Edit tour
Windows
Analysis Report
SecuriteInfo.com.Win64.Malware-gen.24311.29797.exe
Overview
General Information
| Sample name: | SecuriteInfo.com.Win64.Malware-gen.24311.29797.exe |
| Analysis ID: | 1467157 |
| MD5: | f308be1162c86c3d72ad06c4c85a67d4 |
| SHA1: | c09e56bde09f752265d8527dd930715ce8e149e2 |
| SHA256: | 842e6467d3f6bddb484929a8dba9757920e0b484d8addf40a8fe69f8b205f174 |
| Tags: | exeLummaStealer |
| Infos: |  |
 | |
Detection
LummaC
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
SecuriteInfo.com.Win64.Malware-gen.24311.29797.exe (PID: 6660 cmdline: "C:\Users\ user\Deskt op\Securit eInfo.com. Win64.Malw are-gen.24 311.29797. exe" MD5: F308BE1162C86C3D72AD06C4C85A67D4) 
BitLockerToGo.exe (PID: 1868 cmdline: C:\Windows \BitLocker DiscoveryV olumeConte nts\BitLoc kerToGo.ex e MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
{"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyz", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop", "willingyhollowsk.shop", "pedestriankodwu.xyz", "towerxxuytwi.xyz", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop", "willingyhollowsk.shop"], "Build id": "fuOLMb--palpatine"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| Msfpayloads_msf_9 | Metasploit Payloads - file msf.war - contents | Florian Roth |
| |
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | ||
| Click to see the 1 entries | ||||
⊘No Sigma rule has matched
| Timestamp: | 07/03/24-19:31:31.842065 |
| SID: | 2054183 |
| Source Port: | 49743 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 07/03/24-19:31:21.307377 |
| SID: | 2053384 |
| Source Port: | 58968 |
| Destination Port: | 53 |
| Protocol: | UDP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 07/03/24-19:31:33.722455 |
| SID: | 2054183 |
| Source Port: | 49744 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 07/03/24-19:31:27.386052 |
| SID: | 2054183 |
| Source Port: | 49740 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 07/03/24-19:31:25.885422 |
| SID: | 2054183 |
| Source Port: | 49739 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 07/03/24-19:31:29.390988 |
| SID: | 2054183 |
| Source Port: | 49741 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 07/03/24-19:31:24.402178 |
| SID: | 2054183 |
| Source Port: | 49737 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 07/03/24-19:31:22.348758 |
| SID: | 2054183 |
| Source Port: | 49735 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 07/03/24-19:31:21.319048 |
| SID: | 2054182 |
| Source Port: | 55667 |
| Destination Port: | 53 |
| Protocol: | UDP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 07/03/24-19:31:21.346175 |
| SID: | 2054183 |
| Source Port: | 49732 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 07/03/24-19:31:30.493459 |
| SID: | 2054183 |
| Source Port: | 49742 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Code function: | 2_2_02447866 | |
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 2_2_02449284 | |
| Source: | Code function: | 2_2_02449284 | |
| Source: | Code function: | 2_2_02447293 | |
| Source: | Code function: | 2_2_02448349 | |
| Source: | Code function: | 2_2_02448349 | |
| Source: | Code function: | 2_2_0246D130 | |
| Source: | Code function: | 2_2_024526F0 | |
| Source: | Code function: | 2_2_024534B0 | |
| Source: | Code function: | 2_2_02469B15 | |
| Source: | Code function: | 2_2_02457BF1 | |
| Source: | Code function: | 2_2_0246980B | |
| Source: | Code function: | 2_2_024518B0 | |
| Source: | Code function: | 2_2_0244FE8B | |
| Source: | Code function: | 2_2_0244FE8B | |
| Source: | Code function: | 2_2_02450E98 | |
| Source: | Code function: | 2_2_02450E98 | |
| Source: | Code function: | 2_2_0244BF50 | |
| Source: | Code function: | 2_2_02446F50 | |
| Source: | Code function: | 2_2_02446F50 | |
| Source: | Code function: | 2_2_02440F3E | |
| Source: | Code function: | 2_2_02438280 | |
| Source: | Code function: | 2_2_0245901A | |
| Source: | Code function: | 2_2_0245901A | |
| Source: | Code function: | 2_2_02446149 | |
| Source: | Code function: | 2_2_02446149 | |
| Source: | Code function: | 2_2_0244C110 | |
| Source: | Code function: | 2_2_0244C110 | |
| Source: | Code function: | 2_2_024571E0 | |
| Source: | Code function: | 2_2_0243161F | |
| Source: | Code function: | 2_2_0243161F | |
| Source: | Code function: | 2_2_02469631 | |
| Source: | Code function: | 2_2_024336F0 | |
| Source: | Code function: | 2_2_024316B3 | |
| Source: | Code function: | 2_2_02457773 | |
| Source: | Code function: | 2_2_0246D710 | |
| Source: | Code function: | 2_2_02469445 | |
| Source: | Code function: | 2_2_0246B40A | |
| Source: | Code function: | 2_2_024694C0 | |
| Source: | Code function: | 2_2_024314E8 | |
| Source: | Code function: | 2_2_02453480 | |
| Source: | Code function: | 2_2_02463560 | |
| Source: | Code function: | 2_2_024515EF | |
| Source: | Code function: | 2_2_024415F7 | |
| Source: | Code function: | 2_2_0243EA20 | |
| Source: | Code function: | 2_2_02433A30 | |
| Source: | Code function: | 2_2_02444A9B | |
| Source: | Code function: | 2_2_02457ABC | |
| Source: | Code function: | 2_2_024568D0 | |
| Source: | Code function: | 2_2_02439970 | |
| Source: | Code function: | 2_2_02439970 | |
| Source: | Code function: | 2_2_0245991D | |
| Source: | Code function: | 2_2_024469A0 | |
| Source: | Code function: | 2_2_02454ED7 | |
| Source: | Code function: | 2_2_02452EF0 | |
| Source: | Code function: | 2_2_02452EF0 | |
| Source: | Code function: | 2_2_02451C30 | |
| Source: | Code function: | 2_2_0244BDD3 | |
| Source: | Code function: | 2_2_02465DD9 | |
| Source: | Code function: | 2_2_02438DA0 | |
Networking | |
|---|
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 2_2_02460030 | |
| Source: | Code function: | 2_2_02460030 | |
| Source: | Binary or memory string: | ||
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Code function: | 2_2_02448349 | |
| Source: | Code function: | 2_2_024526F0 | |
| Source: | Code function: | 2_2_024534B0 | |
| Source: | Code function: | 2_2_02465E20 | |
| Source: | Code function: | 2_2_02434E30 | |
| Source: | Code function: | 2_2_02450E98 | |
| Source: | Code function: | 2_2_02451C99 | |
| Source: | Code function: | 2_2_02438280 | |
| Source: | Code function: | 2_2_0245901A | |
| Source: | Code function: | 2_2_0246C020 | |
| Source: | Code function: | 2_2_02454148 | |
| Source: | Code function: | 2_2_02440170 | |
| Source: | Code function: | 2_2_0244C110 | |
| Source: | Code function: | 2_2_024366B0 | |
| Source: | Code function: | 2_2_0246D710 | |
| Source: | Code function: | 2_2_02465460 | |
| Source: | Code function: | 2_2_0246D400 | |
| Source: | Code function: | 2_2_02434430 | |
| Source: | Code function: | 2_2_02468580 | |
| Source: | Code function: | 2_2_02433A30 | |
| Source: | Code function: | 2_2_02453AD9 | |
| Source: | Code function: | 2_2_0246BB50 | |
| Source: | Code function: | 2_2_02456B70 | |
| Source: | Code function: | 2_2_02436BE0 | |
| Source: | Code function: | 2_2_02435940 | |
| Source: | Code function: | 2_2_0245D98C | |
| Source: | Code function: | 2_2_02438ED0 | |
| Source: | Code function: | 2_2_02431EF0 | |
| Source: | Code function: | 2_2_02452EF0 | |
| Source: | Code function: | 2_2_0245AFE8 | |
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Matched rule: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 2_2_0245F96C | |
| Source: | File created: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 2_2_02471E95 | |
| Source: | Code function: | 2_2_02472CBA | |
| Source: | Code function: | 2_2_02472CBA | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | System information queried: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 2_2_02469BC0 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 311 Process Injection | 1 Masquerading | 2 OS Credential Dumping | 111 Security Software Discovery | Remote Services | 21 Input Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Virtualization/Sandbox Evasion | 21 Input Capture | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 311 Process Injection | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | 4 Data from Local System | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Deobfuscate/Decode Files or Information | NTDS | 12 System Information Discovery | Distributed Component Object Model | 2 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 42% | ReversingLabs | Win32.Trojan.Generic |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| potterryisiw.shop | 188.114.96.3 | true | true | unknown | |
| willingyhollowsk.shop | unknown | unknown | true | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | unknown | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 188.114.96.3 | potterryisiw.shop | European Union | 13335 | CLOUDFLARENETUS | true |
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1467157 |
| Start date and time: | 2024-07-03 19:30:12 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 36s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 7 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | SecuriteInfo.com.Win64.Malware-gen.24311.29797.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@3/0@2/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target SecuriteInfo.com.Win64.Malware-gen.24311.29797.exe, PID 6660 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- VT rate limit hit for: SecuriteInfo.com.Win64.Malware-gen.24311.29797.exe
| Time | Type | Description |
|---|---|---|
| 13:31:23 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 188.114.96.3 | Get hash | malicious | FormBook | Browse |
| |
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | DBatLoader, FormBook | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| potterryisiw.shop | Get hash | malicious | LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC, PureLog Stealer, RisePro Stealer, Vidar, zgRAT | Browse |
| ||
| Get hash | malicious | LummaC Stealer, Mars Stealer, PrivateLoader, PureLog Stealer, Socks5Systemz, Stealc, Vidar | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | Phisher | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | Clipboard Hijacker, PureLog Stealer, RisePro Stealer | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | LummaC, Poverty Stealer, SmokeLoader | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | Clipboard Hijacker, PureLog Stealer, RisePro Stealer | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | CVE-2024-21412 | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | DBatLoader, FormBook | Browse |
| ||
| Get hash | malicious | DBatLoader, FormBook | Browse |
| ||
| Get hash | malicious | Remcos, DBatLoader | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 6.603041940173322 |
| TrID: |
|
| File name: | SecuriteInfo.com.Win64.Malware-gen.24311.29797.exe |
| File size: | 7'386'624 bytes |
| MD5: | f308be1162c86c3d72ad06c4c85a67d4 |
| SHA1: | c09e56bde09f752265d8527dd930715ce8e149e2 |
| SHA256: | 842e6467d3f6bddb484929a8dba9757920e0b484d8addf40a8fe69f8b205f174 |
| SHA512: | 801d273afcf3994c0b02466e3d5343cbb5ec6665abaf5b9a6e4e376e39e0dec6b572d9b7760f53842e6a65c6314567c85fea9a41833a8c29ed3b0c5d57c1108a |
| SSDEEP: | 49152:EfMhc7XOayJj55BNcU0KA///skFyE6OjBuXVBw5yyk0+fNH4YxVjM5EmOj1Ggdap:Osc7XL4JNgB01XVKkuFEmBhIGFH |
| TLSH: | 7A768D17FDA145E9C4AE9132C5A6A1227A327C482B6227D73F50F7683F32BE05EB5740 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$.\'...p................@............................. w.......q...`... ............................ |
 | |
| Icon Hash: | 0731c9cc8cc96307 |
| Entrypoint: | 0x1400014c0 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x140000000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x0 [Thu Jan 1 00:00:00 1970 UTC] |
| TLS Callbacks: | 0x4026b490, 0x1, 0x4026b460, 0x1, 0x4026eef0, 0x1 |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 1 |
| File Version Major: | 6 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 1 |
| Import Hash: | 5929190c8765f5bc37b052ab5c6c53e7 |
| Instruction |
|---|
| dec eax |
| sub esp, 28h |
| dec eax |
| mov eax, dword ptr [006E79D5h] |
| mov dword ptr [eax], 00000001h |
| call 00007F116886E18Fh |
| nop |
| nop |
| dec eax |
| add esp, 28h |
| ret |
| nop dword ptr [eax] |
| dec eax |
| sub esp, 28h |
| dec eax |
| mov eax, dword ptr [006E79B5h] |
| mov dword ptr [eax], 00000000h |
| call 00007F116886E16Fh |
| nop |
| nop |
| dec eax |
| add esp, 28h |
| ret |
| nop dword ptr [eax] |
| dec eax |
| sub esp, 28h |
| call 00007F1168AE322Ch |
| dec eax |
| test eax, eax |
| sete al |
| movzx eax, al |
| neg eax |
| dec eax |
| add esp, 28h |
| ret |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| dec eax |
| lea ecx, dword ptr [00000009h] |
| jmp 00007F116886E4A9h |
| nop dword ptr [eax+00h] |
| ret |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| jmp dword ptr [eax] |
| inc edi |
| outsd |
| and byte ptr [edx+75h], ah |
| imul ebp, dword ptr [esp+20h], 203A4449h |
| and ch, byte ptr [ecx+esi+4Ch] |
| je 00007F116886E50Ah |
| push eax |
| pop edi |
| dec ebp |
| xor ecx, dword ptr [esi+4Ch] |
| xor byte ptr [eax+74h], ch |
| push esi |
| imul eax, dword ptr [ecx+4Ah], 6Ah |
| das |
| pop edx |
| inc ecx |
| xor al, 58h |
| popad |
| xor dword ptr [ecx+edi*2+69h], ebp |
| je 00007F116886E51Eh |
| jnc 00007F116886E547h |
| dec eax |
| aaa |
| push eax |
| outsb |
| jp 00007F116886E53Eh |
| dec ebx |
| das |
| outsb |
| pop ecx |
| insd |
| inc edi |
| jne 00007F116886E537h |
| inc edi |
| insb |
| dec edx |
| arpl word ptr [ecx+50h], sp |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x759000 | 0x4e | .edata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x75a000 | 0x13d0 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x75e000 | 0x41dc | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x6ea000 | 0xe364 | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x763000 | 0xe378 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x6e8800 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x75a47c | 0x440 | .idata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x275a20 | 0x275c00 | 57570d21985270df0b9fc874891656ce | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0x277000 | 0xc6b50 | 0xc6c00 | 2c071c9882c736db99c75d35bdb325ce | False | 0.1854203518081761 | dBase III DBT, version number 0, next free block index 10, 1st item "" | 5.627259301122143 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rdata | 0x33e000 | 0x3ab630 | 0x3ab800 | a3b8a58bd63dc0c41373eb9ae731b5cb | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
| .pdata | 0x6ea000 | 0xe364 | 0xe400 | d1ae195922c1c92e5eeaeb8f8a8b034e | False | 0.4123663651315789 | data | 5.539421391597901 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
| .xdata | 0x6f9000 | 0xc44 | 0xe00 | c7f78595338319b1c0e31929e5f70e19 | False | 0.25613839285714285 | data | 3.977434312015775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
| .bss | 0x6fa000 | 0x5ee60 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .edata | 0x759000 | 0x4e | 0x200 | 7fe561efa8a39bcf329e20d35a3ccb11 | False | 0.1328125 | data | 0.8223930931624241 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
| .idata | 0x75a000 | 0x13d0 | 0x1400 | 7ed5138f35ad9ebb1f9b6d134fd6535e | False | 0.3177734375 | data | 4.509867158735791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .CRT | 0x75c000 | 0x70 | 0x200 | 1a9ed6ca791fbd0d8b3e4f661a478794 | False | 0.08203125 | data | 0.4629014270558708 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .tls | 0x75d000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x75e000 | 0x41dc | 0x4200 | b15ef107bcea25f514dc2d2f6ca28583 | False | 0.9009232954545454 | data | 7.748891860816981 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .reloc | 0x763000 | 0xe378 | 0xe400 | a204328c0f2c9a13f2be1c0702f02d8c | False | 0.24960594846491227 | data | 5.432905065663353 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x75e158 | 0x36a2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | 0.9912054912054912 | ||
| RT_GROUP_ICON | 0x7617fc | 0x14 | data | 1.05 | ||
| RT_VERSION | 0x761810 | 0x36c | data | English | United States | 0.408675799086758 |
| RT_MANIFEST | 0x761b7c | 0x660 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.39767156862745096 |
| DLL | Import |
|---|---|
| KERNEL32.dll | AddAtomA, AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateFileA, CreateIoCompletionPort, CreateMutexA, CreateSemaphoreA, CreateThread, CreateWaitableTimerExW, DeleteAtom, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FindAtomA, FormatMessageA, FreeEnvironmentStringsW, GetAtomNameA, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetHandleInformation, GetLastError, GetProcAddress, GetProcessAffinityMask, GetQueuedCompletionStatusEx, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetTickCount, InitializeCriticalSection, IsDBCSLeadByteEx, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryExW, LoadLibraryW, LocalFree, MultiByteToWideChar, OpenProcess, OutputDebugStringA, PostQueuedCompletionStatus, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, RaiseFailFastException, ReleaseMutex, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessAffinityMask, SetProcessPriorityBoost, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WideCharToMultiByte, WriteConsoleW, WriteFile, __C_specific_handler |
| msvcrt.dll | ___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _beginthread, _beginthreadex, _cexit, _commode, _endthreadex, _errno, _fmode, _initterm, _lock, _memccpy, _onexit, _setjmp, _strdup, _ultoa, _unlock, abort, calloc, exit, fprintf, fputc, free, fwrite, localeconv, longjmp, malloc, memcpy, memmove, memset, printf, realloc, signal, strerror, strlen, strncmp, vfprintf, wcslen |
| Name | Ordinal | Address |
|---|---|---|
| _cgo_dummy_export | 1 | 0x140758090 |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 07/03/24-19:31:31.842065 | TCP | 2054183 | ET TROJAN Observed Lumma Stealer Related Domain (potterryisiw .shop in TLS SNI) | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
| 07/03/24-19:31:21.307377 | UDP | 2053384 | ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (willingyhollowsk .shop) | 58968 | 53 | 192.168.2.4 | 1.1.1.1 |
| 07/03/24-19:31:33.722455 | TCP | 2054183 | ET TROJAN Observed Lumma Stealer Related Domain (potterryisiw .shop in TLS SNI) | 49744 | 443 | 192.168.2.4 | 188.114.96.3 |
| 07/03/24-19:31:27.386052 | TCP | 2054183 | ET TROJAN Observed Lumma Stealer Related Domain (potterryisiw .shop in TLS SNI) | 49740 | 443 | 192.168.2.4 | 188.114.96.3 |
| 07/03/24-19:31:25.885422 | TCP | 2054183 | ET TROJAN Observed Lumma Stealer Related Domain (potterryisiw .shop in TLS SNI) | 49739 | 443 | 192.168.2.4 | 188.114.96.3 |
| 07/03/24-19:31:29.390988 | TCP | 2054183 | ET TROJAN Observed Lumma Stealer Related Domain (potterryisiw .shop in TLS SNI) | 49741 | 443 | 192.168.2.4 | 188.114.96.3 |
| 07/03/24-19:31:24.402178 | TCP | 2054183 | ET TROJAN Observed Lumma Stealer Related Domain (potterryisiw .shop in TLS SNI) | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
| 07/03/24-19:31:22.348758 | TCP | 2054183 | ET TROJAN Observed Lumma Stealer Related Domain (potterryisiw .shop in TLS SNI) | 49735 | 443 | 192.168.2.4 | 188.114.96.3 |
| 07/03/24-19:31:21.319048 | UDP | 2054182 | ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (potterryisiw .shop) | 55667 | 53 | 192.168.2.4 | 1.1.1.1 |
| 07/03/24-19:31:21.346175 | TCP | 2054183 | ET TROJAN Observed Lumma Stealer Related Domain (potterryisiw .shop in TLS SNI) | 49732 | 443 | 192.168.2.4 | 188.114.96.3 |
| 07/03/24-19:31:30.493459 | TCP | 2054183 | ET TROJAN Observed Lumma Stealer Related Domain (potterryisiw .shop in TLS SNI) | 49742 | 443 | 192.168.2.4 | 188.114.96.3 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jul 3, 2024 19:31:21.341953039 CEST | 49732 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:21.341981888 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:21.342055082 CEST | 49732 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:21.346174955 CEST | 49732 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:21.346193075 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:21.872925997 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:21.872998953 CEST | 49732 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:21.875818968 CEST | 49732 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:21.875828028 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:21.876032114 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:21.922610998 CEST | 49732 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:21.924526930 CEST | 49732 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:21.924556971 CEST | 49732 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:21.924588919 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:22.299480915 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:22.299555063 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:22.300297976 CEST | 49732 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:22.338182926 CEST | 49732 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:22.338188887 CEST | 443 | 49732 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:22.344454050 CEST | 49735 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:22.344468117 CEST | 443 | 49735 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:22.348277092 CEST | 49735 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:22.348757982 CEST | 49735 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:22.348769903 CEST | 443 | 49735 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:23.536293983 CEST | 443 | 49735 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:23.536360025 CEST | 49735 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:23.537542105 CEST | 49735 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:23.537549019 CEST | 443 | 49735 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:23.537820101 CEST | 443 | 49735 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:23.547959089 CEST | 49735 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:23.547976017 CEST | 49735 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:23.548024893 CEST | 443 | 49735 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:24.204579115 CEST | 443 | 49735 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:24.204654932 CEST | 443 | 49735 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:24.204694033 CEST | 443 | 49735 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:24.204827070 CEST | 49735 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:24.204843044 CEST | 443 | 49735 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:24.204890966 CEST | 49735 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:24.205184937 CEST | 443 | 49735 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:24.205532074 CEST | 443 | 49735 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:24.205563068 CEST | 443 | 49735 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:24.205591917 CEST | 49735 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:24.205601931 CEST | 443 | 49735 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:24.206348896 CEST | 443 | 49735 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:24.206398964 CEST | 49735 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:24.206407070 CEST | 443 | 49735 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:24.206442118 CEST | 49735 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:24.210391045 CEST | 443 | 49735 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:24.250731945 CEST | 49735 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:24.295124054 CEST | 443 | 49735 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:24.295162916 CEST | 443 | 49735 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:24.295186996 CEST | 443 | 49735 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:24.295213938 CEST | 443 | 49735 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:24.295296907 CEST | 49735 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:24.295306921 CEST | 443 | 49735 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:24.295456886 CEST | 443 | 49735 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:24.295540094 CEST | 443 | 49735 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:24.295588970 CEST | 49735 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:24.295819044 CEST | 49735 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:24.295828104 CEST | 443 | 49735 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:24.295836926 CEST | 49735 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:24.295840979 CEST | 443 | 49735 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:24.401309013 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:24.401340961 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:24.401424885 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:24.402178049 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:24.402189970 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:24.859950066 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:24.860044003 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:24.861392021 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:24.861403942 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:24.861634970 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:24.868369102 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:24.868520975 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:24.868550062 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:24.868613958 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:24.868622065 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:25.665945053 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:25.666035891 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:25.666093111 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:25.674978018 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:25.674995899 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:25.884918928 CEST | 49739 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:25.884948969 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:25.885029078 CEST | 49739 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:25.885421991 CEST | 49739 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:25.885432959 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:26.474759102 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:26.474833012 CEST | 49739 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:26.481478930 CEST | 49739 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:26.481502056 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:26.481826067 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:26.489021063 CEST | 49739 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:26.489115000 CEST | 49739 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:26.489159107 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:27.184689045 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:27.184823990 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:27.184887886 CEST | 49739 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:27.184916019 CEST | 49739 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:27.184931040 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:27.385688066 CEST | 49740 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:27.385726929 CEST | 443 | 49740 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:27.385791063 CEST | 49740 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:27.386051893 CEST | 49740 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:27.386064053 CEST | 443 | 49740 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:27.883439064 CEST | 443 | 49740 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:27.883517027 CEST | 49740 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:27.884583950 CEST | 49740 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:27.884598017 CEST | 443 | 49740 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:27.884919882 CEST | 443 | 49740 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:27.885978937 CEST | 49740 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:27.886122942 CEST | 49740 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:27.886152983 CEST | 443 | 49740 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:27.886212111 CEST | 49740 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:27.886220932 CEST | 443 | 49740 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:28.438955069 CEST | 443 | 49740 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:28.439084053 CEST | 443 | 49740 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:28.439173937 CEST | 49740 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:28.440886974 CEST | 49740 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:28.440905094 CEST | 443 | 49740 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:29.390592098 CEST | 49741 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:29.390633106 CEST | 443 | 49741 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:29.390706062 CEST | 49741 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:29.390988111 CEST | 49741 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:29.391002893 CEST | 443 | 49741 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:29.989974022 CEST | 443 | 49741 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:29.990065098 CEST | 49741 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:29.991190910 CEST | 49741 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:29.991197109 CEST | 443 | 49741 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:29.991404057 CEST | 443 | 49741 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:29.992451906 CEST | 49741 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:29.992562056 CEST | 49741 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:29.992588997 CEST | 443 | 49741 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:30.399467945 CEST | 443 | 49741 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:30.399561882 CEST | 443 | 49741 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:30.399621010 CEST | 49741 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:30.399727106 CEST | 49741 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:30.399735928 CEST | 443 | 49741 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:30.493092060 CEST | 49742 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:30.493107080 CEST | 443 | 49742 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:30.493187904 CEST | 49742 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:30.493458986 CEST | 49742 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:30.493470907 CEST | 443 | 49742 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:30.981406927 CEST | 443 | 49742 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:30.981503010 CEST | 49742 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:30.982626915 CEST | 49742 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:30.982633114 CEST | 443 | 49742 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:30.982836008 CEST | 443 | 49742 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:30.983851910 CEST | 49742 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:30.983937025 CEST | 49742 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:30.983942986 CEST | 443 | 49742 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:31.382009983 CEST | 443 | 49742 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:31.382091045 CEST | 443 | 49742 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:31.382145882 CEST | 49742 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:31.382224083 CEST | 49742 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:31.382232904 CEST | 443 | 49742 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:31.841582060 CEST | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:31.841625929 CEST | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:31.841712952 CEST | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:31.842065096 CEST | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:31.842073917 CEST | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:32.304915905 CEST | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:32.304994106 CEST | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:32.307426929 CEST | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:32.307439089 CEST | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:32.307667017 CEST | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:32.309494972 CEST | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:32.310249090 CEST | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:32.310280085 CEST | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:32.310385942 CEST | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:32.310415030 CEST | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:32.310530901 CEST | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:32.310652971 CEST | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:32.310899973 CEST | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:32.310906887 CEST | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:32.310936928 CEST | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:32.311000109 CEST | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:32.311043024 CEST | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:32.311139107 CEST | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:32.311157942 CEST | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:32.311630011 CEST | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:32.311655998 CEST | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:32.311666965 CEST | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:32.311680079 CEST | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:32.311769009 CEST | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:32.311786890 CEST | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:32.311800957 CEST | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:32.311811924 CEST | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:32.311821938 CEST | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:32.311825991 CEST | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:32.311939001 CEST | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:32.311954975 CEST | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:32.311979055 CEST | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:32.311990976 CEST | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:32.312036037 CEST | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:32.312057972 CEST | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:32.312077999 CEST | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:32.312087059 CEST | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:32.312110901 CEST | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:32.312128067 CEST | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:33.714145899 CEST | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:33.714236975 CEST | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:33.714354038 CEST | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:33.714709997 CEST | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:33.714731932 CEST | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:33.722031116 CEST | 49744 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:33.722078085 CEST | 443 | 49744 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:33.722162008 CEST | 49744 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:33.722455025 CEST | 49744 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:33.722470999 CEST | 443 | 49744 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:34.198184013 CEST | 443 | 49744 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:34.198239088 CEST | 49744 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:34.199404955 CEST | 49744 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:34.199415922 CEST | 443 | 49744 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:34.199646950 CEST | 443 | 49744 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:34.200680971 CEST | 49744 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:34.200700045 CEST | 49744 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:34.200774908 CEST | 443 | 49744 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:34.626657963 CEST | 443 | 49744 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:34.626749039 CEST | 443 | 49744 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:34.626802921 CEST | 49744 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:34.626949072 CEST | 49744 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:34.626967907 CEST | 443 | 49744 | 188.114.96.3 | 192.168.2.4 |
| Jul 3, 2024 19:31:34.626980066 CEST | 49744 | 443 | 192.168.2.4 | 188.114.96.3 |
| Jul 3, 2024 19:31:34.626986027 CEST | 443 | 49744 | 188.114.96.3 | 192.168.2.4 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jul 3, 2024 19:31:21.307377100 CEST | 58968 | 53 | 192.168.2.4 | 1.1.1.1 |
| Jul 3, 2024 19:31:21.316716909 CEST | 53 | 58968 | 1.1.1.1 | 192.168.2.4 |
| Jul 3, 2024 19:31:21.319047928 CEST | 55667 | 53 | 192.168.2.4 | 1.1.1.1 |
| Jul 3, 2024 19:31:21.335884094 CEST | 53 | 55667 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jul 3, 2024 19:31:21.307377100 CEST | 192.168.2.4 | 1.1.1.1 | 0x2fb6 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jul 3, 2024 19:31:21.319047928 CEST | 192.168.2.4 | 1.1.1.1 | 0xcaf | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jul 3, 2024 19:31:21.316716909 CEST | 1.1.1.1 | 192.168.2.4 | 0x2fb6 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Jul 3, 2024 19:31:21.335884094 CEST | 1.1.1.1 | 192.168.2.4 | 0xcaf | No error (0) | 188.114.96.3 | A (IP address) | IN (0x0001) | false | ||
| Jul 3, 2024 19:31:21.335884094 CEST | 1.1.1.1 | 192.168.2.4 | 0xcaf | No error (0) | 188.114.97.3 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49732 | 188.114.96.3 | 443 | 1868 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-07-03 17:31:21 UTC | 264 | OUT | |
| 2024-07-03 17:31:21 UTC | 8 | OUT | |
| 2024-07-03 17:31:22 UTC | 810 | IN | |
| 2024-07-03 17:31:22 UTC | 7 | IN | |
| 2024-07-03 17:31:22 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49735 | 188.114.96.3 | 443 | 1868 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-07-03 17:31:23 UTC | 265 | OUT | |
| 2024-07-03 17:31:23 UTC | 51 | OUT | |
| 2024-07-03 17:31:24 UTC | 810 | IN | |
| 2024-07-03 17:31:24 UTC | 559 | IN | |
| 2024-07-03 17:31:24 UTC | 693 | IN | |
| 2024-07-03 17:31:24 UTC | 1369 | IN | |
| 2024-07-03 17:31:24 UTC | 1369 | IN | |
| 2024-07-03 17:31:24 UTC | 1369 | IN | |
| 2024-07-03 17:31:24 UTC | 1369 | IN | |
| 2024-07-03 17:31:24 UTC | 1369 | IN | |
| 2024-07-03 17:31:24 UTC | 1369 | IN | |
| 2024-07-03 17:31:24 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 49737 | 188.114.96.3 | 443 | 1868 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-07-03 17:31:24 UTC | 283 | OUT | |
| 2024-07-03 17:31:24 UTC | 15331 | OUT | |
| 2024-07-03 17:31:24 UTC | 2836 | OUT | |
| 2024-07-03 17:31:25 UTC | 800 | IN | |
| 2024-07-03 17:31:25 UTC | 19 | IN | |
| 2024-07-03 17:31:25 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.4 | 49739 | 188.114.96.3 | 443 | 1868 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-07-03 17:31:26 UTC | 282 | OUT | |
| 2024-07-03 17:31:26 UTC | 8788 | OUT | |
| 2024-07-03 17:31:27 UTC | 814 | IN | |
| 2024-07-03 17:31:27 UTC | 19 | IN | |
| 2024-07-03 17:31:27 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.4 | 49740 | 188.114.96.3 | 443 | 1868 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-07-03 17:31:27 UTC | 283 | OUT | |
| 2024-07-03 17:31:27 UTC | 15331 | OUT | |
| 2024-07-03 17:31:27 UTC | 5110 | OUT | |
| 2024-07-03 17:31:28 UTC | 806 | IN | |
| 2024-07-03 17:31:28 UTC | 19 | IN | |
| 2024-07-03 17:31:28 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.4 | 49741 | 188.114.96.3 | 443 | 1868 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-07-03 17:31:29 UTC | 282 | OUT | |
| 2024-07-03 17:31:29 UTC | 7088 | OUT | |
| 2024-07-03 17:31:30 UTC | 802 | IN | |
| 2024-07-03 17:31:30 UTC | 19 | IN | |
| 2024-07-03 17:31:30 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.4 | 49742 | 188.114.96.3 | 443 | 1868 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-07-03 17:31:30 UTC | 282 | OUT | |
| 2024-07-03 17:31:30 UTC | 1283 | OUT | |
| 2024-07-03 17:31:31 UTC | 806 | IN | |
| 2024-07-03 17:31:31 UTC | 19 | IN | |
| 2024-07-03 17:31:31 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.4 | 49743 | 188.114.96.3 | 443 | 1868 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-07-03 17:31:32 UTC | 284 | OUT | |
| 2024-07-03 17:31:32 UTC | 15331 | OUT | |
| 2024-07-03 17:31:32 UTC | 15331 | OUT | |
| 2024-07-03 17:31:32 UTC | 15331 | OUT | |
| 2024-07-03 17:31:32 UTC | 15331 | OUT | |
| 2024-07-03 17:31:32 UTC | 15331 | OUT | |
| 2024-07-03 17:31:32 UTC | 15331 | OUT | |
| 2024-07-03 17:31:32 UTC | 15331 | OUT | |
| 2024-07-03 17:31:32 UTC | 15331 | OUT | |
| 2024-07-03 17:31:32 UTC | 15331 | OUT | |
| 2024-07-03 17:31:32 UTC | 15331 | OUT | |
| 2024-07-03 17:31:33 UTC | 804 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 8 | 192.168.2.4 | 49744 | 188.114.96.3 | 443 | 1868 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-07-03 17:31:34 UTC | 265 | OUT | |
| 2024-07-03 17:31:34 UTC | 86 | OUT | |
| 2024-07-03 17:31:34 UTC | 810 | IN | |
| 2024-07-03 17:31:34 UTC | 54 | IN | |
| 2024-07-03 17:31:34 UTC | 5 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 13:31:02 |
| Start date: | 03/07/2024 |
| Path: | C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24311.29797.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff616160000 |
| File size: | 7'386'624 bytes |
| MD5 hash: | F308BE1162C86C3D72AD06C4C85A67D4 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Go lang |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 13:31:20 |
| Start date: | 03/07/2024 |
| Path: | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x3f0000 |
| File size: | 231'736 bytes |
| MD5 hash: | A64BEAB5D4516BECA4C40B25DC0C1CD8 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | moderate |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 15.6% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 40.1% |
| Total number of Nodes: | 329 |
| Total number of Limit Nodes: | 28 |
Graph
Function 0244FE8B Relevance: 36.8, Strings: 29, Instructions: 505COMMON
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02448349 Relevance: 11.9, Strings: 9, Instructions: 660COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 024534B0 Relevance: 10.4, Strings: 8, Instructions: 440COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02449284 Relevance: 5.9, Strings: 4, Instructions: 931COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02451C99 Relevance: 5.5, Strings: 4, Instructions: 528COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02440F3E Relevance: 4.1, Strings: 3, Instructions: 384COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02447293 Relevance: 3.9, Strings: 3, Instructions: 125COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0246980B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02434E30 Relevance: 2.9, Strings: 2, Instructions: 437COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 024518B0 Relevance: 2.8, Strings: 2, Instructions: 271COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02469B15 Relevance: 1.6, APIs: 1, Instructions: 51memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02469BC0 Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02450E98 Relevance: .5, Instructions: 499COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 024526F0 Relevance: .4, Instructions: 358COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02465E20 Relevance: .3, Instructions: 340COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02446F50 Relevance: .3, Instructions: 273COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0246D130 Relevance: .3, Instructions: 259COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0244BF50 Relevance: .2, Instructions: 154COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0245F96C Relevance: .0, Instructions: 18COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0245BB9C Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 92memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0243A4B0 Relevance: 4.3, APIs: 1, Strings: 1, Instructions: 812libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02460859 Relevance: 3.1, APIs: 2, Instructions: 59COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02459D61 Relevance: 1.6, APIs: 1, Instructions: 85COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 024407DB Relevance: 1.5, APIs: 1, Instructions: 49COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02467C52 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 024650A9 Relevance: 1.5, APIs: 1, Instructions: 19COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02469A51 Relevance: 1.5, APIs: 1, Instructions: 12COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02467D92 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02431EF0 Relevance: 10.6, Strings: 8, Instructions: 595COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02452EF0 Relevance: 6.7, Strings: 5, Instructions: 454COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02453480 Relevance: 6.5, Strings: 5, Instructions: 249COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02435940 Relevance: 3.3, Strings: 2, Instructions: 844COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02456B70 Relevance: 3.0, Strings: 2, Instructions: 527COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02453AD9 Relevance: 3.0, Strings: 2, Instructions: 515COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0245901A Relevance: 1.9, Strings: 1, Instructions: 664COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0245AFE8 Relevance: 1.8, APIs: 1, Instructions: 259COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0245D98C Relevance: 1.8, APIs: 1, Instructions: 253COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0244C110 Relevance: 1.7, Strings: 1, Instructions: 480COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02454148 Relevance: 1.7, Strings: 1, Instructions: 435COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02438ED0 Relevance: 1.6, Strings: 1, Instructions: 378COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02436BE0 Relevance: 1.5, Strings: 1, Instructions: 262COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02444A9B Relevance: 1.4, Strings: 1, Instructions: 107COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02438280 Relevance: .8, Instructions: 812COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02433A30 Relevance: .7, Instructions: 686COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0246BB50 Relevance: .7, Instructions: 652COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02454ED7 Relevance: .6, Instructions: 624COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02434430 Relevance: .6, Instructions: 616COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02468580 Relevance: .6, Instructions: 605COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 024366B0 Relevance: .4, Instructions: 443COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0246C020 Relevance: .3, Instructions: 323COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02439970 Relevance: .3, Instructions: 315COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0246D710 Relevance: .3, Instructions: 313COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0246D400 Relevance: .3, Instructions: 283COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02457773 Relevance: .3, Instructions: 273COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 024571E0 Relevance: .3, Instructions: 272COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02465460 Relevance: .2, Instructions: 189COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 024469A0 Relevance: .1, Instructions: 146COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02440170 Relevance: .1, Instructions: 126COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02463560 Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 024568D0 Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 024415F7 Relevance: .0, Instructions: 48COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 024336F0 Relevance: .0, Instructions: 45COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02457ABC Relevance: .0, Instructions: 40COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02438DA0 Relevance: .0, Instructions: 29COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02446149 Relevance: .0, Instructions: 24COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0243EA20 Relevance: .0, Instructions: 21COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0246B40A Relevance: .0, Instructions: 21COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02451C30 Relevance: .0, Instructions: 19COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0243161F Relevance: .0, Instructions: 13COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 024694C0 Relevance: .0, Instructions: 13COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0244BDD3 Relevance: .0, Instructions: 13COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02469631 Relevance: .0, Instructions: 12COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 024314E8 Relevance: .0, Instructions: 12COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 024316B3 Relevance: .0, Instructions: 11COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02469445 Relevance: .0, Instructions: 11COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02465DD9 Relevance: .0, Instructions: 10COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 024515EF Relevance: .0, Instructions: 8COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|