Edit tour
Windows
Analysis Report
TS-240622-Lumma4.exe
Overview
General Information
| Sample name: | TS-240622-Lumma4.exe |
| Analysis ID: | 1461071 |
| MD5: | 1a2a26995d43c4ad2f2c9e9e9373d5c8 |
| SHA1: | bc9592e1846b06b6e770d443c3802a887fb92987 |
| SHA256: | e5fd7cc5b7c23ab6d037e40cd141d49cffe8fdec8c9ce691b6689dfe6222982c |
| Tags: | exe |
| Infos: |  |
 | |
Detection
LummaC
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
TS-240622-Lumma4.exe (PID: 4024 cmdline: "C:\Users\ user\Deskt op\TS-2406 22-Lumma4. exe" MD5: 1A2A26995D43C4AD2F2C9E9E9373D5C8) - RegAsm.exe (PID: 7132 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
{"C2 url": ["facilitycoursedw.shop", "doughtdrillyksow.shop", "disappointcredisotw.shop", "bargainnygroandjwk.shop", "injurypiggyoewirog.shop", "leafcalfconflcitw.shop", "computerexcudesp.shop", "publicitycharetew.shop", "composepayyersellew.shop"], "Build id": "LPnhqo--@Kulaytr"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira URL Cloud: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Code function: | 2_2_00416EFA | |
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00D0F352 | |
| Source: | Code function: | 0_2_00D3A150 | |
| Source: | Code function: | 0_2_00D3C119 | |
| Source: | Code function: | 0_2_00D3C119 | |
| Source: | Code function: | 0_2_00D2E218 | |
| Source: | Code function: | 0_2_00D3A54D | |
| Source: | Code function: | 0_2_00D4A601 | |
| Source: | Code function: | 0_2_00D60748 | |
| Source: | Code function: | 0_2_00D60748 | |
| Source: | Code function: | 0_2_00D328E8 | |
| Source: | Code function: | 0_2_00D4E976 | |
| Source: | Code function: | 0_2_00D36A03 | |
| Source: | Code function: | 0_2_00D4AA03 | |
| Source: | Code function: | 0_2_00D4AA03 | |
| Source: | Code function: | 0_2_00D3CBAC | |
| Source: | Code function: | 0_2_00D5EB1E | |
| Source: | Code function: | 0_2_00D4CCD7 | |
| Source: | Code function: | 0_2_00D4CCD7 | |
| Source: | Code function: | 0_2_00D3AD98 | |
| Source: | Code function: | 0_2_00D44D88 | |
| Source: | Code function: | 0_2_00D48D2E | |
| Source: | Code function: | 0_2_00D28E38 | |
| Source: | Code function: | 0_2_00D4CFD9 | |
| Source: | Code function: | 0_2_00D4CFD9 | |
| Source: | Code function: | 0_2_00D46F14 | |
| Source: | Code function: | 0_2_00D410F8 | |
| Source: | Code function: | 0_2_00D470B8 | |
| Source: | Code function: | 0_2_00D4D032 | |
| Source: | Code function: | 0_2_00D4D032 | |
| Source: | Code function: | 0_2_00D4D023 | |
| Source: | Code function: | 0_2_00D4D023 | |
| Source: | Code function: | 0_2_00D3B189 | |
| Source: | Code function: | 0_2_00D5F18F | |
| Source: | Code function: | 0_2_00D35139 | |
| Source: | Code function: | 0_2_00D412C8 | |
| Source: | Code function: | 0_2_00D4B2B8 | |
| Source: | Code function: | 0_2_00D5F214 | |
| Source: | Code function: | 0_2_00D39368 | |
| Source: | Code function: | 0_2_00D294C8 | |
| Source: | Code function: | 0_2_00D574E8 | |
| Source: | Code function: | 0_2_00D5F405 | |
| Source: | Code function: | 0_2_00D278FF | |
| Source: | Code function: | 0_2_00D5F9A8 | |
| Source: | Code function: | 0_2_00D2FCF8 | |
| Source: | Code function: | 0_2_00D2FCF8 | |
| Source: | Code function: | 0_2_00D2FCF8 | |
| Source: | Code function: | 0_2_00D4DC84 | |
| Source: | Code function: | 0_2_00D3BC4B | |
| Source: | Code function: | 0_2_00D5FC78 | |
| Source: | Code function: | 0_2_00D4DC84 | |
| Source: | Code function: | 0_2_00D5FE48 | |
| Source: | Code function: | 0_2_00D49E27 | |
| Source: | Code function: | 0_2_00D45FB6 | |
| Source: | Code function: | 0_2_00D43F68 | |
| Source: | Code function: | 2_2_0041B100 | |
| Source: | Code function: | 2_2_004239F0 | |
| Source: | Code function: | 2_2_004399B0 | |
| Source: | Code function: | 2_2_00420BC0 | |
| Source: | Code function: | 2_2_00420BC0 | |
| Source: | Code function: | 2_2_00426CDF | |
| Source: | Code function: | 2_2_00426CDF | |
| Source: | Code function: | 2_2_00439C80 | |
| Source: | Code function: | 2_2_00427C8C | |
| Source: | Code function: | 2_2_00409D00 | |
| Source: | Code function: | 2_2_00409D00 | |
| Source: | Code function: | 2_2_00409D00 | |
| Source: | Code function: | 2_2_0041ED19 | |
| Source: | Code function: | 2_2_00415ED0 | |
| Source: | Code function: | 2_2_00415ED0 | |
| Source: | Code function: | 2_2_0042702B | |
| Source: | Code function: | 2_2_0042702B | |
| Source: | Code function: | 2_2_0042703A | |
| Source: | Code function: | 2_2_0042703A | |
| Source: | Code function: | 2_2_0040F141 | |
| Source: | Code function: | 2_2_00414158 | |
| Source: | Code function: | 2_2_00415191 | |
| Source: | Code function: | 2_2_00408220 | |
| Source: | Code function: | 2_2_004252C0 | |
| Source: | Code function: | 2_2_0041B2D0 | |
| Source: | Code function: | 2_2_00413370 | |
| Source: | Code function: | 2_2_00439370 | |
| Source: | Code function: | 2_2_004034D0 | |
| Source: | Code function: | 2_2_004314F0 | |
| Source: | Code function: | 2_2_00414555 | |
| Source: | Code function: | 2_2_0041D5A1 | |
| Source: | Code function: | 2_2_00438670 | |
| Source: | Code function: | 2_2_00438670 | |
| Source: | Code function: | 2_2_00438670 | |
| Source: | Code function: | 2_2_00438670 | |
| Source: | Code function: | 2_2_00424609 | |
| Source: | Code function: | 2_2_0043A750 | |
| Source: | Code function: | 2_2_0043A750 | |
| Source: | Code function: | 2_2_004387E0 | |
| Source: | Code function: | 2_2_004387E0 | |
| Source: | Code function: | 2_2_004387E0 | |
| Source: | Code function: | 2_2_004387E0 | |
| Source: | Code function: | 2_2_0040C8F0 | |
| Source: | Code function: | 2_2_0042897E | |
| Source: | Code function: | 2_2_00401907 | |
| Source: | Code function: | 2_2_00422920 | |
| Source: | Code function: | 2_2_004389D0 | |
| Source: | Code function: | 2_2_004389D0 | |
| Source: | Code function: | 2_2_004389D0 | |
| Source: | Code function: | 2_2_004389D0 | |
| Source: | Code function: | 2_2_00424A0B | |
| Source: | Code function: | 2_2_00424A0B | |
| Source: | Code function: | 2_2_00410A0B | |
| Source: | Code function: | 2_2_00438B40 | |
| Source: | Code function: | 2_2_00438B40 | |
| Source: | Code function: | 2_2_00438B40 | |
| Source: | Code function: | 2_2_00415C53 | |
| Source: | Code function: | 2_2_00420C30 | |
| Source: | Code function: | 2_2_00438CA0 | |
| Source: | Code function: | 2_2_00438CA0 | |
| Source: | Code function: | 2_2_00438CA0 | |
| Source: | Code function: | 2_2_00427C8C | |
| Source: | Code function: | 2_2_0041FD97 | |
| Source: | Code function: | 2_2_00414DA0 | |
| Source: | Code function: | 2_2_00402E40 | |
| Source: | Code function: | 2_2_00439E50 | |
| Source: | Code function: | 2_2_00423E20 | |
| Source: | Code function: | 2_2_00426FE1 | |
| Source: | Code function: | 2_2_00426FE1 | |
Networking | |
|---|
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 2_2_0042D810 | |
| Source: | Code function: | 2_2_0042D810 | |
| Source: | Code function: | 2_2_0042DA00 | |
| Source: | Code function: | 0_2_00D2E218 | |
| Source: | Code function: | 0_2_00D2A458 | |
| Source: | Code function: | 0_2_00D60428 | |
| Source: | Code function: | 0_2_00CFC6CD | |
| Source: | Code function: | 0_2_00CFE670 | |
| Source: | Code function: | 0_2_00D60748 | |
| Source: | Code function: | 0_2_00D2C733 | |
| Source: | Code function: | 0_2_00D34B18 | |
| Source: | Code function: | 0_2_00D0CB1F | |
| Source: | Code function: | 0_2_00D48B07 | |
| Source: | Code function: | 0_2_00D00C5A | |
| Source: | Code function: | 0_2_00D2CC68 | |
| Source: | Code function: | 0_2_00D58DE8 | |
| Source: | Code function: | 0_2_00D0AEF8 | |
| Source: | Code function: | 0_2_00D2AE18 | |
| Source: | Code function: | 0_2_00D4CFD9 | |
| Source: | Code function: | 0_2_00D00FA2 | |
| Source: | Code function: | 0_2_00D4D032 | |
| Source: | Code function: | 0_2_00D475E8 | |
| Source: | Code function: | 0_2_00D4B558 | |
| Source: | Code function: | 0_2_00D3D6E7 | |
| Source: | Code function: | 0_2_00D13682 | |
| Source: | Code function: | 0_2_00D117BA | |
| Source: | Code function: | 0_2_00CF98A0 | |
| Source: | Code function: | 0_2_00D299D8 | |
| Source: | Code function: | 2_2_004215F0 | |
| Source: | Code function: | 2_2_00417B18 | |
| Source: | Code function: | 2_2_00420BC0 | |
| Source: | Code function: | 2_2_00404E20 | |
| Source: | Code function: | 2_2_00416EFA | |
| Source: | Code function: | 2_2_0042703A | |
| Source: | Code function: | 2_2_00408220 | |
| Source: | Code function: | 2_2_00423323 | |
| Source: | Code function: | 2_2_00404460 | |
| Source: | Code function: | 2_2_0043A430 | |
| Source: | Code function: | 2_2_004014CE | |
| Source: | Code function: | 2_2_00425560 | |
| Source: | Code function: | 2_2_0041D5A1 | |
| Source: | Code function: | 2_2_00438670 | |
| Source: | Code function: | 2_2_004176E1 | |
| Source: | Code function: | 2_2_00406680 | |
| Source: | Code function: | 2_2_0043A750 | |
| Source: | Code function: | 2_2_004387E0 | |
| Source: | Code function: | 2_2_0040191C | |
| Source: | Code function: | 2_2_00422920 | |
| Source: | Code function: | 2_2_004389D0 | |
| Source: | Code function: | 2_2_004039E0 | |
| Source: | Code function: | 2_2_00401A63 | |
| Source: | Code function: | 2_2_0041DAF2 | |
| Source: | Code function: | 2_2_00438B40 | |
| Source: | Code function: | 2_2_0040EB20 | |
| Source: | Code function: | 2_2_00401BB8 | |
| Source: | Code function: | 2_2_00401C48 | |
| Source: | Code function: | 2_2_00406C70 | |
| Source: | Code function: | 2_2_00420C30 | |
| Source: | Code function: | 2_2_00401CD2 | |
| Source: | Code function: | 2_2_0041DCF2 | |
| Source: | Code function: | 2_2_00438CA0 | |
| Source: | Code function: | 2_2_00421D47 | |
| Source: | Code function: | 2_2_00432DF0 | |
| Source: | Code function: | 2_2_0041FD97 | |
| Source: | Code function: | 2_2_00401E17 | |
| Source: | Code function: | 2_2_00401F30 | |
| Source: | Code function: | 2_2_00426FE1 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 2_2_0042A52F | |
| Source: | Command line argument: | 0_2_00CE6E60 | |
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | Virustotal: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00CF7218 | |
| Source: | Code function: | 2_2_0043F0FD | |
| Source: | Code function: | 2_2_00440635 | |
| Source: | Code function: | 2_2_0043F961 | |
| Source: | Code function: | 2_2_0043FC18 | |
| Source: | Code function: | 2_2_0043EE71 | |
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | System information queried: | Jump to behavior | ||
| Source: | Evasive API call chain: | graph_0-37356 | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Code function: | 0_2_00D0F352 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 2_2_00436EA0 | |
| Source: | Code function: | 0_2_00CF7823 | |
| Source: | Code function: | 0_2_00D0AD74 | |
| Source: | Code function: | 0_2_00D052A4 | |
| Source: | Code function: | 0_2_00D0FF4C | |
| Source: | Code function: | 0_2_00CF75F4 | |
| Source: | Code function: | 0_2_00CF7823 | |
| Source: | Code function: | 0_2_00CF79B0 | |
| Source: | Code function: | 0_2_00D03947 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Code function: | 0_2_0144018D | |
| Source: | Memory written: | Jump to behavior | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00CF73E5 | |
| Source: | Code function: | 0_2_00D12091 | |
| Source: | Code function: | 0_2_00D1211C | |
| Source: | Code function: | 0_2_00D1236F | |
| Source: | Code function: | 0_2_00D12498 | |
| Source: | Code function: | 0_2_00D1259E | |
| Source: | Code function: | 0_2_00D1266D | |
| Source: | Code function: | 0_2_00D095F3 | |
| Source: | Code function: | 0_2_00D09ABC | |
| Source: | Code function: | 0_2_00D11D09 | |
| Source: | Code function: | 0_2_00D11FF6 | |
| Source: | Code function: | 0_2_00D11FAB | |
| Source: | Code function: | 0_2_00D11F04 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_00CF6BEB | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 411 Process Injection | 11 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 411 Process Injection | LSASS Memory | 131 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 Native API | Logon Script (Windows) | Logon Script (Windows) | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 4 Data from Local System | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | 1 PowerShell | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 1 Process Discovery | Distributed Component Object Model | 2 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 33 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 45% | ReversingLabs | Win32.Trojan.Generic | ||
| 50% | Virustotal | Browse | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 2% | Virustotal | Browse |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 2% | Virustotal | Browse | ||
| 0% | Virustotal | Browse | ||
| 12% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 9% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 2% | Virustotal | Browse | ||
| 0% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 9% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 13% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 9% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Virustotal | Browse | ||
| 9% | Virustotal | Browse | ||
| 9% | Virustotal | Browse | ||
| 9% | Virustotal | Browse | ||
| 0% | Virustotal | Browse | ||
| 9% | Virustotal | Browse |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| composepayyersellew.shop | 104.21.49.90 | true | true |
| unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| false |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 104.21.49.90 | composepayyersellew.shop | United States | 13335 | CLOUDFLARENETUS | true |
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1461071 |
| Start date and time: | 2024-06-22 10:16:08 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 8s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 17 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | TS-240622-Lumma4.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@3/0@1/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenFile calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
| Time | Type | Description |
|---|---|---|
| 04:17:05 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 104.21.49.90 | Get hash | malicious | LummaC | Browse | ||
| Get hash | malicious | Unknown | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| composepayyersellew.shop | Get hash | malicious | LummaC | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | AgentTesla, GuLoader | Browse |
| ||
| Get hash | malicious | DCRat | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Bazar Loader, BruteRatel, Latrodectus | Browse |
| ||
| Get hash | malicious | Bazar Loader, BruteRatel, Latrodectus | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | DBatLoader, FormBook | Browse |
|
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 7.518137729193079 |
| TrID: |
|
| File name: | TS-240622-Lumma4.exe |
| File size: | 611'368 bytes |
| MD5: | 1a2a26995d43c4ad2f2c9e9e9373d5c8 |
| SHA1: | bc9592e1846b06b6e770d443c3802a887fb92987 |
| SHA256: | e5fd7cc5b7c23ab6d037e40cd141d49cffe8fdec8c9ce691b6689dfe6222982c |
| SHA512: | b7138aaef1d2e98c898983fdc5e2255f965e6c1a03fd8b01fe22197f23f61c8e237ce15b582f50d28e64e312a6f565c0d8a13efeeb83a898bd2f2b75165d9743 |
| SSDEEP: | 12288:y58K1Ff7F68gwFVUHWtOhYQ6YtQRkl904F2VHCU8MAwWoTVLiPgsFEO:y51bCYUHR/j0kzUVHCBwhTkt |
| TLSH: | 01D4E1017680A036FCB315778FFF966D967CF9600B1925DBA3C8196ECF619E1BA30606 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......h.R.,.<.,.<.,.<...?.>.<...9...<...8.:.<.. 8.>.<...=.%.<.,.=...<.. 9.r.<.. ?.4.<..#5.-.<..#<.-.<..#>.-.<.Rich,.<................ |
 | |
| Icon Hash: | 00928e8e8686b000 |
| Entrypoint: | 0x4171fb |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x6675E9D9 [Fri Jun 21 21:00:09 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 9a3c5d45d0f2beee4c21552d9339bf74 |
| Signature Valid: | false |
| Signature Issuer: | CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US |
| Signature Validation Error: | The digital signature of the object did not verify |
| Error Number: | -2146869232 |
| Not Before, Not After |
|
| Subject Chain |
|
| Version: | 3 |
| Thumbprint MD5: | 5F1B6B6C408DB2B4D60BAA489E9A0E5A |
| Thumbprint SHA-1: | 15F760D82C79D22446CC7D4806540BF632B1E104 |
| Thumbprint SHA-256: | 28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D |
| Serial: | 0997C56CAA59055394D9A9CDB8BEEB56 |
| Instruction |
|---|
| call 00007FBB04FDE6B7h |
| jmp 00007FBB04FDDC7Fh |
| mov ecx, dword ptr [ebp-0Ch] |
| mov dword ptr fs:[00000000h], ecx |
| pop ecx |
| pop edi |
| pop edi |
| pop esi |
| pop ebx |
| mov esp, ebp |
| pop ebp |
| push ecx |
| ret |
| mov ecx, dword ptr [ebp-10h] |
| xor ecx, ebp |
| call 00007FBB04FDD822h |
| jmp 00007FBB04FDDDE2h |
| push eax |
| push dword ptr fs:[00000000h] |
| lea eax, dword ptr [esp+0Ch] |
| sub esp, dword ptr [esp+0Ch] |
| push ebx |
| push esi |
| push edi |
| mov dword ptr [eax], ebp |
| mov ebp, eax |
| mov eax, dword ptr [00446140h] |
| xor eax, ebp |
| push eax |
| push dword ptr [ebp-04h] |
| mov dword ptr [ebp-04h], FFFFFFFFh |
| lea eax, dword ptr [ebp-0Ch] |
| mov dword ptr fs:[00000000h], eax |
| ret |
| push eax |
| push dword ptr fs:[00000000h] |
| lea eax, dword ptr [esp+0Ch] |
| sub esp, dword ptr [esp+0Ch] |
| push ebx |
| push esi |
| push edi |
| mov dword ptr [eax], ebp |
| mov ebp, eax |
| mov eax, dword ptr [00446140h] |
| xor eax, ebp |
| push eax |
| mov dword ptr [ebp-10h], eax |
| push dword ptr [ebp-04h] |
| mov dword ptr [ebp-04h], FFFFFFFFh |
| lea eax, dword ptr [ebp-0Ch] |
| mov dword ptr fs:[00000000h], eax |
| ret |
| push eax |
| push dword ptr fs:[00000000h] |
| lea eax, dword ptr [esp+0Ch] |
| sub esp, dword ptr [esp+0Ch] |
| push ebx |
| push esi |
| push edi |
| mov dword ptr [eax], ebp |
| mov ebp, eax |
| mov eax, dword ptr [00446140h] |
| xor eax, ebp |
| push eax |
| mov dword ptr [ebp-10h], esp |
| push dword ptr [ebp-04h] |
| mov dword ptr [ebp-04h], FFFFFFFFh |
| lea eax, dword ptr [ebp-0Ch] |
| mov dword ptr fs:[00000000h], eax |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x451b0 | 0x50 | .rdata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x45200 | 0x64 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x92e00 | 0x2628 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x94000 | 0x2680 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x41e98 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x41ec0 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x41dd8 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x39000 | 0x180 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x374bd | 0x37600 | 3457d1e1a1fd97682c3b76d13b831f95 | False | 0.5099552059819413 | data | 6.491881070409321 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x39000 | 0xcb06 | 0xcc00 | 9b680e5995caafb6bbbe1ce71ee11084 | False | 0.41877297794117646 | data | 4.953306315436443 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x46000 | 0x4cbcc | 0x4ba00 | 56d6ed0ff6f65fd635e37bc3285a326f | False | 0.9821248708677686 | data | 7.986375387711636 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .BSs | 0x93000 | 0x543 | 0x600 | d1c6db39d5ab441c243318096ed67857 | False | 0.5579427083333334 | data | 5.5916098274429205 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .reloc | 0x94000 | 0x2680 | 0x2800 | 0704750ef21c3c45eb1e5c1179cc5d28 | False | 0.7287109375 | data | 6.4339307454096994 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| DLL | Import |
|---|---|
| GDI32.dll | Polyline |
| USER32.dll | OffsetRect |
| ADVAPI32.dll | DeleteAce, GetNumberOfEventLogRecords |
| KERNEL32.dll | WriteConsoleW, SetStdHandle, CreateFileW, HeapSize, VirtualAlloc, WaitForSingleObject, CreateThread, RaiseException, GetCurrentThreadId, IsProcessorFeaturePresent, GetLastError, FreeLibraryWhenCallbackReturns, CreateThreadpoolWork, SubmitThreadpoolWork, CloseThreadpoolWork, GetModuleHandleExW, MultiByteToWideChar, WakeAllConditionVariable, SleepConditionVariableSRW, InitOnceComplete, InitOnceBeginInitialize, GetStringTypeW, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, WideCharToMultiByte, CloseHandle, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, GetCPInfo, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsDebuggerPresent, GetStartupInfoW, GetCurrentProcessId, InitializeSListHead, RtlUnwind, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleFileNameW, GetStdHandle, WriteFile, GetFileSizeEx, SetFilePointerEx, GetFileType, HeapAlloc, HeapFree, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, SetEndOfFile |
| Name | Ordinal | Address |
|---|---|---|
| IUAhsiuchniuohAIU | 1 | 0x406da0 |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jun 22, 2024 10:17:04.799828053 CEST | 49703 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:04.799870968 CEST | 443 | 49703 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:04.799949884 CEST | 49703 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:04.801796913 CEST | 49703 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:04.801811934 CEST | 443 | 49703 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:05.285140991 CEST | 443 | 49703 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:05.285295963 CEST | 49703 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:05.289350986 CEST | 49703 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:05.289361000 CEST | 443 | 49703 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:05.289562941 CEST | 443 | 49703 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:05.332566023 CEST | 49703 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:05.332994938 CEST | 49703 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:05.333024025 CEST | 49703 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:05.333081007 CEST | 443 | 49703 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:05.724387884 CEST | 443 | 49703 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:05.724474907 CEST | 443 | 49703 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:05.724523067 CEST | 49703 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:05.742774963 CEST | 49703 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:05.742799997 CEST | 443 | 49703 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:05.742813110 CEST | 49703 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:05.742819071 CEST | 443 | 49703 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:05.747729063 CEST | 49704 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:05.747750998 CEST | 443 | 49704 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:05.747808933 CEST | 49704 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:05.748100996 CEST | 49704 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:05.748111010 CEST | 443 | 49704 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:06.224363089 CEST | 443 | 49704 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:06.224520922 CEST | 49704 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:06.230519056 CEST | 49704 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:06.230530977 CEST | 443 | 49704 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:06.230801105 CEST | 443 | 49704 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:06.233187914 CEST | 49704 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:06.233202934 CEST | 49704 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:06.233247042 CEST | 443 | 49704 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:06.620337009 CEST | 443 | 49704 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:06.620374918 CEST | 443 | 49704 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:06.620408058 CEST | 443 | 49704 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:06.620425940 CEST | 49704 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:06.620451927 CEST | 443 | 49704 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:06.620493889 CEST | 443 | 49704 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:06.620496035 CEST | 49704 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:06.620503902 CEST | 443 | 49704 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:06.620553017 CEST | 49704 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:06.620558977 CEST | 443 | 49704 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:06.620733023 CEST | 443 | 49704 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:06.620767117 CEST | 49704 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:06.620770931 CEST | 443 | 49704 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:06.621023893 CEST | 443 | 49704 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:06.621057034 CEST | 49704 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:06.621061087 CEST | 443 | 49704 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:06.625045061 CEST | 443 | 49704 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:06.625098944 CEST | 49704 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:06.625111103 CEST | 443 | 49704 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:06.676593065 CEST | 49704 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:06.715965986 CEST | 443 | 49704 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:06.716170073 CEST | 443 | 49704 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:06.716245890 CEST | 49704 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:06.716259003 CEST | 443 | 49704 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:06.716289043 CEST | 443 | 49704 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:06.716345072 CEST | 49704 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:06.716376066 CEST | 443 | 49704 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:06.716676950 CEST | 443 | 49704 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:06.716732979 CEST | 49704 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:06.716782093 CEST | 49704 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:06.716800928 CEST | 443 | 49704 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:06.716810942 CEST | 49704 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:06.716815948 CEST | 443 | 49704 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:06.798633099 CEST | 49705 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:06.798733950 CEST | 443 | 49705 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:06.798918009 CEST | 49705 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:06.805536985 CEST | 49705 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:06.805572033 CEST | 443 | 49705 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:07.272959948 CEST | 443 | 49705 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:07.273191929 CEST | 49705 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:07.274158955 CEST | 49705 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:07.274185896 CEST | 443 | 49705 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:07.274499893 CEST | 443 | 49705 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:07.275635004 CEST | 49705 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:07.275770903 CEST | 49705 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:07.275799990 CEST | 443 | 49705 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:07.688291073 CEST | 443 | 49705 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:07.688390970 CEST | 443 | 49705 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:07.688457012 CEST | 49705 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:07.688551903 CEST | 49705 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:07.688585997 CEST | 443 | 49705 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:07.713570118 CEST | 49706 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:07.713613987 CEST | 443 | 49706 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:07.713692904 CEST | 49706 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:07.713998079 CEST | 49706 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:07.714037895 CEST | 443 | 49706 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:08.173768997 CEST | 443 | 49706 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:08.173860073 CEST | 49706 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:08.175348997 CEST | 49706 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:08.175379992 CEST | 443 | 49706 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:08.175636053 CEST | 443 | 49706 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:08.177180052 CEST | 49706 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:08.177344084 CEST | 49706 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:08.177388906 CEST | 443 | 49706 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:08.177449942 CEST | 49706 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:08.177463055 CEST | 443 | 49706 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:08.609790087 CEST | 443 | 49706 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:08.609901905 CEST | 443 | 49706 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:08.609963894 CEST | 49706 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:08.610089064 CEST | 49706 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:08.610136032 CEST | 443 | 49706 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:08.680067062 CEST | 49707 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:08.680104017 CEST | 443 | 49707 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:08.680285931 CEST | 49707 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:08.680568933 CEST | 49707 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:08.680584908 CEST | 443 | 49707 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:09.157336950 CEST | 443 | 49707 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:09.158593893 CEST | 49707 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:09.203210115 CEST | 49707 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:09.203244925 CEST | 443 | 49707 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:09.203521013 CEST | 443 | 49707 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:09.211502075 CEST | 49707 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:09.211683989 CEST | 49707 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:09.211710930 CEST | 443 | 49707 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:09.218599081 CEST | 49707 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:09.218610048 CEST | 443 | 49707 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:09.741184950 CEST | 443 | 49707 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:09.741303921 CEST | 443 | 49707 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:09.741353035 CEST | 49707 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:09.741431952 CEST | 49707 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:09.741445065 CEST | 443 | 49707 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:09.905391932 CEST | 49708 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:09.905450106 CEST | 443 | 49708 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:09.905514002 CEST | 49708 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:09.905883074 CEST | 49708 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:09.905900955 CEST | 443 | 49708 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:10.363270998 CEST | 443 | 49708 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:10.363368034 CEST | 49708 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:10.364872932 CEST | 49708 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:10.364906073 CEST | 443 | 49708 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:10.365166903 CEST | 443 | 49708 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:10.366436958 CEST | 49708 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:10.366574049 CEST | 49708 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:10.366616964 CEST | 443 | 49708 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:10.784053087 CEST | 443 | 49708 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:10.784154892 CEST | 443 | 49708 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:10.784267902 CEST | 49708 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:10.784607887 CEST | 49708 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:10.784634113 CEST | 443 | 49708 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:10.798305988 CEST | 49709 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:10.798346043 CEST | 443 | 49709 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:10.798619986 CEST | 49709 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:10.798718929 CEST | 49709 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:10.798732042 CEST | 443 | 49709 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:11.254102945 CEST | 443 | 49709 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:11.254242897 CEST | 49709 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:11.255739927 CEST | 49709 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:11.255750895 CEST | 443 | 49709 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:11.255990028 CEST | 443 | 49709 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:11.257663965 CEST | 49709 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:11.258090973 CEST | 49709 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:11.258096933 CEST | 443 | 49709 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:11.636612892 CEST | 443 | 49709 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:11.636751890 CEST | 443 | 49709 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:11.636820078 CEST | 49709 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:11.637001038 CEST | 49709 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:11.637017965 CEST | 443 | 49709 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:12.439536095 CEST | 49710 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:12.439578056 CEST | 443 | 49710 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:12.439655066 CEST | 49710 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:12.440057993 CEST | 49710 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:12.440073013 CEST | 443 | 49710 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:12.900670052 CEST | 443 | 49710 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:12.900744915 CEST | 49710 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:12.902806044 CEST | 49710 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:12.902816057 CEST | 443 | 49710 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:12.903148890 CEST | 443 | 49710 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:12.904696941 CEST | 49710 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:12.905683041 CEST | 49710 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:12.905715942 CEST | 443 | 49710 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:12.905792952 CEST | 49710 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:12.905823946 CEST | 443 | 49710 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:12.905917883 CEST | 49710 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:12.905971050 CEST | 443 | 49710 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:12.906099081 CEST | 49710 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:12.906112909 CEST | 443 | 49710 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:12.906240940 CEST | 49710 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:12.906254053 CEST | 443 | 49710 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:12.906393051 CEST | 49710 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:12.906404972 CEST | 49710 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:12.906414986 CEST | 443 | 49710 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:12.906781912 CEST | 49710 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:12.906804085 CEST | 49710 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:12.916265011 CEST | 443 | 49710 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:12.916455030 CEST | 49710 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:12.916472912 CEST | 443 | 49710 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:12.916492939 CEST | 49710 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:12.916503906 CEST | 49710 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:12.916515112 CEST | 443 | 49710 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:12.916627884 CEST | 49710 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:12.916661978 CEST | 49710 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:12.916683912 CEST | 49710 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:12.921009064 CEST | 443 | 49710 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:12.921149015 CEST | 49710 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:12.921159983 CEST | 443 | 49710 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:14.306961060 CEST | 443 | 49710 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:14.307085037 CEST | 443 | 49710 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:14.308670044 CEST | 49710 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:14.315037012 CEST | 49710 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:14.315053940 CEST | 443 | 49710 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:14.317457914 CEST | 49711 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:14.317550898 CEST | 443 | 49711 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:14.317646027 CEST | 49711 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:14.317956924 CEST | 49711 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:14.317995071 CEST | 443 | 49711 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:14.776371956 CEST | 443 | 49711 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:14.776520967 CEST | 49711 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:14.788187027 CEST | 49711 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:14.788223028 CEST | 443 | 49711 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:14.788589954 CEST | 443 | 49711 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:14.789891005 CEST | 49711 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:14.789948940 CEST | 49711 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:14.789995909 CEST | 443 | 49711 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:15.453807116 CEST | 443 | 49711 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:15.453917027 CEST | 443 | 49711 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:15.454015017 CEST | 49711 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:15.454176903 CEST | 49711 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:15.454217911 CEST | 443 | 49711 | 104.21.49.90 | 192.168.2.7 |
| Jun 22, 2024 10:17:15.454246998 CEST | 49711 | 443 | 192.168.2.7 | 104.21.49.90 |
| Jun 22, 2024 10:17:15.454263926 CEST | 443 | 49711 | 104.21.49.90 | 192.168.2.7 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jun 22, 2024 10:17:04.784574032 CEST | 56187 | 53 | 192.168.2.7 | 1.1.1.1 |
| Jun 22, 2024 10:17:04.795172930 CEST | 53 | 56187 | 1.1.1.1 | 192.168.2.7 |
| Jun 22, 2024 10:17:25.917974949 CEST | 53 | 60422 | 1.1.1.1 | 192.168.2.7 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jun 22, 2024 10:17:04.784574032 CEST | 192.168.2.7 | 1.1.1.1 | 0x2f8b | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jun 22, 2024 10:17:04.795172930 CEST | 1.1.1.1 | 192.168.2.7 | 0x2f8b | No error (0) | 104.21.49.90 | A (IP address) | IN (0x0001) | false | ||
| Jun 22, 2024 10:17:04.795172930 CEST | 1.1.1.1 | 192.168.2.7 | 0x2f8b | No error (0) | 172.67.189.112 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.7 | 49703 | 104.21.49.90 | 443 | 7132 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-06-22 08:17:05 UTC | 271 | OUT | |
| 2024-06-22 08:17:05 UTC | 8 | OUT | |
| 2024-06-22 08:17:05 UTC | 820 | IN | |
| 2024-06-22 08:17:05 UTC | 7 | IN | |
| 2024-06-22 08:17:05 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.7 | 49704 | 104.21.49.90 | 443 | 7132 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-06-22 08:17:06 UTC | 272 | OUT | |
| 2024-06-22 08:17:06 UTC | 57 | OUT | |
| 2024-06-22 08:17:06 UTC | 810 | IN | |
| 2024-06-22 08:17:06 UTC | 559 | IN | |
| 2024-06-22 08:17:06 UTC | 1369 | IN | |
| 2024-06-22 08:17:06 UTC | 1369 | IN | |
| 2024-06-22 08:17:06 UTC | 1369 | IN | |
| 2024-06-22 08:17:06 UTC | 1369 | IN | |
| 2024-06-22 08:17:06 UTC | 1369 | IN | |
| 2024-06-22 08:17:06 UTC | 1369 | IN | |
| 2024-06-22 08:17:06 UTC | 1369 | IN | |
| 2024-06-22 08:17:06 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.7 | 49705 | 104.21.49.90 | 443 | 7132 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-06-22 08:17:07 UTC | 290 | OUT | |
| 2024-06-22 08:17:07 UTC | 12847 | OUT | |
| 2024-06-22 08:17:07 UTC | 812 | IN | |
| 2024-06-22 08:17:07 UTC | 19 | IN | |
| 2024-06-22 08:17:07 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.7 | 49706 | 104.21.49.90 | 443 | 7132 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-06-22 08:17:08 UTC | 290 | OUT | |
| 2024-06-22 08:17:08 UTC | 15079 | OUT | |
| 2024-06-22 08:17:08 UTC | 814 | IN | |
| 2024-06-22 08:17:08 UTC | 19 | IN | |
| 2024-06-22 08:17:08 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.7 | 49707 | 104.21.49.90 | 443 | 7132 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-06-22 08:17:09 UTC | 290 | OUT | |
| 2024-06-22 08:17:09 UTC | 15331 | OUT | |
| 2024-06-22 08:17:09 UTC | 5073 | OUT | |
| 2024-06-22 08:17:09 UTC | 816 | IN | |
| 2024-06-22 08:17:09 UTC | 19 | IN | |
| 2024-06-22 08:17:09 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.7 | 49708 | 104.21.49.90 | 443 | 7132 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-06-22 08:17:10 UTC | 289 | OUT | |
| 2024-06-22 08:17:10 UTC | 7087 | OUT | |
| 2024-06-22 08:17:10 UTC | 818 | IN | |
| 2024-06-22 08:17:10 UTC | 19 | IN | |
| 2024-06-22 08:17:10 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.7 | 49709 | 104.21.49.90 | 443 | 7132 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-06-22 08:17:11 UTC | 289 | OUT | |
| 2024-06-22 08:17:11 UTC | 1244 | OUT | |
| 2024-06-22 08:17:11 UTC | 808 | IN | |
| 2024-06-22 08:17:11 UTC | 19 | IN | |
| 2024-06-22 08:17:11 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.7 | 49710 | 104.21.49.90 | 443 | 7132 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-06-22 08:17:12 UTC | 291 | OUT | |
| 2024-06-22 08:17:12 UTC | 15331 | OUT | |
| 2024-06-22 08:17:12 UTC | 15331 | OUT | |
| 2024-06-22 08:17:12 UTC | 15331 | OUT | |
| 2024-06-22 08:17:12 UTC | 15331 | OUT | |
| 2024-06-22 08:17:12 UTC | 15331 | OUT | |
| 2024-06-22 08:17:12 UTC | 15331 | OUT | |
| 2024-06-22 08:17:12 UTC | 15331 | OUT | |
| 2024-06-22 08:17:12 UTC | 15331 | OUT | |
| 2024-06-22 08:17:12 UTC | 15331 | OUT | |
| 2024-06-22 08:17:12 UTC | 15331 | OUT | |
| 2024-06-22 08:17:14 UTC | 810 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 8 | 192.168.2.7 | 49711 | 104.21.49.90 | 443 | 7132 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-06-22 08:17:14 UTC | 272 | OUT | |
| 2024-06-22 08:17:14 UTC | 92 | OUT | |
| 2024-06-22 08:17:15 UTC | 810 | IN | |
| 2024-06-22 08:17:15 UTC | 54 | IN | |
| 2024-06-22 08:17:15 UTC | 5 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 04:17:03 |
| Start date: | 22/06/2024 |
| Path: | C:\Users\user\Desktop\TS-240622-Lumma4.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xce0000 |
| File size: | 611'368 bytes |
| MD5 hash: | 1A2A26995D43C4AD2F2C9E9E9373D5C8 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 04:17:03 |
| Start date: | 22/06/2024 |
| Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x600000 |
| File size: | 65'440 bytes |
| MD5 hash: | 0D5DF43AF2916F47D00C1573797C1A13 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 2.9% |
| Dynamic/Decrypted Code Coverage: | 1.1% |
| Signature Coverage: | 4.1% |
| Total number of Nodes: | 557 |
| Total number of Limit Nodes: | 16 |
Graph
Function 0144018D Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282threadinjectionmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D0AD74 Relevance: .0, Instructions: 22COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D052A4 Relevance: .0, Instructions: 12COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D15673 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D097BC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE69A0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE62F0 Relevance: 6.1, APIs: 4, Instructions: 139COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE6418 Relevance: 4.6, APIs: 3, Instructions: 75COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE6AA0 Relevance: 3.0, APIs: 2, Instructions: 18synchronizationthreadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE6F4B Relevance: 3.0, APIs: 2, Instructions: 17COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CF42D5 Relevance: 1.6, APIs: 1, Instructions: 66COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D0E618 Relevance: 1.6, APIs: 1, Instructions: 54COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CF3470 Relevance: 1.5, APIs: 1, Instructions: 22COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D44D88 Relevance: 14.2, Strings: 11, Instructions: 462COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D13682 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D2FCF8 Relevance: 9.2, Strings: 7, Instructions: 442COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D12498 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D11D09 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CF7823 Relevance: 6.1, APIs: 4, Instructions: 70COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D1211C Relevance: 4.7, APIs: 3, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D3D6E7 Relevance: 4.1, Strings: 3, Instructions: 311COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4B558 Relevance: 3.0, Strings: 2, Instructions: 499COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D2AE18 Relevance: 2.9, Strings: 2, Instructions: 396COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D49E27 Relevance: 2.7, Strings: 2, Instructions: 165COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D5F9A8 Relevance: 2.7, Strings: 2, Instructions: 156COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D410F8 Relevance: 2.6, Strings: 2, Instructions: 139COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4DC84 Relevance: 1.7, Strings: 1, Instructions: 450COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4CFD9 Relevance: 1.7, Strings: 1, Instructions: 424COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4D032 Relevance: 1.7, Strings: 1, Instructions: 424COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CF73E5 Relevance: 1.6, APIs: 1, Instructions: 147COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4D023 Relevance: 1.6, Strings: 1, Instructions: 381COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D0F352 Relevance: 1.6, APIs: 1, Instructions: 108COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4CCD7 Relevance: 1.6, Strings: 1, Instructions: 350COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D1236F Relevance: 1.6, APIs: 1, Instructions: 83COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D60748 Relevance: 1.6, Strings: 1, Instructions: 306COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D1259E Relevance: 1.5, APIs: 1, Instructions: 45COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D11F04 Relevance: 1.5, APIs: 1, Instructions: 43COMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D60428 Relevance: 1.5, Strings: 1, Instructions: 291COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D2CC68 Relevance: 1.5, Strings: 1, Instructions: 262COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CF79B0 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D3BC4B Relevance: 1.4, Strings: 1, Instructions: 161COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D5FC78 Relevance: 1.4, Strings: 1, Instructions: 155COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D5FE48 Relevance: 1.4, Strings: 1, Instructions: 152COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D3A150 Relevance: 1.4, Strings: 1, Instructions: 103COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D43F68 Relevance: 1.3, Strings: 1, Instructions: 67COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D0FF4C Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D2E218 Relevance: .8, Instructions: 829COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D299D8 Relevance: .7, Instructions: 709COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D2A458 Relevance: .6, Instructions: 598COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D2C733 Relevance: .4, Instructions: 420COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D412C8 Relevance: .4, Instructions: 396COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D475E8 Relevance: .4, Instructions: 370COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D117BA Relevance: .3, Instructions: 327COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4A601 Relevance: .3, Instructions: 275COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4AA03 Relevance: .3, Instructions: 270COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D48B07 Relevance: .2, Instructions: 200COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D3CBAC Relevance: .2, Instructions: 191COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D58DE8 Relevance: .2, Instructions: 179COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D28E38 Relevance: .2, Instructions: 170COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4E976 Relevance: .2, Instructions: 160COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D470B8 Relevance: .2, Instructions: 159COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CFC6CD Relevance: .2, Instructions: 158COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D294C8 Relevance: .2, Instructions: 156COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D39368 Relevance: .1, Instructions: 146COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D34B18 Relevance: .1, Instructions: 136COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D3C119 Relevance: .1, Instructions: 123COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D45FB6 Relevance: .1, Instructions: 104COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D35139 Relevance: .1, Instructions: 99COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D3AD98 Relevance: .1, Instructions: 85COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D5F214 Relevance: .1, Instructions: 77COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D48D2E Relevance: .1, Instructions: 76COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CF98A0 Relevance: .1, Instructions: 76COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D3B189 Relevance: .1, Instructions: 72COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D574E8 Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D4B2B8 Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D36A03 Relevance: .1, Instructions: 57COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D3A54D Relevance: .1, Instructions: 53COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D5F405 Relevance: .0, Instructions: 36COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D46F14 Relevance: .0, Instructions: 29COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D328E8 Relevance: .0, Instructions: 21COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D278FF Relevance: .0, Instructions: 9COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D5EB1E Relevance: .0, Instructions: 6COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D5F18F Relevance: .0, Instructions: 6COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE2370 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 40COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CF6BA6 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CFA632 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CF4EBA Relevance: 10.6, APIs: 7, Instructions: 65COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE7500 Relevance: 9.2, APIs: 6, Instructions: 175COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CF06A0 Relevance: 9.1, APIs: 6, Instructions: 105COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D052C6 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00D0EB5A Relevance: 7.7, APIs: 5, Instructions: 202COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE9E40 Relevance: 7.7, APIs: 5, Instructions: 162COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CF62E9 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE4580 Relevance: 7.6, APIs: 5, Instructions: 84COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CEE060 Relevance: 7.6, APIs: 5, Instructions: 64COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CEF1A0 Relevance: 7.6, APIs: 5, Instructions: 64COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CEF5C0 Relevance: 7.6, APIs: 5, Instructions: 64COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CED810 Relevance: 7.6, APIs: 5, Instructions: 64COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CEDF90 Relevance: 7.6, APIs: 5, Instructions: 64COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE41F0 Relevance: 7.6, APIs: 5, Instructions: 50threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CF4C3D Relevance: 7.5, APIs: 5, Instructions: 44COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CF3FA5 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CFB3C7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE65A0 Relevance: 6.1, APIs: 4, Instructions: 99COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CF2D30 Relevance: 6.1, APIs: 4, Instructions: 80COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CFA9D7 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00CE3EA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 15.2% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 10.9% |
| Total number of Nodes: | 330 |
| Total number of Limit Nodes: | 26 |
Graph
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00436EA0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 12libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042A52F Relevance: .0, Instructions: 20COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040A3A0 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 286libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00418D90 Relevance: 3.1, APIs: 2, Instructions: 131COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00428FBD Relevance: 1.6, APIs: 1, Instructions: 88memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043676F Relevance: 1.6, APIs: 1, Instructions: 69libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00436DB4 Relevance: 1.6, APIs: 1, Instructions: 63memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00435304 Relevance: 1.6, APIs: 1, Instructions: 62memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00435212 Relevance: 1.6, APIs: 1, Instructions: 61memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00433193 Relevance: 1.5, APIs: 1, Instructions: 29COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042D810 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 159clipboardCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|