Edit tour
Windows
Analysis Report
Setup.exe
Overview
General Information
| Sample name: | Setup.exe |
| Analysis ID: | 1542816 |
| MD5: | b159bfa7381138c176f2cd07b86c4588 |
| SHA1: | 1cf2077676782c8275c480a3e38a1413edc65860 |
| SHA256: | 8ba0468886223bcecdae4375c0d0905cef418a4731e85101f0ce6b3706742325 |
| Tags: | exeuser-aachum |
| Infos: |  |
 | |
Detection
LummaC
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
Setup.exe (PID: 7100 cmdline: "C:\Users\ user\Deskt op\Setup.e xe" MD5: B159BFA7381138C176F2CD07B86C4588) 
BitLockerToGo.exe (PID: 3848 cmdline: "C:\Window s\BitLocke rDiscovery VolumeCont ents\BitLo ckerToGo.e xe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
{"C2 url": ["ostracizez.sbs", "activedomest.sbs", "offybirhtdi.sbs", "definitib.sbs", "fashionablei.sbs", "arenbootk.sbs", "elaboretib.sbs", "strikebripm.sbs", "mediavelk.sbs"], "Build id": "tLYMe5--2"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | ||
| Click to see the 8 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | ||
| Click to see the 2 entries | ||||
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-26T16:00:25.324279+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49734 | 188.114.97.3 | 443 | TCP |
| 2024-10-26T16:00:26.497687+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 188.114.97.3 | 443 | TCP |
| 2024-10-26T16:00:40.586198+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49745 | 188.114.97.3 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-26T16:00:25.324279+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49734 | 188.114.97.3 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-26T16:00:26.497687+0200 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 188.114.97.3 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-26T16:00:29.426425+0200 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49739 | 188.114.97.3 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Code function: | 1_2_0041D667 | |
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 1_2_00446040 | |
| Source: | Code function: | 1_2_00423330 | |
| Source: | Code function: | 1_2_00423330 | |
| Source: | Code function: | 1_2_004464F0 | |
| Source: | Code function: | 1_2_004309A1 | |
| Source: | Code function: | 1_2_004309A1 | |
| Source: | Code function: | 1_2_004309A1 | |
| Source: | Code function: | 1_2_00426B58 | |
| Source: | Code function: | 1_2_00420D60 | |
| Source: | Code function: | 1_2_00420D60 | |
| Source: | Code function: | 1_2_00446E50 | |
| Source: | Code function: | 1_2_0042EE3D | |
| Source: | Code function: | 1_2_0040FE86 | |
| Source: | Code function: | 1_2_0040FE86 | |
| Source: | Code function: | 1_2_0040DE90 | |
| Source: | Code function: | 1_2_00429FE0 | |
| Source: | Code function: | 1_2_00401000 | |
| Source: | Code function: | 1_2_00401000 | |
| Source: | Code function: | 1_2_00409006 | |
| Source: | Code function: | 1_2_0042C020 | |
| Source: | Code function: | 1_2_004110D7 | |
| Source: | Code function: | 1_2_00422090 | |
| Source: | Code function: | 1_2_00441100 | |
| Source: | Code function: | 1_2_00445120 | |
| Source: | Code function: | 1_2_0040D1F0 | |
| Source: | Code function: | 1_2_0040D1F0 | |
| Source: | Code function: | 1_2_0042F1A2 | |
| Source: | Code function: | 1_2_004012D5 | |
| Source: | Code function: | 1_2_0042D3EA | |
| Source: | Code function: | 1_2_0042D3EA | |
| Source: | Code function: | 1_2_0042C390 | |
| Source: | Code function: | 1_2_00430417 | |
| Source: | Code function: | 1_2_004454D0 | |
| Source: | Code function: | 1_2_00431495 | |
| Source: | Code function: | 1_2_0043D4B8 | |
| Source: | Code function: | 1_2_0043D4B8 | |
| Source: | Code function: | 1_2_004215AD | |
| Source: | Code function: | 1_2_00444640 | |
| Source: | Code function: | 1_2_00444640 | |
| Source: | Code function: | 1_2_004216C0 | |
| Source: | Code function: | 1_2_0041C692 | |
| Source: | Code function: | 1_2_0041C692 | |
| Source: | Code function: | 1_2_00425770 | |
| Source: | Code function: | 1_2_0042C7DC | |
| Source: | Code function: | 1_2_0042A7E2 | |
| Source: | Code function: | 1_2_00405850 | |
| Source: | Code function: | 1_2_00445800 | |
| Source: | Code function: | 1_2_0041F8A0 | |
| Source: | Code function: | 1_2_0041F8A0 | |
| Source: | Code function: | 1_2_0041F8A0 | |
| Source: | Code function: | 1_2_004218B0 | |
| Source: | Code function: | 1_2_00439970 | |
| Source: | Code function: | 1_2_0042D9C5 | |
| Source: | Code function: | 1_2_00443A33 | |
| Source: | Code function: | 1_2_0042EAF0 | |
| Source: | Code function: | 1_2_00423B40 | |
| Source: | Code function: | 1_2_00423B40 | |
| Source: | Code function: | 1_2_00446B70 | |
| Source: | Code function: | 1_2_00446B70 | |
| Source: | Code function: | 1_2_0040BC40 | |
| Source: | Code function: | 1_2_0040BC40 | |
| Source: | Code function: | 1_2_0042CC5F | |
| Source: | Code function: | 1_2_0043FC90 | |
| Source: | Code function: | 1_2_0042CD09 | |
| Source: | Code function: | 1_2_0042DE60 | |
| Source: | Code function: | 1_2_00443E80 | |
| Source: | Code function: | 1_2_0041CFDD | |
| Source: | Code function: | 1_2_00430FFE | |
| Source: | Code function: | 1_2_0042CD09 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 1_2_00436960 | |
| Source: | Code function: | 1_2_00436960 | |
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Code function: | 1_2_00410370 | |
| Source: | Code function: | 1_2_00423330 | |
| Source: | Code function: | 1_2_0042A4D0 | |
| Source: | Code function: | 1_2_0040F490 | |
| Source: | Code function: | 1_2_0041D667 | |
| Source: | Code function: | 1_2_00446600 | |
| Source: | Code function: | 1_2_004309A1 | |
| Source: | Code function: | 1_2_0043CAF0 | |
| Source: | Code function: | 1_2_00426B58 | |
| Source: | Code function: | 1_2_0042FD63 | |
| Source: | Code function: | 1_2_00420D60 | |
| Source: | Code function: | 1_2_00446E50 | |
| Source: | Code function: | 1_2_0040EE20 | |
| Source: | Code function: | 1_2_0042EE3D | |
| Source: | Code function: | 1_2_0040FE86 | |
| Source: | Code function: | 1_2_00429FE0 | |
| Source: | Code function: | 1_2_00407040 | |
| Source: | Code function: | 1_2_00401000 | |
| Source: | Code function: | 1_2_00409006 | |
| Source: | Code function: | 1_2_0040A020 | |
| Source: | Code function: | 1_2_0042C020 | |
| Source: | Code function: | 1_2_0042B03C | |
| Source: | Code function: | 1_2_004110D7 | |
| Source: | Code function: | 1_2_00422090 | |
| Source: | Code function: | 1_2_004260BA | |
| Source: | Code function: | 1_2_0043C152 | |
| Source: | Code function: | 1_2_00445120 | |
| Source: | Code function: | 1_2_0040B130 | |
| Source: | Code function: | 1_2_004441C0 | |
| Source: | Code function: | 1_2_004341D4 | |
| Source: | Code function: | 1_2_0043C180 | |
| Source: | Code function: | 1_2_0042F1A2 | |
| Source: | Code function: | 1_2_00413227 | |
| Source: | Code function: | 1_2_004012D5 | |
| Source: | Code function: | 1_2_00429340 | |
| Source: | Code function: | 1_2_0042B30E | |
| Source: | Code function: | 1_2_00401328 | |
| Source: | Code function: | 1_2_0043C3E0 | |
| Source: | Code function: | 1_2_0042D3EA | |
| Source: | Code function: | 1_2_0040D3F0 | |
| Source: | Code function: | 1_2_00430417 | |
| Source: | Code function: | 1_2_004454D0 | |
| Source: | Code function: | 1_2_00416493 | |
| Source: | Code function: | 1_2_00431495 | |
| Source: | Code function: | 1_2_0043D4B8 | |
| Source: | Code function: | 1_2_0040A500 | |
| Source: | Code function: | 1_2_00436520 | |
| Source: | Code function: | 1_2_004405D0 | |
| Source: | Code function: | 1_2_00444640 | |
| Source: | Code function: | 1_2_00429340 | |
| Source: | Code function: | 1_2_004156C1 | |
| Source: | Code function: | 1_2_0040971D | |
| Source: | Code function: | 1_2_00417736 | |
| Source: | Code function: | 1_2_0042A7E2 | |
| Source: | Code function: | 1_2_0040D780 | |
| Source: | Code function: | 1_2_00445800 | |
| Source: | Code function: | 1_2_004468C0 | |
| Source: | Code function: | 1_2_004038E0 | |
| Source: | Code function: | 1_2_0041E882 | |
| Source: | Code function: | 1_2_0041F8A0 | |
| Source: | Code function: | 1_2_0043B91D | |
| Source: | Code function: | 1_2_0040E920 | |
| Source: | Code function: | 1_2_004229C0 | |
| Source: | Code function: | 1_2_004259D0 | |
| Source: | Code function: | 1_2_004099A9 | |
| Source: | Code function: | 1_2_00407A60 | |
| Source: | Code function: | 1_2_00429ADE | |
| Source: | Code function: | 1_2_00409A81 | |
| Source: | Code function: | 1_2_0041CAB0 | |
| Source: | Code function: | 1_2_00446B70 | |
| Source: | Code function: | 1_2_0043DB76 | |
| Source: | Code function: | 1_2_0040ABC0 | |
| Source: | Code function: | 1_2_0040BC40 | |
| Source: | Code function: | 1_2_00422CE0 | |
| Source: | Code function: | 1_2_00429D3E | |
| Source: | Code function: | 1_2_00430FFE | |
| Source: | Code function: | 1_2_00404FB0 | |
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Matched rule: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 1_2_0043CE40 | |
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 1_2_0044C53E | |
| Source: | Code function: | 1_2_0044C699 | |
| Source: | Code function: | 1_2_0044C8C7 | |
| Source: | Code function: | 1_2_0041B929 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | System information queried: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 1_2_00442710 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 311 Process Injection | 11 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 111 Security Software Discovery | Remote Services | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 311 Process Injection | LSASS Memory | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 41 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | 2 Clipboard Data | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 22 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| fashionablei.sbs | 188.114.97.3 | true | true | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true | unknown | ||
| true | unknown | ||
| true | unknown | ||
| true | unknown | ||
| true | unknown | ||
| true | unknown | ||
| true | unknown | ||
| true | unknown | ||
| true | unknown | ||
| true | unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| unknown | ||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | unknown | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false |
| unknown | ||
| false | unknown | |||
| false | unknown | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | unknown | |||
| false | unknown | |||
| false |
| unknown | ||
| false | unknown | |||
| false | unknown | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 188.114.97.3 | fashionablei.sbs | European Union | 13335 | CLOUDFLARENETUS | true |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1542816 |
| Start date and time: | 2024-10-26 15:59:08 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 4m 1s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 5 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | Setup.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@3/4@1/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target Setup.exe, PID 7100 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- VT rate limit hit for: Setup.exe
| Time | Type | Description |
|---|---|---|
| 10:00:24 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 188.114.97.3 | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Pushdo | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | DCRat | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| fashionablei.sbs | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | LummaC | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | Stealc | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | Stealc | Browse |
| ||
| Get hash | malicious | CobaltStrike | Browse |
| ||
| Get hash | malicious | CobaltStrike | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
|
⊘No context
| Process: | C:\Users\user\Desktop\Setup.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 138639 |
| Entropy (8bit): | 4.286369825068587 |
| Encrypted: | false |
| SSDEEP: | 1536:ZMjsdRCCXpnzopj7/5dLopnQPporDa6meL4xmJ:fenLo9QP+lmeL4IJ |
| MD5: | A7C8367F8B900617374F5D3FAC86DFD7 |
| SHA1: | 6BDEAB34FA632083B2578708EB0C50443ED5E9A9 |
| SHA-256: | E4F82DB7579D84B2DDB49B16A8CBD8256D86751473D1A86B4B31D1E3963BA0FA |
| SHA-512: | 2C2E9D5445F4BDFBCA7F35881E9D133373145B40D26ECB9B122E60DD343B580FA3BC70C8B981B4AE7E3D9B8C4EA90C6A77F7328A60CBE0F2515EE364AD0CB0A3 |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\Setup.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 218125 |
| Entropy (8bit): | 5.457704584855637 |
| Encrypted: | false |
| SSDEEP: | 3072:zKHyW445CPl85X3GJXlAnFhvMvOqGPUqdShdY5S8DoDT1JyBwJbMaky9nwe+L/Iq:LWY4KTvqd8dYQ8uJcwSy9nQ |
| MD5: | 0FEFBA04D8BBEDD2CFF7EB75C3834847 |
| SHA1: | 054D11200D77C1B5DFB3B98A33973623619D34BE |
| SHA-256: | DBBDB23093B0732EE1504F79D3835B1C6B2E3F526AB42A6DA381E6CEC2648AE5 |
| SHA-512: | 3CEAA01275E2DEC044BA5F8D41092EB4F28E62CDAD24A71C8F7F57E4C48B709568C8C376BF2B048DC989810FB8EB91F2D944379804D5D85480A26663FC3F90FE |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\Setup.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 802466 |
| Entropy (8bit): | 4.298722687837962 |
| Encrypted: | false |
| SSDEEP: | 6144:Z6TjefxOXTNwk8mCkCbCp4wrZaWvZEIhU4FFEY+cbCtNYbIgoxrV2z1J:Z6TjefxOXTNUkCbCp42aW4NwL |
| MD5: | 4C6E1287B2F6060C1E0F386B0B47959A |
| SHA1: | 0FA0C721B6848D78C73FCF74BB37891A17FF0999 |
| SHA-256: | C8DB5A41C7EC02EB2F1F20A6CD544DB215246AD9D566EA9494D63521B9B1E271 |
| SHA-512: | 0FF6A037A413BE93DCB3C1B4C26CB9938025F34D9AA20818FBDED5B4B00BC89DCBA9EB58756BAFBA852CA972C058BDDB087E9CB58C9B442AC936C93590E14C13 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\Setup.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1155588 |
| Entropy (8bit): | 5.4159552687244155 |
| Encrypted: | false |
| SSDEEP: | 12288:D2DUMiOfGYFO/1pf0ThVUhI2PoEMuCfzT/2ZoEC74RiCfulDlJ:MZFO/1pf9hI2EjT/2ZoEC74RiCfulDlJ |
| MD5: | BE06DF1EE810220598CAE6D42AE2FD77 |
| SHA1: | 5DD0B0F101FDE69B49E37947380431D75D26125C |
| SHA-256: | 09E18C6FA27068005DA8BCBB802C70B1C182866274478C684A4AB652ACAF2BBD |
| SHA-512: | BF40F52E37DFDBEE4AC4F562A28520893D3C8C13FDDB7A94E94458B1E8591162EADF3A4BE401A2FF6C2CE2449721F3F036C2B41571BB3C491E7F648595BAA8FA |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.563099407038782 |
| TrID: |
|
| File name: | Setup.exe |
| File size: | 9'918'976 bytes |
| MD5: | b159bfa7381138c176f2cd07b86c4588 |
| SHA1: | 1cf2077676782c8275c480a3e38a1413edc65860 |
| SHA256: | 8ba0468886223bcecdae4375c0d0905cef418a4731e85101f0ce6b3706742325 |
| SHA512: | 7343941b64431c87217b23fb8c7269eaaf37cb697117f2a61e2b97148a829d0ed129a37c135fc2fb32ace235a4cc3a4bf9c30d00d2946f415921323b3979c428 |
| SSDEEP: | 98304:oGW4cLHx+3tloiqf8LXKas2Cus30iTAuNu/CAZBC+rQ:B1cAKabCuYNQk+rQ |
| TLSH: | B1A65A02FADB48B2D90719B0455F622F23306D065B29CBC7FA5C3B59FF736A04972299 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........8................5.........p.............@.................................2.....@................................ |
 | |
| Icon Hash: | 2d2e3797b32b2b99 |
| Entrypoint: | 0x46d970 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x0 [Thu Jan 1 00:00:00 1970 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 1 |
| File Version Major: | 6 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 1 |
| Import Hash: | 4f2f006e2ecf7172ad368f8289dc96c1 |
| Instruction |
|---|
| jmp 00007F85F17B1740h |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| sub esp, 28h |
| mov dword ptr [esp+1Ch], ebx |
| mov dword ptr [esp+10h], ebp |
| mov dword ptr [esp+14h], esi |
| mov dword ptr [esp+18h], edi |
| mov dword ptr [esp], eax |
| mov dword ptr [esp+04h], ecx |
| call 00007F85F1796FB6h |
| mov eax, dword ptr [esp+08h] |
| mov edi, dword ptr [esp+18h] |
| mov esi, dword ptr [esp+14h] |
| mov ebp, dword ptr [esp+10h] |
| mov ebx, dword ptr [esp+1Ch] |
| add esp, 28h |
| retn 0004h |
| ret |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| sub esp, 08h |
| mov ecx, dword ptr [esp+0Ch] |
| mov edx, dword ptr [ecx] |
| mov eax, esp |
| mov dword ptr [edx+04h], eax |
| sub eax, 00010000h |
| mov dword ptr [edx], eax |
| add eax, 00000BA0h |
| mov dword ptr [edx+08h], eax |
| mov dword ptr [edx+0Ch], eax |
| lea edi, dword ptr [ecx+34h] |
| mov dword ptr [edx+18h], ecx |
| mov dword ptr [edi], edx |
| mov dword ptr [esp+04h], edi |
| call 00007F85F17B3B74h |
| cld |
| call 00007F85F17B2C2Eh |
| call 00007F85F17B1869h |
| add esp, 08h |
| ret |
| mov ebx, dword ptr [esp+04h] |
| mov dword ptr fs:[00000034h], 00000000h |
| mov ebp, esp |
| mov ecx, dword ptr [ebx+04h] |
| mov eax, ecx |
| shl eax, 02h |
| sub esp, eax |
| mov edi, esp |
| mov esi, dword ptr [ebx+08h] |
| cld |
| rep movsd |
| call dword ptr [ebx] |
| mov esp, ebp |
| mov ebx, dword ptr [esp+04h] |
| mov dword ptr [ebx+0Ch], eax |
| mov dword ptr [ebx+10h], edx |
| mov eax, dword ptr fs:[00000034h] |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x97a000 | 0x45e | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9a6000 | 0x1f10 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x97b000 | 0x294e0 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x90e040 | 0xb8 | .data |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x35ce89 | 0x35d000 | 76225605773e8e959b99feb5422863cf | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x35e000 | 0x5ae660 | 0x5ae800 | 3616bfa403d453eebe348163f75edb68 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x90d000 | 0x6c988 | 0x3e000 | d82acf7cbf9c9d97e2ee5a7f2bf474ea | False | 0.45423150831653225 | data | 5.599281163217343 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0x97a000 | 0x45e | 0x600 | 8768fab6ab909d308335d2ec3ece3e03 | False | 0.36328125 | data | 3.92186235756886 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .reloc | 0x97b000 | 0x294e0 | 0x29600 | f03b7153c730749184c175c1a4541d5b | False | 0.5878316182024169 | data | 6.647085560211021 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| .symtab | 0x9a5000 | 0x4 | 0x200 | 07b5472d347d42780469fb2654b7fc54 | False | 0.02734375 | data | 0.020393135236084953 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x9a6000 | 0x1f10 | 0x2000 | bff2e9f43c526bd91927f92dd480dac6 | False | 0.330322265625 | data | 4.645728263591671 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x9a61d4 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.5675675675675675 |
| RT_ICON | 0x9a62fc | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | English | United States | 0.4486994219653179 |
| RT_ICON | 0x9a6864 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.4637096774193548 |
| RT_ICON | 0x9a6b4c | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States | 0.3935018050541516 |
| RT_GROUP_ICON | 0x9a73f4 | 0x3e | data | English | United States | 0.8387096774193549 |
| RT_VERSION | 0x9a7434 | 0x4f4 | data | English | United States | 0.29574132492113564 |
| RT_MANIFEST | 0x9a7928 | 0x5e8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4252645502645503 |
| DLL | Import |
|---|---|
| kernel32.dll | WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-26T16:00:25.324279+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49734 | 188.114.97.3 | 443 | TCP |
| 2024-10-26T16:00:25.324279+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49734 | 188.114.97.3 | 443 | TCP |
| 2024-10-26T16:00:26.497687+0200 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49737 | 188.114.97.3 | 443 | TCP |
| 2024-10-26T16:00:26.497687+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49737 | 188.114.97.3 | 443 | TCP |
| 2024-10-26T16:00:29.426425+0200 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49739 | 188.114.97.3 | 443 | TCP |
| 2024-10-26T16:00:40.586198+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49745 | 188.114.97.3 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 26, 2024 16:00:23.670959949 CEST | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:23.671046972 CEST | 443 | 49734 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:23.671308041 CEST | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:23.674860954 CEST | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:23.674938917 CEST | 443 | 49734 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:24.289453983 CEST | 443 | 49734 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:24.289555073 CEST | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:24.296036959 CEST | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:24.296108961 CEST | 443 | 49734 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:24.296442986 CEST | 443 | 49734 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:24.344822884 CEST | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:24.844027996 CEST | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:24.844028950 CEST | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:24.844237089 CEST | 443 | 49734 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:25.324290037 CEST | 443 | 49734 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:25.324420929 CEST | 443 | 49734 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:25.324528933 CEST | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:25.327822924 CEST | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:25.327872992 CEST | 443 | 49734 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:25.327904940 CEST | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:25.327920914 CEST | 443 | 49734 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:25.394887924 CEST | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:25.394934893 CEST | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:25.395025969 CEST | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:25.395454884 CEST | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:25.395472050 CEST | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:26.008553028 CEST | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:26.008635044 CEST | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:26.010534048 CEST | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:26.010564089 CEST | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:26.010921955 CEST | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:26.012383938 CEST | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:26.012456894 CEST | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:26.012479067 CEST | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:26.497672081 CEST | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:26.497733116 CEST | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:26.498053074 CEST | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:26.498128891 CEST | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:26.498168945 CEST | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:26.498231888 CEST | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:26.498248100 CEST | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:26.498601913 CEST | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:26.498661995 CEST | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:26.498675108 CEST | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:26.499429941 CEST | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:26.499486923 CEST | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:26.499500036 CEST | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:26.548094034 CEST | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:26.614967108 CEST | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:26.615036964 CEST | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:26.615163088 CEST | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:26.615225077 CEST | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:26.615391016 CEST | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:26.615469933 CEST | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:26.615572929 CEST | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:26.615606070 CEST | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:26.615674973 CEST | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:26.615689993 CEST | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:26.844710112 CEST | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:26.844805956 CEST | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:26.844898939 CEST | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:26.845195055 CEST | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:26.845233917 CEST | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:27.456109047 CEST | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:27.456198931 CEST | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:27.460398912 CEST | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:27.460429907 CEST | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:27.461014032 CEST | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:27.472637892 CEST | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:27.476632118 CEST | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:27.476769924 CEST | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:27.476896048 CEST | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:27.476917028 CEST | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:28.119333982 CEST | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:28.119462967 CEST | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:28.119564056 CEST | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:28.119839907 CEST | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:28.119880915 CEST | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:28.274713993 CEST | 49739 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:28.274756908 CEST | 443 | 49739 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:28.275062084 CEST | 49739 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:28.275398016 CEST | 49739 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:28.275417089 CEST | 443 | 49739 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:28.885706902 CEST | 443 | 49739 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:28.885818005 CEST | 49739 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:28.887638092 CEST | 49739 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:28.887649059 CEST | 443 | 49739 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:28.888005972 CEST | 443 | 49739 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:28.889857054 CEST | 49739 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:28.890072107 CEST | 49739 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:28.890103102 CEST | 443 | 49739 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:29.426445961 CEST | 443 | 49739 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:29.426564932 CEST | 443 | 49739 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:29.426651955 CEST | 49739 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:29.426800013 CEST | 49739 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:29.426839113 CEST | 443 | 49739 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:29.754518986 CEST | 49740 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:29.754590988 CEST | 443 | 49740 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:29.754702091 CEST | 49740 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:29.755165100 CEST | 49740 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:29.755182028 CEST | 443 | 49740 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:30.373938084 CEST | 443 | 49740 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:30.374097109 CEST | 49740 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:30.446027994 CEST | 49740 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:30.446079016 CEST | 443 | 49740 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:30.446432114 CEST | 443 | 49740 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:30.447985888 CEST | 49740 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:30.448765039 CEST | 49740 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:30.448808908 CEST | 443 | 49740 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:30.448893070 CEST | 49740 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:30.448909044 CEST | 443 | 49740 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:31.121191025 CEST | 443 | 49740 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:31.121345043 CEST | 443 | 49740 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:31.121452093 CEST | 49740 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:31.121572018 CEST | 49740 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:31.121608973 CEST | 443 | 49740 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:31.594070911 CEST | 49741 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:31.594197035 CEST | 443 | 49741 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:31.594321012 CEST | 49741 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:31.594728947 CEST | 49741 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:31.594767094 CEST | 443 | 49741 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:32.208416939 CEST | 443 | 49741 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:32.208569050 CEST | 49741 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:32.210498095 CEST | 49741 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:32.210529089 CEST | 443 | 49741 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:32.211026907 CEST | 443 | 49741 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:32.212292910 CEST | 49741 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:32.212434053 CEST | 49741 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:32.212475061 CEST | 443 | 49741 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:33.476890087 CEST | 443 | 49741 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:33.477010965 CEST | 443 | 49741 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:33.477097034 CEST | 49741 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:33.477205992 CEST | 49741 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:33.477247953 CEST | 443 | 49741 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:33.543334007 CEST | 49742 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:33.543381929 CEST | 443 | 49742 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:33.543476105 CEST | 49742 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:33.544111967 CEST | 49742 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:33.544130087 CEST | 443 | 49742 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:35.149179935 CEST | 443 | 49742 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:35.149312973 CEST | 49742 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:35.151385069 CEST | 49742 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:35.151438951 CEST | 443 | 49742 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:35.151973963 CEST | 443 | 49742 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:35.153600931 CEST | 49742 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:35.153717995 CEST | 49742 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:35.153836012 CEST | 443 | 49742 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:35.648463011 CEST | 443 | 49742 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:35.648564100 CEST | 443 | 49742 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:35.648853064 CEST | 49742 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:35.648853064 CEST | 49742 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:35.717957020 CEST | 49743 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:35.718055010 CEST | 443 | 49743 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:35.718159914 CEST | 49743 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:35.718571901 CEST | 49743 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:35.718605995 CEST | 443 | 49743 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:35.954411030 CEST | 49742 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:35.954513073 CEST | 443 | 49742 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:36.343687057 CEST | 443 | 49743 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:36.343799114 CEST | 49743 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:36.345578909 CEST | 49743 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:36.345591068 CEST | 443 | 49743 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:36.346035004 CEST | 443 | 49743 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:36.347387075 CEST | 49743 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:36.347518921 CEST | 49743 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:36.347526073 CEST | 443 | 49743 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:37.077028990 CEST | 443 | 49743 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:37.077135086 CEST | 443 | 49743 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:37.077318907 CEST | 49743 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:37.081160069 CEST | 49743 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:37.081176996 CEST | 443 | 49743 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:37.323565960 CEST | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:37.323615074 CEST | 443 | 49744 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:37.323712111 CEST | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:37.323966980 CEST | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:37.323980093 CEST | 443 | 49744 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:37.950014114 CEST | 443 | 49744 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:37.950097084 CEST | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:37.951819897 CEST | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:37.951849937 CEST | 443 | 49744 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:37.952194929 CEST | 443 | 49744 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:37.953634024 CEST | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:37.953711987 CEST | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:37.953723907 CEST | 443 | 49744 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:38.655114889 CEST | 443 | 49744 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:38.655232906 CEST | 443 | 49744 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:38.655344009 CEST | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:38.656845093 CEST | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:38.656889915 CEST | 443 | 49744 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:38.681190014 CEST | 49745 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:38.681273937 CEST | 443 | 49745 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:38.681406975 CEST | 49745 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:38.681762934 CEST | 49745 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:38.681780100 CEST | 443 | 49745 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:39.307857990 CEST | 443 | 49745 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:39.307991982 CEST | 49745 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:39.309767008 CEST | 49745 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:39.309783936 CEST | 443 | 49745 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:39.310031891 CEST | 443 | 49745 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:39.311739922 CEST | 49745 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:39.311779976 CEST | 49745 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:39.311830997 CEST | 443 | 49745 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:40.586007118 CEST | 443 | 49745 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:40.586143970 CEST | 443 | 49745 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:40.586260080 CEST | 49745 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:40.586353064 CEST | 49745 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:40.586368084 CEST | 443 | 49745 | 188.114.97.3 | 192.168.2.4 |
| Oct 26, 2024 16:00:40.586384058 CEST | 49745 | 443 | 192.168.2.4 | 188.114.97.3 |
| Oct 26, 2024 16:00:40.586390018 CEST | 443 | 49745 | 188.114.97.3 | 192.168.2.4 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 26, 2024 16:00:23.650408983 CEST | 51571 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 26, 2024 16:00:23.663602114 CEST | 53 | 51571 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Oct 26, 2024 16:00:23.650408983 CEST | 192.168.2.4 | 1.1.1.1 | 0x11f9 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Oct 26, 2024 16:00:23.663602114 CEST | 1.1.1.1 | 192.168.2.4 | 0x11f9 | No error (0) | 188.114.97.3 | A (IP address) | IN (0x0001) | false | ||
| Oct 26, 2024 16:00:23.663602114 CEST | 1.1.1.1 | 192.168.2.4 | 0x11f9 | No error (0) | 188.114.96.3 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49734 | 188.114.97.3 | 443 | 3848 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-10-26 14:00:24 UTC | 263 | OUT | |
| 2024-10-26 14:00:24 UTC | 8 | OUT | |
| 2024-10-26 14:00:25 UTC | 1018 | IN | |
| 2024-10-26 14:00:25 UTC | 7 | IN | |
| 2024-10-26 14:00:25 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49737 | 188.114.97.3 | 443 | 3848 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-10-26 14:00:26 UTC | 264 | OUT | |
| 2024-10-26 14:00:26 UTC | 75 | OUT | |
| 2024-10-26 14:00:26 UTC | 1013 | IN | |
| 2024-10-26 14:00:26 UTC | 356 | IN | |
| 2024-10-26 14:00:26 UTC | 899 | IN | |
| 2024-10-26 14:00:26 UTC | 1369 | IN | |
| 2024-10-26 14:00:26 UTC | 1369 | IN | |
| 2024-10-26 14:00:26 UTC | 1369 | IN | |
| 2024-10-26 14:00:26 UTC | 1369 | IN | |
| 2024-10-26 14:00:26 UTC | 1369 | IN | |
| 2024-10-26 14:00:26 UTC | 1369 | IN | |
| 2024-10-26 14:00:26 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 49738 | 188.114.97.3 | 443 | 3848 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-10-26 14:00:27 UTC | 282 | OUT | |
| 2024-10-26 14:00:27 UTC | 15331 | OUT | |
| 2024-10-26 14:00:27 UTC | 2828 | OUT | |
| 2024-10-26 14:00:28 UTC | 1023 | IN | |
| 2024-10-26 14:00:28 UTC | 23 | IN | |
| 2024-10-26 14:00:28 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.4 | 49739 | 188.114.97.3 | 443 | 3848 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-10-26 14:00:28 UTC | 281 | OUT | |
| 2024-10-26 14:00:28 UTC | 8780 | OUT | |
| 2024-10-26 14:00:29 UTC | 1015 | IN | |
| 2024-10-26 14:00:29 UTC | 23 | IN | |
| 2024-10-26 14:00:29 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.4 | 49740 | 188.114.97.3 | 443 | 3848 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-10-26 14:00:30 UTC | 282 | OUT | |
| 2024-10-26 14:00:30 UTC | 15331 | OUT | |
| 2024-10-26 14:00:30 UTC | 5102 | OUT | |
| 2024-10-26 14:00:31 UTC | 1006 | IN | |
| 2024-10-26 14:00:31 UTC | 23 | IN | |
| 2024-10-26 14:00:31 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.4 | 49741 | 188.114.97.3 | 443 | 3848 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-10-26 14:00:32 UTC | 281 | OUT | |
| 2024-10-26 14:00:32 UTC | 3804 | OUT | |
| 2024-10-26 14:00:33 UTC | 1016 | IN | |
| 2024-10-26 14:00:33 UTC | 23 | IN | |
| 2024-10-26 14:00:33 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.4 | 49742 | 188.114.97.3 | 443 | 3848 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-10-26 14:00:35 UTC | 281 | OUT | |
| 2024-10-26 14:00:35 UTC | 3818 | OUT | |
| 2024-10-26 14:00:35 UTC | 1009 | IN | |
| 2024-10-26 14:00:35 UTC | 23 | IN | |
| 2024-10-26 14:00:35 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.4 | 49743 | 188.114.97.3 | 443 | 3848 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-10-26 14:00:36 UTC | 281 | OUT | |
| 2024-10-26 14:00:36 UTC | 1269 | OUT | |
| 2024-10-26 14:00:37 UTC | 1010 | IN | |
| 2024-10-26 14:00:37 UTC | 23 | IN | |
| 2024-10-26 14:00:37 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 8 | 192.168.2.4 | 49744 | 188.114.97.3 | 443 | 3848 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-10-26 14:00:37 UTC | 281 | OUT | |
| 2024-10-26 14:00:37 UTC | 1116 | OUT | |
| 2024-10-26 14:00:38 UTC | 1010 | IN | |
| 2024-10-26 14:00:38 UTC | 23 | IN | |
| 2024-10-26 14:00:38 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 9 | 192.168.2.4 | 49745 | 188.114.97.3 | 443 | 3848 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-10-26 14:00:39 UTC | 265 | OUT | |
| 2024-10-26 14:00:39 UTC | 110 | OUT | |
| 2024-10-26 14:00:40 UTC | 1019 | IN | |
| 2024-10-26 14:00:40 UTC | 54 | IN | |
| 2024-10-26 14:00:40 UTC | 5 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 10:00:05 |
| Start date: | 26/10/2024 |
| Path: | C:\Users\user\Desktop\Setup.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x860000 |
| File size: | 9'918'976 bytes |
| MD5 hash: | B159BFA7381138C176F2CD07B86C4588 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 10:00:15 |
| Start date: | 26/10/2024 |
| Path: | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x70000 |
| File size: | 231'736 bytes |
| MD5 hash: | A64BEAB5D4516BECA4C40B25DC0C1CD8 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | moderate |
| Has exited: | true |
Function 00899BA0 Relevance: 10.2, Strings: 8, Instructions: 183COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008AA210 Relevance: 6.3, Strings: 5, Instructions: 83COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 5.5% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 61.3% |
| Total number of Nodes: | 282 |
| Total number of Limit Nodes: | 28 |
Graph
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00423330 Relevance: 14.4, Strings: 11, Instructions: 649COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040EE20 Relevance: 13.3, Strings: 10, Instructions: 762COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040F490 Relevance: 11.8, Strings: 9, Instructions: 528COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00420D60 Relevance: 10.3, Strings: 8, Instructions: 336COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043CAF0 Relevance: 9.0, Strings: 7, Instructions: 247COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00429FE0 Relevance: 5.4, Strings: 4, Instructions: 422COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040FE86 Relevance: 4.2, Strings: 3, Instructions: 409COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004309A1 Relevance: 3.0, Strings: 2, Instructions: 534COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00446E50 Relevance: 2.8, Strings: 2, Instructions: 305COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00446600 Relevance: 1.5, Strings: 1, Instructions: 272COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00442710 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00446040 Relevance: 1.4, Strings: 1, Instructions: 124COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004464F0 Relevance: 1.3, Strings: 1, Instructions: 97COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0042EE3D Relevance: .3, Instructions: 318COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040DE90 Relevance: .1, Instructions: 142COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043D028 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 279memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040CED0 Relevance: 6.0, APIs: 4, Instructions: 42threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00442630 Relevance: 1.6, APIs: 1, Instructions: 69memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043F710 Relevance: 1.5, APIs: 1, Instructions: 47memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043F6A0 Relevance: 1.5, APIs: 1, Instructions: 43memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00442C8A Relevance: 1.5, APIs: 1, Instructions: 39COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043D598 Relevance: 1.5, APIs: 1, Instructions: 27COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004429E6 Relevance: 1.5, APIs: 1, Instructions: 21COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043453D Relevance: 1.5, APIs: 1, Instructions: 21COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00435B85 Relevance: 1.5, APIs: 1, Instructions: 16COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043D5BB Relevance: 1.5, APIs: 1, Instructions: 14COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043D004 Relevance: 1.5, APIs: 1, Instructions: 12COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043D492 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043B91D Relevance: 71.6, Strings: 57, Instructions: 312COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401000 Relevance: 19.5, Strings: 14, Instructions: 1989COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004012D5 Relevance: 16.0, Strings: 12, Instructions: 987COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041F8A0 Relevance: 15.3, Strings: 11, Instructions: 1540COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040D3F0 Relevance: 14.0, Strings: 11, Instructions: 287COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0042CD09 Relevance: 13.0, Strings: 10, Instructions: 452COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00429340 Relevance: 8.1, Strings: 6, Instructions: 567COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040D780 Relevance: 7.9, Strings: 6, Instructions: 392COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0042A7E2 Relevance: 7.8, Strings: 6, Instructions: 286COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004260BA Relevance: 7.0, Strings: 5, Instructions: 791COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00444640 Relevance: 7.0, Strings: 5, Instructions: 763COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401328 Relevance: 6.6, Strings: 5, Instructions: 389COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040E920 Relevance: 6.6, Strings: 5, Instructions: 367COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004218B0 Relevance: 6.6, Strings: 5, Instructions: 364COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040D1F0 Relevance: 6.4, Strings: 5, Instructions: 177COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004405D0 Relevance: 4.5, Strings: 3, Instructions: 703COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00430FFE Relevance: 4.1, Strings: 3, Instructions: 388COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00422CE0 Relevance: 2.9, Strings: 2, Instructions: 441COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004038E0 Relevance: 2.9, Strings: 2, Instructions: 404COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0042C7DC Relevance: 2.9, Strings: 2, Instructions: 353COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00443E80 Relevance: 2.8, Strings: 2, Instructions: 277COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004110D7 Relevance: 2.8, Strings: 2, Instructions: 267COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004215AD Relevance: 2.6, Strings: 2, Instructions: 89COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004216C0 Relevance: 2.6, Strings: 2, Instructions: 84COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0042C020 Relevance: 1.8, Strings: 1, Instructions: 566COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00404FB0 Relevance: 1.8, Strings: 1, Instructions: 558COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00425770 Relevance: 1.7, APIs: 1, Instructions: 241comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041E882 Relevance: 1.7, Strings: 1, Instructions: 487COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004259D0 Relevance: 1.7, Strings: 1, Instructions: 463COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00423B40 Relevance: 1.7, Strings: 1, Instructions: 439COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0042D3EA Relevance: 1.7, Strings: 1, Instructions: 436COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041CAB0 Relevance: 1.6, Strings: 1, Instructions: 354COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00445120 Relevance: 1.5, Strings: 1, Instructions: 280COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00446B70 Relevance: 1.5, Strings: 1, Instructions: 273COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040A500 Relevance: 1.5, Strings: 1, Instructions: 265COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004468C0 Relevance: 1.5, Strings: 1, Instructions: 259COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00441100 Relevance: 1.5, Strings: 1, Instructions: 243COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004229C0 Relevance: 1.4, Strings: 1, Instructions: 200COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00443A33 Relevance: 1.4, Strings: 1, Instructions: 195COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00429ADE Relevance: 1.4, Strings: 1, Instructions: 195COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00429D3E Relevance: 1.4, Strings: 1, Instructions: 195COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040BC40 Relevance: .9, Instructions: 855COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00422090 Relevance: .7, Instructions: 720COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00407040 Relevance: .7, Instructions: 671COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040B130 Relevance: .7, Instructions: 670COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004454D0 Relevance: .6, Instructions: 644COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00407A60 Relevance: .6, Instructions: 627COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043DB76 Relevance: .5, Instructions: 532COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040A020 Relevance: .4, Instructions: 412COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00409006 Relevance: .4, Instructions: 410COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040ABC0 Relevance: .4, Instructions: 407COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00445800 Relevance: .4, Instructions: 393COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0042B30E Relevance: .4, Instructions: 385COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00409A81 Relevance: .3, Instructions: 338COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043C3E0 Relevance: .3, Instructions: 335COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00431495 Relevance: .3, Instructions: 333COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0042C390 Relevance: .3, Instructions: 327COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040971D Relevance: .3, Instructions: 298COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004156C1 Relevance: .3, Instructions: 283COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043D4B8 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00417736 Relevance: .3, Instructions: 259COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0042EAF0 Relevance: .2, Instructions: 247COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00416493 Relevance: .2, Instructions: 242COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004441C0 Relevance: .2, Instructions: 238COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004341D4 Relevance: .2, Instructions: 238COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00413227 Relevance: .2, Instructions: 235COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00436520 Relevance: .2, Instructions: 205COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0042B03C Relevance: .2, Instructions: 194COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043FC90 Relevance: .2, Instructions: 192COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043C152 Relevance: .2, Instructions: 189COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043C180 Relevance: .2, Instructions: 189COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041C692 Relevance: .2, Instructions: 175COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00405850 Relevance: .2, Instructions: 167COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004099A9 Relevance: .1, Instructions: 119COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0042D9C5 Relevance: .1, Instructions: 103COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00439970 Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0042DE60 Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0042CC5F Relevance: .1, Instructions: 55COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00435FD0 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 148memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041E134 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 179threadwindowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|