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004B0600 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 152windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00441240 Relevance: 6.5, APIs: 4, Instructions: 471COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004A72E0 Relevance: 6.2, APIs: 4, Instructions: 161windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00448370 Relevance: 6.1, APIs: 4, Instructions: 133COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004CC050 Relevance: 6.1, APIs: 4, Instructions: 119COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004A45C0 Relevance: 6.1, APIs: 4, Instructions: 115COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00415180 Relevance: 6.1, APIs: 4, Instructions: 92COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004CC2E0 Relevance: 6.1, APIs: 4, Instructions: 91COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00409220 Relevance: 6.1, APIs: 4, Instructions: 88COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00409330 Relevance: 6.1, APIs: 4, Instructions: 88COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004525F0 Relevance: 6.1, APIs: 4, Instructions: 88COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004081B0 Relevance: 6.1, APIs: 4, Instructions: 83COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004080B0 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D44A0 Relevance: 6.1, APIs: 4, Instructions: 72memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00409630 Relevance: 6.0, APIs: 4, Instructions: 47COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00444750 Relevance: 6.0, APIs: 4, Instructions: 41COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00434750 Relevance: 6.0, APIs: 4, Instructions: 39windowsynchronizationCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402460 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 152windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004751C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 145memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004753C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004A4000 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|