Windows
Analysis Report
KMSPico.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
KMSPico.exe (PID: 3648, cmdline: C:\Users\user\Desktop\KMSPico.exe, MD5: E46FCDE17771922059B7A826EC4E4CA3)
WerFault.exe (PID: 5276, cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 1644, MD5: C31336C1EFC2CCB44B4326EA793040F2)
WerFault.exe's -p argument is the PID of the faulting process, here the KMSPico.exe instance (PID 3648), so the sample crashed during the run; that the SysWOW64 (32-bit) WerFault.exe was used also tells you the sample runs as a 32-bit process on this x64 system.
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads as EXE, DLL, or PowerShell. | No Attribution | | |
{
"C2 url": [
"associationokeo.shop",
"turkeyunlikelyofw.shop",
"pooreveningfuseor.pw",
"detectordiscusser.shop",
"problemregardybuiwo.fun",
"technologyenterdo.shop"
]
}
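The two network indicators this report gives you are the six C2 domains in the extracted configuration and the "TeslaBrowser/5.5" user agent from the family description. The following is an added example, not part of the Joe Sandbox report, of how a SOC would turn them into a check over web-proxy logs. The domains and user agent are taken from the report; the log layout (timestamp, client, method, URL, status, bytes, quoted user agent) and the five log lines are constructed for the example.

```python
"""Match the Lumma Stealer network IOCs from this report against web-proxy logs.

Added example, not part of the Joe Sandbox report: the domains and User-Agent
come from the config and description above; the log lines are constructed and
the log layout (timestamp client method url status bytes "user-agent") is assumed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# C2 domains from the extracted configuration above.
C2_DOMAINS = frozenset({
    "associationokeo.shop",
    "turkeyunlikelyofw.shop",
    "pooreveningfuseor.pw",
    "detectordiscusser.shop",
    "problemregardybuiwo.fun",
    "technologyenterdo.shop",
})
# User-Agent the family description attributes to the stealer's exfiltration POSTs.
LUMMA_USER_AGENT = "TeslaBrowser/5.5"

# Constructed sample log (not from the report). Line 5 is a look-alike domain that a
# naive endswith() check would wrongly flag; line 4 is a real subdomain that must match.
SAMPLE_LOG = """\
1709167673.254 10.0.0.5 CONNECT technologyenterdo.shop:443 200 4120 "Mozilla/5.0"
1709167674.800 10.0.0.5 POST http://technologyenterdo.shop/api 200 8812 "TeslaBrowser/5.5"
1709167675.100 10.0.0.7 GET https://www.example.com/ 200 512 "Mozilla/5.0"
1709167676.787 10.0.0.5 CONNECT cdn.technologyenterdo.shop:443 200 1400 "TeslaBrowser/5.5"
1709167677.000 10.0.0.9 GET https://nottechnologyenterdo.shop/ 200 300 "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+"([^"]*)"\s*$')


@dataclass(frozen=True)
class Hit:
    timestamp: float
    client: str
    host: str
    reasons: tuple  # which indicators matched: "c2-domain" and/or "lumma-user-agent"


def host_of(method: str, url: str) -> str:
    """Hostname of a request: CONNECT lines carry host:port, everything else a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def matches_c2(host: str) -> bool:
    """Exact or subdomain match only; a bare endswith() would also hit look-alike domains."""
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def scan_log(text: str) -> list:
    """Return one Hit per log line that touches a C2 domain or carries the Lumma user agent."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it instead of aborting the whole scan
        ts, client, method, url, _status, _bytes, ua = m.groups()
        host = host_of(method, url)
        reasons = []
        if matches_c2(host):
            reasons.append("c2-domain")
        if ua == LUMMA_USER_AGENT:
            reasons.append("lumma-user-agent")
        if reasons:
            hits.append(Hit(float(ts), client, host, tuple(reasons)))
    return hits


def clients_with_hits(hits) -> list:
    """Distinct client addresses that touched an indicator, for triage and isolation."""
    return sorted({h.client for h in hits})


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Two caveats when using this. The user agent is only visible on plaintext HTTP or on a proxy that terminates TLS; the C2 traffic in this report went to port 443, so in most environments the domain (from DNS or the TLS SNI) is the indicator you will actually see. And domains in a stealer configuration are short-lived: the report itself shows problemregardybuiwo.fun no longer resolving, so treat the list as this sample's configuration rather than a durable blocklist.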
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | |
| Windows_Trojan_Smokeloader_3687686f | unknown | unknown | |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | |
The Source column (which file or memory dump each rule matched) is empty in this copy of the report. Rules for three families (Lumma, RedLine, SmokeLoader) matching one sample is a common sign of a shared crypter; the ReversingLabs label below (Win32.Trojan.CrypterX), the "Unpacked PE file" findings and the "22 Software Packing" entry in the ATT&CK matrix all point the same way, so treat the RedLine and SmokeLoader hits as packer-stage matches unless the unpacked dump confirms a second payload.
Snort IDS alerts, sorted by timestamp (the report lists them unordered):
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype |
---|---|---|---|---|---|
02/29/24-01:47:53.047409 | 2050955 | 58632 | 53 | UDP | A Network Trojan was detected |
02/29/24-01:47:53.145475 | 2050998 | 64821 | 53 | UDP | A Network Trojan was detected |
02/29/24-01:47:53.254875 | 2051001 | 49704 | 443 | TCP | A Network Trojan was detected |
02/29/24-01:47:53.832376 | 2051001 | 49705 | 443 | TCP | A Network Trojan was detected |
02/29/24-01:47:54.800926 | 2051001 | 49706 | 443 | TCP | A Network Trojan was detected |
02/29/24-01:47:55.834473 | 2051001 | 49707 | 443 | TCP | A Network Trojan was detected |
02/29/24-01:47:56.787043 | 2051001 | 49708 | 443 | TCP | A Network Trojan was detected |
02/29/24-01:47:59.419425 | 2051001 | 49709 | 443 | TCP | A Network Trojan was detected |
02/29/24-01:48:00.206830 | 2051001 | 49710 | 443 | TCP | A Network Trojan was detected |
02/29/24-01:48:01.392463 | 2051001 | 49711 | 443 | TCP | A Network Trojan was detected |
Two DNS alerts (UDP/53, SIDs 2050955 and 2050998) are followed within a quarter of a second by the first of eight TLS connections (TCP/443) that all trigger SID 2051001, from consecutive source ports 49704 to 49711 over roughly eight seconds.
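The ten alert records above are more useful as a timeline than as a list: the order in which the rules fired, the gap between the DNS alert and the first TLS connection, and the run of source ports together say more than any single alert. As an added example (not Joe Sandbox code), the script below loads the ten records, copied from the report into a compact CSV, and derives those three facts; the correlation helpers and the five-second pairing window are the editor's own choices.

```python
"""Rebuild the network timeline from the Snort alerts listed in the report.

Added example (not Joe Sandbox code): the ten alert records are copied from
the report into a compact CSV; the correlation helpers are the editor's own.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# timestamp,sid,src_port,dst_port,proto: the ten records above, in report order.
# Every record carried the same classtype ("A Network Trojan was detected"), so it is omitted.
ALERTS_CSV = """\
02/29/24-01:47:53.832376,2051001,49705,443,TCP
02/29/24-01:48:00.206830,2051001,49710,443,TCP
02/29/24-01:47:59.419425,2051001,49709,443,TCP
02/29/24-01:47:53.145475,2050998,64821,53,UDP
02/29/24-01:48:01.392463,2051001,49711,443,TCP
02/29/24-01:47:53.047409,2050955,58632,53,UDP
02/29/24-01:47:53.254875,2051001,49704,443,TCP
02/29/24-01:47:55.834473,2051001,49707,443,TCP
02/29/24-01:47:56.787043,2051001,49708,443,TCP
02/29/24-01:47:54.800926,2051001,49706,443,TCP
"""

TS_FORMAT = "%m/%d/%y-%H:%M:%S.%f"  # timestamp layout as printed in the report


@dataclass(frozen=True)
class Alert:
    ts: datetime
    sid: int
    sport: int
    dport: int
    proto: str


def parse_alerts(text: str) -> list[Alert]:
    """Parse the CSV into Alert records and return them in chronological order."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, sport, dport, proto = line.split(",")
        alerts.append(Alert(datetime.strptime(ts, TS_FORMAT), int(sid), int(sport), int(dport), proto))
    return sorted(alerts, key=lambda a: a.ts)


def sid_counts(alerts: list[Alert]) -> Counter:
    """How often each rule fired; one SID dominating usually means one C2 channel being retried."""
    return Counter(a.sid for a in alerts)


def dns_then_c2(alerts: list[Alert], window_s: float = 5.0) -> list[tuple[int, int, float]]:
    """Pair every UDP/53 alert with the first TCP/443 alert that follows it within window_s.

    Returns (dns_sid, tls_sid, seconds_between). A DNS rule firing and a TLS rule
    firing a fraction of a second later is the resolve-then-connect pattern of a
    beacon, which is stronger evidence than either alert on its own.
    """
    tls = [a for a in alerts if a.proto == "TCP" and a.dport == 443]
    pairs = []
    for dns in (a for a in alerts if a.proto == "UDP" and a.dport == 53):
        for t in tls:
            delta = (t.ts - dns.ts).total_seconds()
            if 0 <= delta <= window_s:
                pairs.append((dns.sid, t.sid, round(delta, 3)))
                break
    return pairs


def tls_port_run(alerts: list[Alert]) -> tuple[list[int], bool]:
    """Source ports of the TCP/443 alerts in time order, and whether they are consecutive.

    Windows allocates ephemeral ports sequentially by default, so an unbroken run
    means one process opened these connections back to back rather than several
    unrelated ones.
    """
    ports = [a.sport for a in alerts if a.proto == "TCP" and a.dport == 443]
    consecutive = all(b - a == 1 for a, b in zip(ports, ports[1:]))
    return ports, consecutive


if __name__ == "__main__":
    parsed = parse_alerts(ALERTS_CSV)
    print("rule hits:", dict(sid_counts(parsed)))
    print("dns -> tls pairs:", dns_then_c2(parsed))
    print("tls source ports:", tls_port_run(parsed))
```

On this report's data the DNS-to-TLS gap is about 0.2 s and the eight TLS source ports form an unbroken run, which matches the eight "HTTPS traffic detected" rows in the Networking section below: one process resolving a C2 and connecting to it repeatedly, not eight unrelated flows.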
- AV Detection
- Compliance
- Networking
- System Summary
- Data Obfuscation
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- HIPS / PFW / Operating System Protection Evasion
- Language, Device and Operating System Detection
- Lowering of HIPS / PFW / Operating System Security Settings
- Stealing of Sensitive Information
- Remote Access Functionality
The per-observation evidence columns of the signature tables below (file paths, URLs, strings, registry keys) are empty in this copy of the report; only the signature type of each row survives.
AV Detection |
---|
Source: | Avira: | 1 row |
Source: | Avira URL Cloud: | 4 rows |
Source: | Malware Configuration Extractor: | 1 row |
Source: | Virustotal: | 12 rows |
Source: | ReversingLabs: | 1 row |
Source: | Virustotal: | 1 row |
Source: | Joe Sandbox ML: | 1 row |
Compliance |
---|
Source: | Unpacked PE file: | 1 row |
Source: | Static PE information: | 1 row |
Source: | File opened: | 1 row |
Source: | HTTPS traffic detected: | 8 rows |
Networking |
---|
Source: | Snort IDS: | 10 rows (the ten alerts listed above) |
Source: | URLs: | 6 rows (the six C2 domains in the extracted configuration) |
Source: | ASN Name: | 1 row |
Source: | JA3 fingerprint: | 1 row |
Source: | HTTP traffic detected: | 8 rows |
Source: | UDP traffic detected without corresponding DNS query: | 2 rows |
Source: | DNS traffic detected: | 1 row |
Source: | HTTP traffic detected: | 1 row |
Source: | String found in binary or memory: | 39 rows |
Source: | Network traffic detected: | 16 rows |
Source: | HTTPS traffic detected: | 8 rows |
System Summary |
---|
Source: | Matched rule: | 2 rows |
Source: | Code function: | 0_3_04B14C30, 0_3_04B14C21, 0_3_04B14E68 | 27 rows (each of the three functions listed 9 times) |
Source: | Process created: | 1 row |
Source: | Section loaded: | 37 rows |
Source: | Static PE information: | 1 row |
Source: | Matched rule: | 2 rows |
Source: | Static PE information: | 1 row |
Source: | Classification label: | 1 row |
Source: | Mutant created: | 1 row |
Source: | File created: | 1 row |
Source: | Static PE information: | 1 row |
Source: | Key opened: | 1 row |
Source: | Binary or memory string: | 1 row |
Source: | ReversingLabs: | 1 row |
Source: | Virustotal: | 1 row |
Source: | File read: | 1 row |
Source: | Process created: | 2 rows |
Source: | File opened: | 1 row |
Data Obfuscation |
---|
Source: | Unpacked PE file: | 1 row |
Source: | Unpacked PE file: | 1 row |
Source: | Static PE information: | 1 row |
Source: | Process information set: | 57 rows |
Malware Analysis System Evasion |
---|
Source: | System information queried: | 1 row |
Source: | Thread sleep time: | 2 rows |
Source: | Binary or memory string: | 64 rows |
Source: | Process information queried: | 1 row |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | String found in binary or memory: | 8 rows |
Source: | Queries volume information: | 7 rows |
Source: | Key value queried: | 1 row |
Source: | Binary or memory string: | 5 rows |
Source: | WMI Queries: | 1 row |
Stealing of Sensitive Information |
---|
Source: | File source: | 2 rows |
Source: | String found in binary or memory: | 11 rows |
Source: | File opened: | 106 rows |
Source: | File opened: | 9 rows |
Source: | Directory queried: | 24 rows |
Source: | File source: | 2 rows |
Remote Access Functionality |
---|
Source: | File source: | 2 rows |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 11 Virtualization/Sandbox Evasion | 1 OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 31 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 22 Software Packing | LSA Secrets | 12 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
37% | ReversingLabs | Win32.Trojan.CrypterX | ||
46% | Virustotal | Browse | ||
100% | Avira | HEUR/AGEN.1352498 | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
16% | Virustotal | Browse | ||
18% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
18% | Virustotal | Browse | ||
0% | Virustotal | Browse | ||
0% | Avira URL Cloud | safe | ||
100% | Avira URL Cloud | malware | ||
14% | Virustotal | Browse | ||
100% | Avira URL Cloud | malware | ||
0% | Avira URL Cloud | safe | ||
100% | Avira URL Cloud | malware | ||
0% | Avira URL Cloud | safe | ||
16% | Virustotal | Browse | ||
0% | Avira URL Cloud | safe | ||
20% | Virustotal | Browse | ||
0% | Avira URL Cloud | safe | ||
20% | Virustotal | Browse | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
100% | Avira URL Cloud | malware | ||
0% | Avira URL Cloud | safe | ||
19% | Virustotal | Browse | ||
15% | Virustotal | Browse | ||
0% | Avira URL Cloud | safe | ||
15% | Virustotal | Browse | ||
0% | Avira URL Cloud | safe | ||
19% | Virustotal | Browse | ||
14% | Virustotal | Browse |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
technologyenterdo.shop | 104.21.80.118 | true | true | | unknown |
problemregardybuiwo.fun | unknown | unknown | true | | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
(7 entries, names not preserved) | true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | | false | | high |
| | | false | | unknown |
| | | false | | high |
| | | false | | unknown |
| | | false | | high |
| | | false | | unknown |
| | | false | | high |
| | | false | | unknown |
| | | false | | high |
| | | false | | high |
| | | false | | unknown |
| | | false | | high |
| | | false | | high |
| | | false | | high |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | high |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | high |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | high |
| | | false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
104.21.80.118 | technologyenterdo.shop | United States | 13335 | CLOUDFLARENETUS | true |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1400640 |
Start date and time: | 2024-02-29 01:47:03 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 32s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 8 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | KMSPico.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@2/5@2/1 |
EGA Information: | Failed |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.189.173.20
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target KMSPico.exe, PID 3648 because there are no executed function
- HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- Report size getting too big, too many NtCreateFile calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
01:47:52 | API Interceptor | |
01:48:16 | API Interceptor | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
technologyenterdo.shop | | Get hash | malicious | LummaC | Browse | |
| | | Get hash | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, PureLog Stealer | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CLOUDFLARENETUS | | Get hash | malicious | TechSupportScam | Browse | |
| | | Get hash | malicious | Unknown | Browse | |
| | | Get hash | malicious | Unknown | Browse | |
| | | Get hash | malicious | HTMLPhisher | Browse | |
| | | Get hash | malicious | HTMLPhisher | Browse | |
| | | Get hash | malicious | Unknown | Browse | |
| | | Get hash | malicious | TechSupportScam | Browse | |
| | | Get hash | malicious | Unknown | Browse | |
| | | Get hash | malicious | Unknown | Browse | |
| | | Get hash | malicious | HtmlDropper, HTMLPhisher | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | Unknown | Browse | |
| | | Get hash | malicious | DarkGate, MailPassView | Browse | |
| | | Get hash | malicious | Unknown | Browse | |
| | | Get hash | malicious | Unknown | Browse | |
| | | Get hash | malicious | Unknown | Browse | |
| | | Get hash | malicious | Unknown | Browse | |
| | | Get hash | malicious | Unknown | Browse | |
| | | Get hash | malicious | Unknown | Browse | |
| | | Get hash | malicious | Unknown | Browse | |
| | | Get hash | malicious | Unknown | Browse | |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.9820825137729422 |
Encrypted: | false |
SSDEEP: | 96:6TSeREou+Eszx1Yzjv9fDUQXIDcQNc67cElcw38N+HbHg/8BRTf3o8Fa9SAOyPut:sdyv+EVb0D/fTjtdFDzuiFUZ24IO8ym |
MD5: | 0EC54C15C30E2F00A1B3275E5F6A7FE3 |
SHA1: | B28EC411DD0AA3CD7BCB65931B7DC8C0DA0C2AF2 |
SHA-256: | 4870FEE31EF70A6B9B6145E7662D3684366CBF661CD39862D699818AFC96133A |
SHA-512: | 18605ADD00FF7616C80281C538FD496E436F504D5F9B136B8F420961FB64C658677AAEEE777189534D60D68E961F046C54EE5BCE4351586967A6CCC682A11CC5 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 51830 |
Entropy (8bit): | 2.869063610021232 |
Encrypted: | false |
SSDEEP: | 192:eRMZXXBiLwIG0OLBcP6P64R4tw6PUaJvjU54zPOFQLygtnJGIzs4RtpjUMeqH9+Z:AGBiLwLLBPP6tGMoefLttJGS5tpjqqQZ |
MD5: | F3DF7807CE9A3F051B810AFCA10AADE9 |
SHA1: | 28CFF110D497D21340950B286FDB30B26A33C1EE |
SHA-256: | 4C4C73B30CCCA65563BDB08003EF62E6D26F4152833A941004C74E1E83FEF3FA |
SHA-512: | DB75936DAD993A483B5C58CB3130137A23BAC374BC900FC808BD2FAB04FD10EBFFFBD31843F8FA83211EDEF64E89F10DA9F58BF76B441BD5920D32A6767179AD |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8320 |
Entropy (8bit): | 3.697692850713784 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJYA61Ab6YEICSULz4gmfvj4+pDv89bePsfpKm:R6lXJn6126YE9SUn4gmfL4De0fl |
MD5: | 1FBB925EBADE91DD96876474E4D152C3 |
SHA1: | 3290B09A41DF8D5611CD2F21E0B1C3AE6C05B89B |
SHA-256: | 9EBD112BEDA7FF06D28D1FE9DFA3EBDF1EC0F392B211482BF7B3171DDBD1D273 |
SHA-512: | 50903F0EE54437047BA3FF7CFF7461A48924247178F231DCBD0F345AA0C6FD60A58FAD358ACB72BF13E8E13D833E7D3DB6A6FAF4A5B820807F4B743A52AD1B1E |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4562 |
Entropy (8bit): | 4.459653068252717 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsEJg77aI9SNWpW8VYpYm8M4JvtFjnm+q8gZTwiuId:uIjfCI7I87V1JjnmrUiuId |
MD5: | CA370F97A001C5D25982C9D2103B80EF |
SHA1: | DACE386F84188F0BCCACB3C506EAA8CE176CE59F |
SHA-256: | 696D69EBA6D53A9085A29D552C1EDC19C39D87A0D246F8B523C74267BFFD4841 |
SHA-512: | 0616A6112C975400BE8C334B8AF4468D93B2A1EE129F9B386D3F4D5E5DDF6001C5480A88072047D2C82B0FDBBF7E976F08C919CB9391159769F936897C209907 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1835008 |
Entropy (8bit): | 4.421508203105066 |
Encrypted: | false |
SSDEEP: | 6144:MSvfpi6ceLP/9skLmb0OT5WSPHaJG8nAgeMZMMhA2fX4WABlEnN10uhiTw:3vloT5W+EZMM6DFyL03w |
MD5: | CD9476B23A8101AF09D3290D696821C5 |
SHA1: | B92CFB4957BA1D4DEE99B3829ADD53348849906E |
SHA-256: | 9B101C94834BE91D6F449086D25B16E6509D92AFFBADBE28E4318FA4D95644BE |
SHA-512: | 6EAFC2CF1CB88A79CDB7BBFC17CB57ABD00313F00A6AE50FBF087498B22B6D311FE5CB11AA2E7A945AF85075DE59E6FB48129F39E9EF5E3B024AA5C5D4349913 |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 7.331170903296359 |
TrID: | |
File name: | KMSPico.exe |
File size: | 287'744 bytes |
MD5: | e46fcde17771922059b7a826ec4e4ca3 |
SHA1: | c7ade612e6053c7652698d431f59c7ed43a57f19 |
SHA256: | e2e733137df2e1a7d726335f8ae4d1b4ce83ef2d1d3db2651c23db1a24c918f0 |
SHA512: | e510e2d16920e077dc55da1c20a176d8a7147c28ca828635f8c6c5ad0083f6b64c4b794ec4c4c7408f1cbfc65fcf6744f7ce8cef9ee9b90e57c630ca7a8cd1d1 |
SSDEEP: | 6144:1Y3DCZutB4lBjV9d1aZJzuQSoXCbreMbi5N7R397:1Y2Zuf4lf3kJzu9oX8LiP7 |
TLSH: | 2E54F02633D0C839D4A621319862DBB54A7BFCA12D35858B77A03B3F9E212C19A3575A |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................M.......x.......L.......u...............I.......|.......{.....Rich............PE..L...WI.d................... |
Icon Hash: | 1319712306413347 |
Entrypoint: | 0x401637 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x64F24957 [Fri Sep 1 20:28:07 2023 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | 3e9a9cf66c4a31d33ef1279b5d62e5f6 |
Instruction |
---|
call 00007F4608C11B56h |
jmp 00007F4608C0E9BEh |
mov edi, edi |
push ebp |
mov ebp, esp |
sub esp, 00000328h |
mov dword ptr [00440258h], eax |
mov dword ptr [00440254h], ecx |
mov dword ptr [00440250h], edx |
mov dword ptr [0044024Ch], ebx |
mov dword ptr [00440248h], esi |
mov dword ptr [00440244h], edi |
mov word ptr [00440270h], ss |
mov word ptr [00440264h], cs |
mov word ptr [00440240h], ds |
mov word ptr [0044023Ch], es |
mov word ptr [00440238h], fs |
mov word ptr [00440234h], gs |
pushfd |
pop dword ptr [00440268h] |
mov eax, dword ptr [ebp+00h] |
mov dword ptr [0044025Ch], eax |
mov eax, dword ptr [ebp+04h] |
mov dword ptr [00440260h], eax |
lea eax, dword ptr [ebp+08h] |
mov dword ptr [0044026Ch], eax |
mov eax, dword ptr [ebp-00000320h] |
mov dword ptr [004401A8h], 00010001h |
mov eax, dword ptr [00440260h] |
mov dword ptr [0044015Ch], eax |
mov dword ptr [00440150h], C0000409h |
mov dword ptr [00440154h], 00000001h |
mov eax, dword ptr [0043E004h] |
mov dword ptr [ebp-00000328h], eax |
mov eax, dword ptr [0043E008h] |
mov dword ptr [ebp-00000324h], eax |
call dword ptr [000000CCh] |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3d25c | 0x78 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1ee7000 | 0x75c8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3b000 | 0x19c | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x3916b | 0x39200 | 5877f4d9d3d75f2d0e68f955c984cda7 | False | 0.8708971553610503 | data | 7.7446509642308685 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x3b000 | 0x2bd0 | 0x2c00 | 791bfb0d303e561e778d755e2ed7cd98 | False | 0.36665482954545453 | data | 4.969085311343728 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x3e000 | 0x1ea812c | 0x2c00 | b313328d111fa566ef4c77fbed6c84c2 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x1ee7000 | 0x75c8 | 0x7600 | 0fcca62874bb692c787b19fb33d7b772 | False | 0.5990466101694916 | data | 5.31913405116205 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_CURSOR | 0x1eecbc8 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | English | United States | 0.4276315789473684 |
RT_CURSOR | 0x1eecd10 | 0x134 | Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001" | English | United States | 0.75 |
RT_CURSOR | 0x1eece60 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | United States | 0.31023454157782515 |
RT_ICON | 0x1ee7420 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.69136460554371 |
RT_ICON | 0x1ee82c8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.7292418772563177 |
RT_ICON | 0x1ee8b70 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.6394009216589862 |
RT_ICON | 0x1ee9238 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.5852601156069365 |
RT_ICON | 0x1ee97a0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | English | United States | 0.6434647302904565 |
RT_ICON | 0x1eebd48 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | English | United States | 0.7553278688524591 |
RT_ICON | 0x1eec6d0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | English | United States | 0.8351063829787234 |
RT_STRING | 0x1eeded8 | 0xe0 | data | English | United States | 0.5491071428571429 |
RT_STRING | 0x1eedfb8 | 0x610 | data | English | United States | 0.43427835051546393 |
RT_ACCELERATOR | 0x1eecba0 | 0x28 | data | English | United States | 1.0 |
RT_GROUP_CURSOR | 0x1eeccf8 | 0x14 | data | English | United States | 1.15 |
RT_GROUP_CURSOR | 0x1eece48 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x1eedd08 | 0x14 | data | English | United States | 1.25 |
RT_GROUP_ICON | 0x1eecb38 | 0x68 | data | English | United States | 0.7115384615384616 |
RT_VERSION | 0x1eedd20 | 0x1b4 | data | English | United States | 0.573394495412844 |
DLL | Import |
---|---|
KERNEL32.dll | HeapAlloc, SystemTimeToFileTime, GetUserDefaultLCID, WideCharToMultiByte, GetConsoleAliasExesLengthW, GetTimeZoneInformation, ReleaseSemaphore, ReplaceFileA, GetStdHandle, GetCurrentDirectoryW, SetLastError, CreateNamedPipeA, CreateTimerQueueTimer, BuildCommDCBW, LoadLibraryA, SystemTimeToTzSpecificLocalTime, LocalAlloc, GetFileType, AddAtomW, GetModuleFileNameA, lstrcatW, FreeEnvironmentStringsW, VirtualProtect, FatalAppExitA, EndUpdateResourceA, GetVolumeInformationW, CreateFileW, WriteConsoleW, ReadFile, GetProcessHeap, GetLocaleInfoA, MoveFileExA, InterlockedExchangeAdd, WriteConsoleOutputCharacterW, SetEndOfFile, SetStdHandle, GetLastError, HeapFree, EncodePointer, DecodePointer, GetCommandLineW, HeapSetInformation, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, IsProcessorFeaturePresent, HeapCreate, Sleep, HeapSize, GetProcAddress, GetModuleHandleW, ExitProcess, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, RtlUnwind, WriteFile, GetModuleFileNameW, GetEnvironmentStringsW, SetHandleCount, DeleteCriticalSection, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, InterlockedDecrement, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RaiseException, HeapReAlloc, LoadLibraryW, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, CloseHandle, CreateFileA, GetConsoleCP, GetConsoleMode, FlushFileBuffers, LCMapStringW, MultiByteToWideChar, GetStringTypeW, SetFilePointer |
USER32.dll | SetActiveWindow, SetKeyboardState, CreateIcon, GetClassLongA |
GDI32.dll | GetCharWidthW |
ADVAPI32.dll | GetAce |
ole32.dll | CoTaskMemFree |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
02/29/24-01:47:53.832376 | TCP | 2051001 | ET TROJAN Observed Lumma Stealer Related Domain (technologyenterdo .shop in TLS SNI) | 49705 | 443 | 192.168.2.5 | 104.21.80.118 |
02/29/24-01:48:00.206830 | TCP | 2051001 | ET TROJAN Observed Lumma Stealer Related Domain (technologyenterdo .shop in TLS SNI) | 49710 | 443 | 192.168.2.5 | 104.21.80.118 |
02/29/24-01:47:59.419425 | TCP | 2051001 | ET TROJAN Observed Lumma Stealer Related Domain (technologyenterdo .shop in TLS SNI) | 49709 | 443 | 192.168.2.5 | 104.21.80.118 |
02/29/24-01:47:53.145475 | UDP | 2050998 | ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (technologyenterdo .shop) | 64821 | 53 | 192.168.2.5 | 1.1.1.1 |
02/29/24-01:48:01.392463 | TCP | 2051001 | ET TROJAN Observed Lumma Stealer Related Domain (technologyenterdo .shop in TLS SNI) | 49711 | 443 | 192.168.2.5 | 104.21.80.118 |
02/29/24-01:47:53.047409 | UDP | 2050955 | ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (problemregardybuiwo .fun) | 58632 | 53 | 192.168.2.5 | 1.1.1.1 |
02/29/24-01:47:53.254875 | TCP | 2051001 | ET TROJAN Observed Lumma Stealer Related Domain (technologyenterdo .shop in TLS SNI) | 49704 | 443 | 192.168.2.5 | 104.21.80.118 |
02/29/24-01:47:55.834473 | TCP | 2051001 | ET TROJAN Observed Lumma Stealer Related Domain (technologyenterdo .shop in TLS SNI) | 49707 | 443 | 192.168.2.5 | 104.21.80.118 |
02/29/24-01:47:56.787043 | TCP | 2051001 | ET TROJAN Observed Lumma Stealer Related Domain (technologyenterdo .shop in TLS SNI) | 49708 | 443 | 192.168.2.5 | 104.21.80.118 |
02/29/24-01:47:54.800926 | TCP | 2051001 | ET TROJAN Observed Lumma Stealer Related Domain (technologyenterdo .shop in TLS SNI) | 49706 | 443 | 192.168.2.5 | 104.21.80.118 |
- Total Packets: 102
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 29, 2024 01:48:01.634620905 CET | 443 | 49711 | 104.21.80.118 | 192.168.2.5 |
Feb 29, 2024 01:48:01.634710073 CET | 49711 | 443 | 192.168.2.5 | 104.21.80.118 |
Feb 29, 2024 01:48:01.634727955 CET | 443 | 49711 | 104.21.80.118 | 192.168.2.5 |
Feb 29, 2024 01:48:03.200050116 CET | 443 | 49711 | 104.21.80.118 | 192.168.2.5 |
Feb 29, 2024 01:48:03.200330973 CET | 443 | 49711 | 104.21.80.118 | 192.168.2.5 |
Feb 29, 2024 01:48:03.200400114 CET | 49711 | 443 | 192.168.2.5 | 104.21.80.118 |
Feb 29, 2024 01:48:03.200459003 CET | 49711 | 443 | 192.168.2.5 | 104.21.80.118 |
Feb 29, 2024 01:48:03.200483084 CET | 443 | 49711 | 104.21.80.118 | 192.168.2.5 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 29, 2024 01:47:53.047409058 CET | 58632 | 53 | 192.168.2.5 | 1.1.1.1 |
Feb 29, 2024 01:47:53.140845060 CET | 53 | 58632 | 1.1.1.1 | 192.168.2.5 |
Feb 29, 2024 01:47:53.145474911 CET | 64821 | 53 | 192.168.2.5 | 1.1.1.1 |
Feb 29, 2024 01:47:53.243330956 CET | 53 | 64821 | 1.1.1.1 | 192.168.2.5 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Feb 29, 2024 01:47:53.047409058 CET | 192.168.2.5 | 1.1.1.1 | 0xf0d8 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Feb 29, 2024 01:47:53.145474911 CET | 192.168.2.5 | 1.1.1.1 | 0xdaa2 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Feb 29, 2024 01:47:53.140845060 CET | 1.1.1.1 | 192.168.2.5 | 0xf0d8 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Feb 29, 2024 01:47:53.243330956 CET | 1.1.1.1 | 192.168.2.5 | 0xdaa2 | No error (0) | | | 104.21.80.118 | A (IP address) | IN (0x0001) | false |
Feb 29, 2024 01:47:53.243330956 CET | 1.1.1.1 | 192.168.2.5 | 0xdaa2 | No error (0) | | | 172.67.180.132 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.5 | 49704 | 104.21.80.118 | 443 | 3648 | C:\Users\user\Desktop\KMSPico.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-02-29 00:47:53 UTC | 269 | OUT | |
2024-02-29 00:47:53 UTC | 8 | OUT | |
2024-02-29 00:47:53 UTC | 812 | IN | |
2024-02-29 00:47:53 UTC | 7 | IN | |
2024-02-29 00:47:53 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.5 | 49705 | 104.21.80.118 | 443 | 3648 | C:\Users\user\Desktop\KMSPico.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-02-29 00:47:54 UTC | 270 | OUT | |
2024-02-29 00:47:54 UTC | 52 | OUT | |
2024-02-29 00:47:54 UTC | 806 | IN | |
2024-02-29 00:47:54 UTC | 563 | IN | |
2024-02-29 00:47:54 UTC | 1369 | IN | |
2024-02-29 00:47:54 UTC | 1369 | IN | |
2024-02-29 00:47:54 UTC | 1369 | IN | |
2024-02-29 00:47:54 UTC | 1369 | IN | |
2024-02-29 00:47:54 UTC | 1369 | IN | |
2024-02-29 00:47:54 UTC | 1369 | IN | |
2024-02-29 00:47:54 UTC | 1369 | IN | |
2024-02-29 00:47:54 UTC | 1369 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.5 | 49706 | 104.21.80.118 | 443 | 3648 | C:\Users\user\Desktop\KMSPico.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-02-29 00:47:54 UTC | 288 | OUT | |
2024-02-29 00:47:54 UTC | 13678 | OUT | |
2024-02-29 00:47:55 UTC | 804 | IN | |
2024-02-29 00:47:55 UTC | 23 | IN | |
2024-02-29 00:47:55 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.5 | 49707 | 104.21.80.118 | 443 | 3648 | C:\Users\user\Desktop\KMSPico.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-02-29 00:47:56 UTC | 288 | OUT | |
2024-02-29 00:47:56 UTC | 15331 | OUT | |
2024-02-29 00:47:56 UTC | 890 | OUT | |
2024-02-29 00:47:56 UTC | 808 | IN | |
2024-02-29 00:47:56 UTC | 23 | IN | |
2024-02-29 00:47:56 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.5 | 49708 | 104.21.80.118 | 443 | 3648 | C:\Users\user\Desktop\KMSPico.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-02-29 00:47:56 UTC | 288 | OUT | |
2024-02-29 00:47:56 UTC | 15331 | OUT | |
2024-02-29 00:47:56 UTC | 5234 | OUT | |
2024-02-29 00:47:57 UTC | 810 | IN | |
2024-02-29 00:47:57 UTC | 23 | IN | |
2024-02-29 00:47:57 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.5 | 49709 | 104.21.80.118 | 443 | 3648 | C:\Users\user\Desktop\KMSPico.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-02-29 00:47:59 UTC | 287 | OUT | |
2024-02-29 00:47:59 UTC | 7086 | OUT | |
2024-02-29 00:48:00 UTC | 806 | IN | |
2024-02-29 00:48:00 UTC | 23 | IN | |
2024-02-29 00:48:00 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.5 | 49710 | 104.21.80.118 | 443 | 3648 | C:\Users\user\Desktop\KMSPico.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-02-29 00:48:00 UTC | 287 | OUT | |
2024-02-29 00:48:00 UTC | 1256 | OUT | |
2024-02-29 00:48:00 UTC | 806 | IN | |
2024-02-29 00:48:00 UTC | 23 | IN | |
2024-02-29 00:48:00 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.5 | 49711 | 104.21.80.118 | 443 | 3648 | C:\Users\user\Desktop\KMSPico.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-02-29 00:48:01 UTC | 289 | OUT | |
2024-02-29 00:48:01 UTC | 15331 | OUT | |
2024-02-29 00:48:01 UTC | 15331 | OUT | |
2024-02-29 00:48:01 UTC | 15331 | OUT | |
2024-02-29 00:48:01 UTC | 15331 | OUT | |
2024-02-29 00:48:01 UTC | 15331 | OUT | |
2024-02-29 00:48:01 UTC | 15331 | OUT | |
2024-02-29 00:48:01 UTC | 15331 | OUT | |
2024-02-29 00:48:01 UTC | 15331 | OUT | |
2024-02-29 00:48:01 UTC | 15331 | OUT | |
2024-02-29 00:48:01 UTC | 15331 | OUT | |
2024-02-29 00:48:03 UTC | 810 | IN |
Target ID: | 0 |
Start time: | 01:47:48 |
Start date: | 29/02/2024 |
Path: | C:\Users\user\Desktop\KMSPico.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 287'744 bytes |
MD5 hash: | E46FCDE17771922059B7A826EC4E4CA3 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 4 |
Start time: | 01:48:03 |
Start date: | 29/02/2024 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xea0000 |
File size: | 483'680 bytes |
MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Memory Dump Source | Joe Sandbox IDA Plugin | Similarity | Uniqueness |
---|---|---|---|
| | | Uniqueness Score: -1.00% |