Edit tour
Windows
Analysis Report
tOE2mg8TbU.exe
Overview
General Information
| Sample name: | tOE2mg8TbU.exerenamed because original name is a hash value |
| Original sample name: | 250b19f587575df98fc24e8eb185db8afdadd2b672de55bb9be1982212bc05b3.exe |
| Analysis ID: | 1574818 |
| MD5: | 007c8d6917cb62d9cf8bc921ff92ae93 |
| SHA1: | de2bef155edeafb67956d1425bcf5a085319a179 |
| SHA256: | 250b19f587575df98fc24e8eb185db8afdadd2b672de55bb9be1982212bc05b3 |
| Tags: | exeimmureprech-bizuser-JAMESWT_MHT |
| Infos: |  |
 | |
Detection
LummaC
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contain functionality to detect virtual machines
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
tOE2mg8TbU.exe (PID: 6908 cmdline: "C:\Users\ user\Deskt op\tOE2mg8 TbU.exe" MD5: 007C8D6917CB62D9CF8BC921FF92AE93)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
{"C2 url": ["debonairnukk.xyz", "diffuculttan.xyz", "deafeninggeh.biz", "immureprech.biz", "sordid-snaked.cyou", "wrathful-jammy.cyou", "effecterectz.xyz", "cycahao.shop", "awake-weaves.cyou"], "Build id": "hRjzG3--ALFA"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| Windows_Trojan_Donutloader_f40e3759 | unknown | unknown |
| |
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-13T16:42:43.535259+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.12 | 49717 | 104.21.7.3 | 443 | TCP |
| 2024-12-13T16:42:45.967011+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.12 | 49719 | 104.21.7.3 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-13T16:42:44.542927+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.12 | 49717 | 104.21.7.3 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-13T16:42:44.542927+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.12 | 49717 | 104.21.7.3 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Code function: | 0_2_005AEE40 | |
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_005CC1C8 | |
| Source: | Code function: | 0_2_0058720F | |
| Source: | Code function: | 0_2_00591970 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Code function: | 0_2_0056A370 | |
| Source: | Code function: | 0_2_005A0310 | |
| Source: | Code function: | 0_2_0059D0F0 | |
| Source: | Code function: | 0_2_0059D800 | |
| Source: | Code function: | 0_2_00581D70 | |
| Source: | Code function: | 0_2_0060806B | |
| Source: | Code function: | 0_2_005A4010 | |
| Source: | Code function: | 0_2_005F4035 | |
| Source: | Code function: | 0_2_0056E0D0 | |
| Source: | Code function: | 0_2_005EC0AE | |
| Source: | Code function: | 0_2_00586149 | |
| Source: | Code function: | 0_2_005D8356 | |
| Source: | Code function: | 0_2_005885C0 | |
| Source: | Code function: | 0_2_005AA5C0 | |
| Source: | Code function: | 0_2_00604629 | |
| Source: | Code function: | 0_2_00590790 | |
| Source: | Code function: | 0_2_005FE85F | |
| Source: | Code function: | 0_2_005BC990 | |
| Source: | Code function: | 0_2_0060E9B0 | |
| Source: | Code function: | 0_2_00592C10 | |
| Source: | Code function: | 0_2_005B4E00 | |
| Source: | Code function: | 0_2_005D2FC3 | |
| Source: | Code function: | 0_2_0059D150 | |
| Source: | Code function: | 0_2_00603251 | |
| Source: | Code function: | 0_2_00603375 | |
| Source: | Code function: | 0_2_005A1310 | |
| Source: | Code function: | 0_2_005E73B0 | |
| Source: | Code function: | 0_2_005E745D | |
| Source: | Code function: | 0_2_005E77CF | |
| Source: | Code function: | 0_2_005D37A9 | |
| Source: | Code function: | 0_2_005C3880 | |
| Source: | Code function: | 0_2_005E7A79 | |
| Source: | Code function: | 0_2_005AFA70 | |
| Source: | Code function: | 0_2_005CDAE0 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Matched rule: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_005852D0 | |
| Source: | Code function: | 0_2_005AE990 | |
| Source: | Code function: | 0_2_0057C0D0 | |
| Source: | Command line argument: | 0_2_00581D70 | |
| Source: | Command line argument: | 0_2_00581D70 | |
| Source: | Command line argument: | 0_2_00581D70 | |
| Source: | Command line argument: | 0_2_00581D70 | |
| Source: | Command line argument: | 0_2_00581D70 | |
| Source: | Command line argument: | 0_2_00581D70 | |
| Source: | Command line argument: | 0_2_00581D70 | |
| Source: | Command line argument: | 0_2_00581D70 | |
| Source: | Command line argument: | 0_2_00581D70 | |
| Source: | Command line argument: | 0_2_00581D70 | |
| Source: | Command line argument: | 0_2_00581D70 | |
| Source: | Command line argument: | 0_2_00581D70 | |
| Source: | Command line argument: | 0_2_00581D70 | |
| Source: | Command line argument: | 0_2_00581D70 | |
| Source: | Command line argument: | 0_2_00581D70 | |
| Source: | Command line argument: | 0_2_00581D70 | |
| Source: | Command line argument: | 0_2_00581D70 | |
| Source: | Command line argument: | 0_2_00581D70 | |
| Source: | Command line argument: | 0_2_00581D70 | |
| Source: | Command line argument: | 0_2_00581D70 | |
| Source: | Command line argument: | 0_2_00581D70 | |
| Source: | Command line argument: | 0_2_00581D70 | |
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_005AA5C0 | |
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_005D6AD2 | |
| Source: | Code function: | 0_2_00581369 | |
| Source: | Code function: | 0_2_00617375 | |
| Source: | Code function: | 0_2_005CF68A | |
| Source: | Code function: | 0_2_005AF924 | |
| Source: | Code function: | 0_2_005AF990 | |
| Source: | Code function: | 0_2_005CDAE0 | |
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | Code function: | 0_2_00568000 | |
| Source: | API coverage: | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | Code function: | 0_2_005CC1C8 | |
| Source: | Code function: | 0_2_0058720F | |
| Source: | Code function: | 0_2_00591970 | |
| Source: | Code function: | 0_2_005CAD53 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_005CE685 | |
| Source: | Code function: | 0_2_005AA5C0 | |
| Source: | Code function: | 0_2_005CE99A | |
| Source: | Code function: | 0_2_005FF262 | |
| Source: | Code function: | 0_2_005FF21C | |
| Source: | Code function: | 0_2_005CE8A4 | |
| Source: | Code function: | 0_2_005CF11C | |
| Source: | Code function: | 0_2_005CF8BC | |
| Source: | Code function: | 0_2_005CFA4F | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 0_2_00568000 | |
| Source: | Code function: | 0_2_006085C4 | |
| Source: | Code function: | 0_2_0060886A | |
| Source: | Code function: | 0_2_006088B5 | |
| Source: | Code function: | 0_2_00608950 | |
| Source: | Code function: | 0_2_006089DB | |
| Source: | Code function: | 0_2_00608C30 | |
| Source: | Code function: | 0_2_00608D58 | |
| Source: | Code function: | 0_2_00608E60 | |
| Source: | Code function: | 0_2_00600E1C | |
| Source: | Code function: | 0_2_00608F33 | |
| Source: | Code function: | 0_2_006013CF | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_005CE043 | |
| Source: | Code function: | 0_2_006029E5 | |
| Source: | Key value queried: | Jump to behavior | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | 0_2_005E05B4 | |
| Source: | Code function: | 0_2_005E128A | |
| Source: | Code function: | 0_2_00561330 | |
| Source: | Code function: | 0_2_00561410 | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Virtualization/Sandbox Evasion | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 3 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 11 Deobfuscate/Decode Files or Information | LSASS Memory | 121 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 Native API | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | 1 PowerShell | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 45 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 21% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| cycahao.shop | 104.21.7.3 | true | true | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high | ||
| false | high | ||
| false | high | ||
| false | high | ||
| false | high | ||
| true |
| unknown | |
| false | high | ||
| false | high | ||
| true |
| unknown | |
| false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 104.21.7.3 | cycahao.shop | United States | 13335 | CLOUDFLARENETUS | true |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1574818 |
| Start date and time: | 2024-12-13 16:41:20 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 37s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 5 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | tOE2mg8TbU.exerenamed because original name is a hash value |
| Original Sample Name: | 250b19f587575df98fc24e8eb185db8afdadd2b672de55bb9be1982212bc05b3.exe |
| Detection: | MAL |
| Classification: | mal100.troj.evad.winEXE@1/0@1/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63
- Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, fe3cr.delivery.mp.microsoft.com
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: tOE2mg8TbU.exe
| Time | Type | Description |
|---|---|---|
| 10:42:43 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 104.21.7.3 | Get hash | malicious | FormBook | Browse |
|
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Amadey | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Amadey, LummaC Stealer, Xmrig | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
|
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 7.19670760341727 |
| TrID: |
|
| File name: | tOE2mg8TbU.exe |
| File size: | 2'916'584 bytes |
| MD5: | 007c8d6917cb62d9cf8bc921ff92ae93 |
| SHA1: | de2bef155edeafb67956d1425bcf5a085319a179 |
| SHA256: | 250b19f587575df98fc24e8eb185db8afdadd2b672de55bb9be1982212bc05b3 |
| SHA512: | a11e390bcd63bd4e30f27a8efabe99365a097861e8fa83591574545ee80e7eae9af1a305348f964527ade3d0773cf41479e5cfa3a5dbffb48fcad69f7a1e504d |
| SSDEEP: | 49152:kMotPlPU+QG/rOVqVzM2dXidwyPvEUZHRUnxSIapDwfkEarSU5Nv1Y:kMalc+QGjuN2FKtQh4Ea+U5d1Y |
| TLSH: | 88D59D61B2D14125E5B2E6302C7DB7EA0B76BC296F35418F32D8B63C0B729C19D35B26 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Lo.."<.."<.."<..!=.."<..'=C."<..!=.."<..&=.."<..'=t."<..&=.."<..$=.."<..#=.."<..#<8."<R.+=.."<R..<.."<...<.."<R. =.."<Rich.." |
 | |
| Icon Hash: | 70e8abaa8eccf830 |
| Entrypoint: | 0x46f66d |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x66A912A6 [Tue Jul 30 16:19:50 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 63ccd71a76a39a85385ce6d1810f26c1 |
| Signature Valid: | false |
| Signature Issuer: | CN=Sectigo RSA Code Signing CA 2, O=Sectigo Limited, C=GB |
| Signature Validation Error: | The digital signature of the object did not verify |
| Error Number: | -2146869232 |
| Not Before, Not After |
|
| Subject Chain |
|
| Version: | 3 |
| Thumbprint MD5: | ECA3BD5C57433237AA1CE99AD78E0A95 |
| Thumbprint SHA-1: | 0A5E143F869DA652384B3EC6E735F6A7D9ADCD41 |
| Thumbprint SHA-256: | DBD30BD9BD76C363B669665083A37B462F3F71F5DB2AB069965F9C7BECEF87D9 |
| Serial: | 00A657F778B31AE523D667131718D16EB2 |
| Instruction |
|---|
| call 00007EFFE08FFB0Bh |
| jmp 00007EFFE08FF25Fh |
| mov ecx, dword ptr [ebp-0Ch] |
| mov dword ptr fs:[00000000h], ecx |
| pop ecx |
| pop edi |
| pop edi |
| pop esi |
| pop ebx |
| mov esp, ebp |
| pop ebp |
| push ecx |
| ret |
| mov ecx, dword ptr [ebp-10h] |
| xor ecx, ebp |
| call 00007EFFE08FE8FEh |
| jmp 00007EFFE08FF3C0h |
| push eax |
| push dword ptr fs:[00000000h] |
| lea eax, dword ptr [esp+0Ch] |
| sub esp, dword ptr [esp+0Ch] |
| push ebx |
| push esi |
| push edi |
| mov dword ptr [eax], ebp |
| mov ebp, eax |
| mov eax, dword ptr [004E706Ch] |
| xor eax, ebp |
| push eax |
| push dword ptr [ebp-04h] |
| mov dword ptr [ebp-04h], FFFFFFFFh |
| lea eax, dword ptr [ebp-0Ch] |
| mov dword ptr fs:[00000000h], eax |
| ret |
| push eax |
| push dword ptr fs:[00000000h] |
| lea eax, dword ptr [esp+0Ch] |
| sub esp, dword ptr [esp+0Ch] |
| push ebx |
| push esi |
| push edi |
| mov dword ptr [eax], ebp |
| mov ebp, eax |
| mov eax, dword ptr [004E706Ch] |
| xor eax, ebp |
| push eax |
| mov dword ptr [ebp-10h], eax |
| push dword ptr [ebp-04h] |
| mov dword ptr [ebp-04h], FFFFFFFFh |
| lea eax, dword ptr [ebp-0Ch] |
| mov dword ptr fs:[00000000h], eax |
| ret |
| push eax |
| push dword ptr fs:[00000000h] |
| lea eax, dword ptr [esp+0Ch] |
| sub esp, dword ptr [esp+0Ch] |
| push ebx |
| push esi |
| push edi |
| mov dword ptr [eax], ebp |
| mov ebp, eax |
| mov eax, dword ptr [004E706Ch] |
| xor eax, ebp |
| push eax |
| mov dword ptr [ebp-10h], esp |
| push dword ptr [ebp-04h] |
| mov dword ptr [ebp-04h], FFFFFFFFh |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe50cc | 0x64 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xed000 | 0x178869 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x2bbc00 | 0xc4e8 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x266000 | 0xabf8 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0xd4e40 | 0x70 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0xd4eb0 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xbcc98 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0xb9000 | 0x2ec | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xe371c | 0x1a0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xb7a36 | 0xb7c00 | 32f98843af17184b5d5c250395c6085b | False | 0.49614822491496596 | data | 6.592545337295465 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0xb9000 | 0x2d220 | 0x2d400 | 9bc7d8ff891dbcd12a2198b97e2b31ee | False | 0.3807568629143646 | data | 5.019273831361903 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xe7000 | 0x5c5c | 0x4600 | b8bfec2e3db0d853c1cad1f68aa2d83a | False | 0.22126116071428573 | DOS executable (block device driver pyright) | 4.715695426686277 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xed000 | 0x178869 | 0x178a00 | 05bdf527abb7436f8c7642ffd8e094a3 | False | 0.6041742293810156 | data | 7.130416376543464 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x266000 | 0x59800 | 0x59800 | 6862cdbcfe7bedd20a2c6c3094b522e1 | False | 0.7062292685055865 | data | 7.728163425515973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| BINARY | 0xefec0 | 0x28da8 | TrueType Font data, 18 tables, 1st "GDEF", 13 names, Microsoft, language 0x409, Copyright 2011 Google Inc. All Rights Reserved.RobotoBoldRoboto BoldVersion 2.137; 2017Roboto-Bo | English | United States | 0.5296768178993163 |
| BINARY | 0x118c68 | 0x29144 | TrueType Font data, 18 tables, 1st "GDEF", 13 names, Microsoft, language 0x409, Copyright 2011 Google Inc. All Rights Reserved.RobotoRegularVersion 2.137; 2017Roboto-RegularRob | English | United States | 0.5236776417449186 |
| PNG | 0x141dac | 0x2514 | PNG image data, 109 x 101, 8-bit/color RGBA, non-interlaced | English | United States | 1.001158870627897 |
| PNG | 0x1442c0 | 0x3005 | PNG image data, 134 x 124, 8-bit/color RGBA, non-interlaced | English | United States | 1.0008948181892134 |
| PNG | 0x1472c8 | 0x40f6 | PNG image data, 164 x 152, 8-bit/color RGBA, non-interlaced | English | United States | 1.0009621166566447 |
| PNG | 0x14b3c0 | 0x61fe | PNG image data, 218 x 202, 8-bit/color RGBA, non-interlaced | English | United States | 1.0005182173323766 |
| PNG | 0x1515c0 | 0x15b | PNG image data, 32 x 32, 8-bit colormap, non-interlaced | English | United States | 0.9971181556195965 |
| PNG | 0x15171c | 0x49a | PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced | English | United States | 1.0093378607809846 |
| PNG | 0x151bb8 | 0x5ef | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | English | United States | 1.0072416063199474 |
| PNG | 0x1521a8 | 0x215 | PNG image data, 64 x 64, 8-bit colormap, non-interlaced | English | United States | 1.0168855534709194 |
| PNG | 0x1523c0 | 0x1967 | PNG image data, 80 x 80, 8-bit/color RGBA, non-interlaced | English | United States | 1.0016915269875442 |
| PNG | 0x153d28 | 0x24b8 | PNG image data, 100 x 101, 8-bit/color RGBA, non-interlaced | English | United States | 1.0011702127659574 |
| PNG | 0x1561e0 | 0x30f6 | PNG image data, 120 x 121, 8-bit/color RGBA, non-interlaced | English | United States | 1.0008776128929313 |
| PNG | 0x1592d8 | 0x4fb0 | PNG image data, 160 x 160, 8-bit/color RGBA, non-interlaced | English | United States | 1.0007843137254901 |
| PNG | 0x15e288 | 0x156d | PNG image data, 81 x 80, 8-bit/color RGBA, non-interlaced | English | United States | 1.0020054694621696 |
| PNG | 0x15f7f8 | 0x1d9a | PNG image data, 101 x 101, 8-bit/color RGBA, non-interlaced | English | United States | 1.0014515703351807 |
| PNG | 0x161594 | 0x27ae | PNG image data, 121 x 121, 8-bit/color RGBA, non-interlaced | English | United States | 1.0010828903327427 |
| PNG | 0x163d44 | 0x3f4a | PNG image data, 161 x 160, 8-bit/color RGBA, non-interlaced | English | United States | 1.0006789285273423 |
| PNG | 0x167c90 | 0x340 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | English | United States | 1.0084134615384615 |
| PNG | 0x167fd0 | 0x3d0 | PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced | English | United States | 1.0112704918032787 |
| PNG | 0x1683a0 | 0x488 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0094827586206896 |
| PNG | 0x168828 | 0x612 | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | English | United States | 1.007078507078507 |
| PNG | 0x168e3c | 0x1375 | PNG image data, 111 x 70, 8-bit/color RGBA, non-interlaced | English | United States | 1.0022083918891789 |
| PNG | 0x16a1b4 | 0x2272 | PNG image data, 167 x 105, 8-bit/color RGBA, non-interlaced | English | United States | 1.0012474484009979 |
| PNG | 0x16c428 | 0x2272 | PNG image data, 167 x 105, 8-bit/color RGBA, non-interlaced | English | United States | 1.0012474484009979 |
| PNG | 0x16e69c | 0x31bd | PNG image data, 222 x 140, 8-bit/color RGBA, non-interlaced | English | United States | 1.0008638969606534 |
| PNG | 0x17185c | 0x114 | PNG image data, 13 x 11, 8-bit/color RGBA, non-interlaced | English | United States | 1.0072463768115942 |
| PNG | 0x171970 | 0x13f | PNG image data, 17 x 14, 8-bit/color RGBA, non-interlaced | English | United States | 1.0125391849529781 |
| PNG | 0x171ab0 | 0x169 | PNG image data, 20 x 16, 8-bit/color RGBA, non-interlaced | English | United States | 1.0221606648199446 |
| PNG | 0x171c1c | 0x192 | PNG image data, 26 x 21, 8-bit/color RGBA, non-interlaced | English | United States | 1.027363184079602 |
| PNG | 0x171db0 | 0x1e2d | PNG image data, 222 x 190, 8-bit/color RGBA, non-interlaced | English | United States | 0.9800647249190938 |
| PNG | 0x173be0 | 0x2643 | PNG image data, 278 x 238, 8-bit/color RGBA, non-interlaced | English | United States | 0.9742725880551302 |
| PNG | 0x176224 | 0x2f01 | PNG image data, 333 x 285, 8-bit/color RGBA, non-interlaced | English | United States | 0.9673398155073548 |
| PNG | 0x179128 | 0x3d85 | PNG image data, 444 x 380, 8-bit/color RGBA, non-interlaced | English | United States | 0.9634262492856689 |
| PNG | 0x17ceb0 | 0x36fd | PNG image data, 222 x 190, 8-bit/color RGBA, non-interlaced | English | United States | 0.987781487532855 |
| PNG | 0x1805b0 | 0x4b8b | PNG image data, 279 x 238, 8-bit/color RGBA, non-interlaced | English | United States | 0.9896064946481203 |
| PNG | 0x18513c | 0x62b6 | PNG image data, 334 x 285, 8-bit/color RGBA, non-interlaced | English | United States | 0.9856351404827859 |
| PNG | 0x18b3f4 | 0x9877 | PNG image data, 444 x 380, 8-bit/color RGBA, non-interlaced | English | United States | 0.981834951705055 |
| PNG | 0x194c6c | 0x2351 | PNG image data, 222 x 190, 8-bit/color RGBA, non-interlaced | English | United States | 0.9826346643070457 |
| PNG | 0x196fc0 | 0x32bb | PNG image data, 278 x 238, 8-bit/color RGBA, non-interlaced | English | United States | 0.977977977977978 |
| PNG | 0x19a27c | 0x4345 | PNG image data, 333 x 285, 8-bit/color RGBA, non-interlaced | English | United States | 0.9784565356251089 |
| PNG | 0x19e5c4 | 0x6870 | PNG image data, 444 x 380, 8-bit/color RGBA, non-interlaced | English | United States | 0.97348144823459 |
| PNG | 0x1a4e34 | 0x2ec1 | PNG image data, 222 x 190, 8-bit/color RGBA, non-interlaced | English | United States | 0.9812849862143872 |
| PNG | 0x1a7cf8 | 0x3eb9 | PNG image data, 278 x 238, 8-bit/color RGBA, non-interlaced | English | United States | 0.9794482157314567 |
| PNG | 0x1abbb4 | 0x5176 | PNG image data, 334 x 285, 8-bit/color RGBA, non-interlaced | English | United States | 0.9782775486717177 |
| PNG | 0x1b0d2c | 0x7a0a | PNG image data, 444 x 380, 8-bit/color RGBA, non-interlaced | English | United States | 0.9715127072530568 |
| PNG | 0x1b8738 | 0x2f93 | PNG image data, 222 x 190, 8-bit/color RGBA, non-interlaced | English | United States | 0.9830035306675425 |
| PNG | 0x1bb6cc | 0x4203 | PNG image data, 279 x 238, 8-bit/color RGBA, non-interlaced | English | United States | 0.9791111900112432 |
| PNG | 0x1bf8d0 | 0x5771 | PNG image data, 334 x 285, 8-bit/color RGBA, non-interlaced | English | United States | 0.9775742684833594 |
| PNG | 0x1c5044 | 0x8a78 | PNG image data, 444 x 380, 8-bit/color RGBA, non-interlaced | English | United States | 0.9728898668472128 |
| PNG | 0x1cdabc | 0x47e | PNG image data, 66 x 66, 8-bit/color RGBA, non-interlaced | English | United States | 1.0095652173913043 |
| PNG | 0x1cdf3c | 0x958 | PNG image data, 81 x 81, 8-bit/color RGBA, non-interlaced | English | United States | 1.004598662207358 |
| PNG | 0x1ce894 | 0xaf7 | PNG image data, 98 x 98, 8-bit/color RGBA, non-interlaced | English | United States | 1.0039187744923406 |
| PNG | 0x1cf38c | 0x901 | PNG image data, 131 x 131, 8-bit/color RGBA, non-interlaced | English | United States | 1.004772234273319 |
| PNG | 0x1cfc90 | 0x175b | PNG image data, 142 x 142, 8-bit/color RGBA, non-interlaced | English | United States | 0.9998327479511624 |
| PNG | 0x1d13ec | 0x1efd | PNG image data, 178 x 178, 8-bit/color RGBA, non-interlaced | English | United States | 1.0013866128828943 |
| PNG | 0x1d32ec | 0x23e7 | PNG image data, 213 x 213, 8-bit/color RGBA, non-interlaced | English | United States | 0.9859645305189859 |
| PNG | 0x1d56d4 | 0x3156 | PNG image data, 284 x 284, 8-bit/color RGBA, non-interlaced | English | United States | 0.9855898653998416 |
| PNG | 0x1d882c | 0x1524 | PNG image data, 142 x 142, 8-bit/color RGBA, non-interlaced | English | United States | 1.0020325203252032 |
| PNG | 0x1d9d50 | 0x1b36 | PNG image data, 178 x 178, 8-bit/color RGBA, non-interlaced | English | United States | 1.0015790984783233 |
| PNG | 0x1db888 | 0x1fb5 | PNG image data, 213 x 213, 8-bit/color RGBA, non-interlaced | English | United States | 0.9963040532216336 |
| PNG | 0x1dd840 | 0x2bd8 | PNG image data, 284 x 284, 8-bit/color RGBA, non-interlaced | English | United States | 0.9932287954383464 |
| PNG | 0x1e0418 | 0x493 | PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced | English | United States | 1.0093936806148591 |
| PNG | 0x1e08ac | 0x596 | PNG image data, 50 x 50, 8-bit/color RGBA, non-interlaced | English | United States | 1.0076923076923077 |
| PNG | 0x1e0e44 | 0x68a | PNG image data, 60 x 60, 8-bit/color RGBA, non-interlaced | English | United States | 1.0065710872162486 |
| PNG | 0x1e14d0 | 0x8c7 | PNG image data, 80 x 80, 8-bit/color RGBA, non-interlaced | English | United States | 1.0048954161103694 |
| PNG | 0x1e1d98 | 0x469 | PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced | English | United States | 1.0097431355181576 |
| PNG | 0x1e2204 | 0x701 | PNG image data, 50 x 50, 8-bit/color RGBA, non-interlaced | English | United States | 1.0061349693251533 |
| PNG | 0x1e2908 | 0x945 | PNG image data, 60 x 60, 8-bit/color RGBA, non-interlaced | English | United States | 1.0046354825115886 |
| PNG | 0x1e3250 | 0xa56 | PNG image data, 80 x 80, 8-bit/color RGBA, non-interlaced | English | United States | 1.00151171579743 |
| RESOURCEFILE | 0x1e3ca8 | 0xf5ee | HTML document, Unicode text, UTF-8 text, with very long lines (3413), with CRLF line terminators | Russian | Russia | 0.27048190857397 |
| RESOURCEFILE | 0x1f3298 | 0xeb64 | HTML document, Unicode text, UTF-8 text, with very long lines (1295), with CRLF line terminators | Russian | Russia | 0.2268503153003651 |
| RT_BITMAP | 0x201dfc | 0x2ae8 | Device independent bitmap graphic, 152 x 24 x 24, image size 10944, resolution 3780 x 3780 px/m | Russian | Russia | 0.2274217042971595 |
| RT_BITMAP | 0x2048e4 | 0x4330 | Device independent bitmap graphic, 190 x 30 x 24, image size 17160, resolution 3780 x 3780 px/m | Russian | Russia | 0.19284883720930232 |
| RT_BITMAP | 0x208c14 | 0x5f38 | Device independent bitmap graphic, 225 x 36 x 24, image size 24336, resolution 3780 x 3780 px/m | Russian | Russia | 0.16212668198227764 |
| RT_BITMAP | 0x20eb4c | 0xb104 | Device independent bitmap graphic, 307 x 49 x 24, image size 45276, resolution 3780 x 3780 px/m | Russian | Russia | 0.12234089504810663 |
| RT_ICON | 0x219c50 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.62677304964539 |
| RT_ICON | 0x21a0b8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.5315573770491804 |
| RT_ICON | 0x21aa40 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.4699812382739212 |
| RT_ICON | 0x21bae8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.3537344398340249 |
| RT_ICON | 0x21e090 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.28206188001889465 |
| RT_ICON | 0x2222b8 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.20238595753626235 |
| RT_ICON | 0x22b760 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.17061989826097243 |
| RT_DIALOG | 0x23bf88 | 0x110 | data | English | United States | 0.45588235294117646 |
| RT_DIALOG | 0x23c098 | 0x178 | data | English | United States | 0.3882978723404255 |
| RT_DIALOG | 0x23c210 | 0x104 | data | English | United States | 0.47692307692307695 |
| RT_DIALOG | 0x23c314 | 0x1f0 | data | English | United States | 0.3286290322580645 |
| RT_DIALOG | 0x23c504 | 0x180 | data | English | United States | 0.3541666666666667 |
| RT_DIALOG | 0x23c684 | 0xd8 | data | English | United States | 0.44907407407407407 |
| RT_DIALOG | 0x23c75c | 0xe4 | data | English | United States | 0.5219298245614035 |
| RT_DIALOG | 0x23c840 | 0x120 | data | English | United States | 0.5972222222222222 |
| RT_STRING | 0x23c960 | 0x48 | data | German | Germany | 0.6666666666666666 |
| RT_STRING | 0x23c9a8 | 0x4e | data | English | United States | 0.6794871794871795 |
| RT_STRING | 0x23c9f8 | 0x48 | data | Spanish | Spain | 0.6388888888888888 |
| RT_STRING | 0x23ca40 | 0x48 | data | French | France | 0.6666666666666666 |
| RT_STRING | 0x23ca88 | 0x48 | data | Italian | Italy | 0.6666666666666666 |
| RT_STRING | 0x23cad0 | 0x48 | data | Dutch | Netherlands | 0.6666666666666666 |
| RT_STRING | 0x23cb18 | 0x48 | data | Polish | Poland | 0.6666666666666666 |
| RT_STRING | 0x23cb60 | 0x4e | data | Portuguese | Brazil | 0.6923076923076923 |
| RT_STRING | 0x23cbb0 | 0x48 | data | Russian | Russia | 0.6666666666666666 |
| RT_STRING | 0x23cbf8 | 0x4e | data | Portuguese | Portugal | 0.6923076923076923 |
| RT_STRING | 0x23cc48 | 0x158 | Matlab v4 mat-file (little endian) a, numeric, rows 0, columns 0 | German | Germany | 0.48546511627906974 |
| RT_STRING | 0x23cda0 | 0x116 | Matlab v4 mat-file (little endian) a, numeric, rows 0, columns 0 | English | United States | 0.5 |
| RT_STRING | 0x23ceb8 | 0x168 | Matlab v4 mat-file (little endian) s, numeric, rows 0, columns 0 | Spanish | Spain | 0.4444444444444444 |
| RT_STRING | 0x23d020 | 0x17a | Matlab v4 mat-file (little endian) s, numeric, rows 0, columns 0 | French | France | 0.4312169312169312 |
| RT_STRING | 0x23d19c | 0x15c | Matlab v4 mat-file (little endian) o, numeric, rows 0, columns 0 | Italian | Italy | 0.4454022988505747 |
| RT_STRING | 0x23d2f8 | 0x15e | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | Dutch | Netherlands | 0.44571428571428573 |
| RT_STRING | 0x23d458 | 0x136 | Matlab v4 mat-file (little endian) r, numeric, rows 0, columns 0 | Polish | Poland | 0.4774193548387097 |
| RT_STRING | 0x23d590 | 0x14e | Matlab v4 mat-file (little endian) s, numeric, rows 0, columns 0 | Portuguese | Brazil | 0.45808383233532934 |
| RT_STRING | 0x23d6e0 | 0x16a | Matlab v4 mat-file (little endian) 0\004A\004B\0045\004@\004 , numeric, rows 0, columns 0 | Russian | Russia | 0.5220994475138122 |
| RT_STRING | 0x23d84c | 0x178 | Matlab v4 mat-file (little endian) s, numeric, rows 0, columns 0 | Portuguese | Portugal | 0.4441489361702128 |
| RT_STRING | 0x23d9c4 | 0x20a | data | German | Germany | 0.4674329501915709 |
| RT_STRING | 0x23dbd0 | 0x1b8 | data | English | United States | 0.4772727272727273 |
| RT_STRING | 0x23dd88 | 0x216 | data | Spanish | Spain | 0.45131086142322097 |
| RT_STRING | 0x23dfa0 | 0x250 | data | French | France | 0.4172297297297297 |
| RT_STRING | 0x23e1f0 | 0x282 | data | Italian | Italy | 0.40654205607476634 |
| RT_STRING | 0x23e474 | 0x22e | data | Dutch | Netherlands | 0.4121863799283154 |
| RT_STRING | 0x23e6a4 | 0x1f8 | data | Polish | Poland | 0.501984126984127 |
| RT_STRING | 0x23e89c | 0x20a | data | Portuguese | Brazil | 0.46934865900383144 |
| RT_STRING | 0x23eaa8 | 0x22e | data | Russian | Russia | 0.5 |
| RT_STRING | 0x23ecd8 | 0x202 | data | Portuguese | Portugal | 0.4474708171206226 |
| RT_STRING | 0x23eedc | 0x140 | data | German | Germany | 0.43125 |
| RT_STRING | 0x23f01c | 0x144 | data | English | United States | 0.41975308641975306 |
| RT_STRING | 0x23f160 | 0x134 | data | Spanish | Spain | 0.4837662337662338 |
| RT_STRING | 0x23f294 | 0x144 | data | French | France | 0.4691358024691358 |
| RT_STRING | 0x23f3d8 | 0x142 | data | Italian | Italy | 0.4472049689440994 |
| RT_STRING | 0x23f51c | 0x140 | data | Dutch | Netherlands | 0.453125 |
| RT_STRING | 0x23f65c | 0x182 | data | Polish | Poland | 0.42487046632124353 |
| RT_STRING | 0x23f7e0 | 0x12c | data | Portuguese | Brazil | 0.4666666666666667 |
| RT_STRING | 0x23f90c | 0x15c | data | Russian | Russia | 0.45977011494252873 |
| RT_STRING | 0x23fa68 | 0x12c | data | Portuguese | Portugal | 0.4866666666666667 |
| RT_STRING | 0x23fb94 | 0x142 | data | German | Germany | 0.5900621118012422 |
| RT_STRING | 0x23fcd8 | 0x130 | data | English | United States | 0.6085526315789473 |
| RT_STRING | 0x23fe08 | 0x14e | data | Spanish | Spain | 0.5748502994011976 |
| RT_STRING | 0x23ff58 | 0x14c | data | French | France | 0.5933734939759037 |
| RT_STRING | 0x2400a4 | 0x13a | data | Italian | Italy | 0.6050955414012739 |
| RT_STRING | 0x2401e0 | 0x140 | data | Dutch | Netherlands | 0.603125 |
| RT_STRING | 0x240320 | 0x130 | data | Polish | Poland | 0.6348684210526315 |
| RT_STRING | 0x240450 | 0x148 | data | Portuguese | Brazil | 0.5945121951219512 |
| RT_STRING | 0x240598 | 0x140 | data | Russian | Russia | 0.65 |
| RT_STRING | 0x2406d8 | 0x14c | data | Portuguese | Portugal | 0.5843373493975904 |
| RT_STRING | 0x240824 | 0x29e | data | German | Germany | 0.34626865671641793 |
| RT_STRING | 0x240ac4 | 0x23c | data | English | United States | 0.3409090909090909 |
| RT_STRING | 0x240d00 | 0x294 | data | Spanish | Spain | 0.3212121212121212 |
| RT_STRING | 0x240f94 | 0x2d2 | data | French | France | 0.3268698060941828 |
| RT_STRING | 0x241268 | 0x2f2 | data | Italian | Italy | 0.3116710875331565 |
| RT_STRING | 0x24155c | 0x28e | data | Dutch | Netherlands | 0.3195718654434251 |
| RT_STRING | 0x2417ec | 0x268 | data | Polish | Poland | 0.36688311688311687 |
| RT_STRING | 0x241a54 | 0x28a | data | Portuguese | Brazil | 0.3384615384615385 |
| RT_STRING | 0x241ce0 | 0x212 | data | Russian | Russia | 0.37735849056603776 |
| RT_STRING | 0x241ef4 | 0x28a | data | Portuguese | Portugal | 0.3415384615384615 |
| RT_STRING | 0x242180 | 0x156 | data | German | Germany | 0.564327485380117 |
| RT_STRING | 0x2422d8 | 0x10c | data | English | United States | 0.5746268656716418 |
| RT_STRING | 0x2423e4 | 0x136 | data | Spanish | Spain | 0.5612903225806452 |
| RT_STRING | 0x24251c | 0x144 | data | French | France | 0.5308641975308642 |
| RT_STRING | 0x242660 | 0x138 | data | Italian | Italy | 0.5416666666666666 |
| RT_STRING | 0x242798 | 0x12c | data | Dutch | Netherlands | 0.5466666666666666 |
| RT_STRING | 0x2428c4 | 0x124 | data | Polish | Poland | 0.565068493150685 |
| RT_STRING | 0x2429e8 | 0x13c | data | Portuguese | Brazil | 0.5379746835443038 |
| RT_STRING | 0x242b24 | 0x126 | data | Russian | Russia | 0.5578231292517006 |
| RT_STRING | 0x242c4c | 0x13e | data | Portuguese | Portugal | 0.5566037735849056 |
| RT_STRING | 0x242d8c | 0x2d0 | data | German | Germany | 0.45555555555555555 |
| RT_STRING | 0x24305c | 0x262 | data | English | United States | 0.46885245901639344 |
| RT_STRING | 0x2432c0 | 0x29a | data | Spanish | Spain | 0.481981981981982 |
| RT_STRING | 0x24355c | 0x2f0 | data | French | France | 0.46808510638297873 |
| RT_STRING | 0x24384c | 0x280 | data | Italian | Italy | 0.4828125 |
| RT_STRING | 0x243acc | 0x27a | data | Dutch | Netherlands | 0.4589905362776025 |
| RT_STRING | 0x243d48 | 0x294 | data | Polish | Poland | 0.49242424242424243 |
| RT_STRING | 0x243fdc | 0x27a | data | Portuguese | Brazil | 0.48580441640378547 |
| RT_STRING | 0x244258 | 0x2e6 | data | Russian | Russia | 0.4865229110512129 |
| RT_STRING | 0x244540 | 0x2c8 | data | Portuguese | Portugal | 0.47752808988764045 |
| RT_STRING | 0x244808 | 0x1cc | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | German | Germany | 0.4891304347826087 |
| RT_STRING | 0x2449d4 | 0x16c | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.4835164835164835 |
| RT_STRING | 0x244b40 | 0x18e | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | Spanish | Spain | 0.4949748743718593 |
| RT_STRING | 0x244cd0 | 0x1b8 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | French | France | 0.4636363636363636 |
| RT_STRING | 0x244e88 | 0x1aa | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | Italian | Italy | 0.4694835680751174 |
| RT_STRING | 0x245034 | 0x1b2 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | Dutch | Netherlands | 0.44930875576036866 |
| RT_STRING | 0x2451e8 | 0x15a | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | Polish | Poland | 0.5115606936416185 |
| RT_STRING | 0x245344 | 0x184 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | Portuguese | Brazil | 0.4690721649484536 |
| RT_STRING | 0x2454c8 | 0x1b2 | Matlab v4 mat-file (little endian) A\004B\0040\004=\004>\0042\004:\0040\004., numeric, rows 0, columns 0 | Russian | Russia | 0.5368663594470046 |
| RT_STRING | 0x24567c | 0x1aa | Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0 | Portuguese | Portugal | 0.45539906103286387 |
| RT_STRING | 0x245828 | 0x82e | data | German | Germany | 0.3729703915950334 |
| RT_STRING | 0x246058 | 0x776 | data | English | United States | 0.3612565445026178 |
| RT_STRING | 0x2467d0 | 0x8a8 | data | Spanish | Spain | 0.3483754512635379 |
| RT_STRING | 0x247078 | 0x8c0 | data | French | France | 0.34732142857142856 |
| RT_STRING | 0x247938 | 0x90a | data | Italian | Italy | 0.3452895419187554 |
| RT_STRING | 0x248244 | 0x826 | data | Dutch | Netherlands | 0.34755512943432404 |
| RT_STRING | 0x248a6c | 0x7c0 | data | Polish | Poland | 0.38860887096774194 |
| RT_STRING | 0x24922c | 0x8a8 | data | Portuguese | Brazil | 0.35694945848375453 |
| RT_STRING | 0x249ad4 | 0x82c | data | Russian | Russia | 0.4077437858508604 |
| RT_STRING | 0x24a300 | 0x8b4 | data | Portuguese | Portugal | 0.3500897666068223 |
| RT_STRING | 0x24abb4 | 0xa2a | data | German | Germany | 0.31744811683320523 |
| RT_STRING | 0x24b5e0 | 0x98c | data | English | United States | 0.3044189852700491 |
| RT_STRING | 0x24bf6c | 0xb72 | data | Spanish | Spain | 0.29215017064846416 |
| RT_STRING | 0x24cae0 | 0xb80 | data | French | France | 0.29347826086956524 |
| RT_STRING | 0x24d660 | 0xb98 | data | Italian | Italy | 0.2884097035040431 |
| RT_STRING | 0x24e1f8 | 0xa84 | data | Dutch | Netherlands | 0.29977711738484397 |
| RT_STRING | 0x24ec7c | 0x9da | data | Polish | Poland | 0.3267248215701824 |
| RT_STRING | 0x24f658 | 0xb90 | PDP-11 UNIX/RT ldp | Portuguese | Brazil | 0.29493243243243245 |
| RT_STRING | 0x2501e8 | 0xa04 | data | Russian | Russia | 0.3482839313572543 |
| RT_STRING | 0x250bec | 0xb58 | data | Portuguese | Portugal | 0.29338842975206614 |
| RT_STRING | 0x251744 | 0x17a | data | German | Germany | 0.42592592592592593 |
| RT_STRING | 0x2518c0 | 0x110 | data | English | United States | 0.5073529411764706 |
| RT_STRING | 0x2519d0 | 0x148 | data | Spanish | Spain | 0.4603658536585366 |
| RT_STRING | 0x251b18 | 0x17e | data | French | France | 0.45287958115183247 |
| RT_STRING | 0x251c98 | 0x1dc | Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0 | Italian | Italy | 0.3760504201680672 |
| RT_STRING | 0x251e74 | 0x13a | data | Dutch | Netherlands | 0.49363057324840764 |
| RT_STRING | 0x251fb0 | 0x13e | data | Polish | Poland | 0.5094339622641509 |
| RT_STRING | 0x2520f0 | 0x140 | data | Portuguese | Brazil | 0.471875 |
| RT_STRING | 0x252230 | 0x11c | data | Russian | Russia | 0.528169014084507 |
| RT_STRING | 0x25234c | 0x134 | data | Portuguese | Portugal | 0.45454545454545453 |
| RT_STRING | 0x252480 | 0x5f8 | data | German | Germany | 0.3147905759162304 |
| RT_STRING | 0x252a78 | 0x504 | data | English | United States | 0.3161993769470405 |
| RT_STRING | 0x252f7c | 0x5bc | data | Spanish | Spain | 0.30381471389645776 |
| RT_STRING | 0x253538 | 0x58a | data | French | France | 0.32863187588152326 |
| RT_STRING | 0x253ac4 | 0x68c | data | Italian | Italy | 0.2834128878281623 |
| RT_STRING | 0x254150 | 0x53e | data | Dutch | Netherlands | 0.3181818181818182 |
| RT_STRING | 0x254690 | 0x4fa | data | Polish | Poland | 0.33830455259026687 |
| RT_STRING | 0x254b8c | 0x54a | data | Portuguese | Brazil | 0.3124076809453471 |
| RT_STRING | 0x2550d8 | 0x4d4 | data | Russian | Russia | 0.37216828478964403 |
| RT_STRING | 0x2555ac | 0x53e | data | Portuguese | Portugal | 0.31296572280178836 |
| RT_STRING | 0x255aec | 0x234 | data | German | Germany | 0.4397163120567376 |
| RT_STRING | 0x255d20 | 0x1d4 | data | English | United States | 0.4230769230769231 |
| RT_STRING | 0x255ef4 | 0x21a | data | Spanish | Spain | 0.41263940520446096 |
| RT_STRING | 0x256110 | 0x216 | data | French | France | 0.45318352059925093 |
| RT_STRING | 0x256328 | 0x216 | data | Italian | Italy | 0.41947565543071164 |
| RT_STRING | 0x256540 | 0x216 | data | Dutch | Netherlands | 0.40636704119850187 |
| RT_STRING | 0x256758 | 0x1ca | data | Polish | Poland | 0.48253275109170307 |
| RT_STRING | 0x256924 | 0x1f0 | data | Portuguese | Brazil | 0.4334677419354839 |
| RT_STRING | 0x256b14 | 0x1fc | data | Russian | Russia | 0.5255905511811023 |
| RT_STRING | 0x256d10 | 0x1fa | data | Portuguese | Portugal | 0.43280632411067194 |
| RT_STRING | 0x256f0c | 0xd0 | data | German | Germany | 0.5673076923076923 |
| RT_STRING | 0x256fdc | 0xac | data | English | United States | 0.5872093023255814 |
| RT_STRING | 0x257088 | 0xbc | data | Spanish | Spain | 0.5319148936170213 |
| RT_STRING | 0x257144 | 0xf2 | data | French | France | 0.5165289256198347 |
| RT_STRING | 0x257238 | 0xf2 | data | Italian | Italy | 0.49586776859504134 |
| RT_STRING | 0x25732c | 0xe0 | data | Dutch | Netherlands | 0.5535714285714286 |
| RT_STRING | 0x25740c | 0xc8 | data | Polish | Poland | 0.575 |
| RT_STRING | 0x2574d4 | 0xb4 | data | Portuguese | Brazil | 0.5777777777777777 |
| RT_STRING | 0x257588 | 0x98 | data | Russian | Russia | 0.6578947368421053 |
| RT_STRING | 0x257620 | 0xba | data | Portuguese | Portugal | 0.5752688172043011 |
| RT_STRING | 0x2576dc | 0xe0 | data | German | Germany | 0.53125 |
| RT_STRING | 0x2577bc | 0xc6 | data | English | United States | 0.5151515151515151 |
| RT_STRING | 0x257884 | 0xde | data | Spanish | Spain | 0.49099099099099097 |
| RT_STRING | 0x257964 | 0xde | data | French | France | 0.5225225225225225 |
| RT_STRING | 0x257a44 | 0xee | data | Italian | Italy | 0.5084033613445378 |
| RT_STRING | 0x257b34 | 0xde | data | Dutch | Netherlands | 0.5 |
| RT_STRING | 0x257c14 | 0xc4 | data | Polish | Poland | 0.5867346938775511 |
| RT_STRING | 0x257cd8 | 0xdc | data | Portuguese | Brazil | 0.5181818181818182 |
| RT_STRING | 0x257db4 | 0xae | data | Russian | Russia | 0.5344827586206896 |
| RT_STRING | 0x257e64 | 0xca | data | Portuguese | Portugal | 0.5099009900990099 |
| RT_STRING | 0x257f30 | 0x16c | data | German | Germany | 0.4340659340659341 |
| RT_STRING | 0x25809c | 0x124 | AmigaOS bitmap font "x", fc_YSize 30720, 17664 elements, 2nd "t", 3rd | English | United States | 0.4863013698630137 |
| RT_STRING | 0x2581c0 | 0x126 | data | Spanish | Spain | 0.4897959183673469 |
| RT_STRING | 0x2582e8 | 0x186 | data | French | France | 0.44358974358974357 |
| RT_STRING | 0x258470 | 0x168 | data | Italian | Italy | 0.425 |
| RT_STRING | 0x2585d8 | 0x14a | data | Dutch | Netherlands | 0.45151515151515154 |
| RT_STRING | 0x258724 | 0x12a | data | Polish | Poland | 0.5302013422818792 |
| RT_STRING | 0x258850 | 0x126 | data | Portuguese | Brazil | 0.5034013605442177 |
| RT_STRING | 0x258978 | 0x136 | data | Russian | Russia | 0.5161290322580645 |
| RT_STRING | 0x258ab0 | 0xf0 | data | Portuguese | Portugal | 0.49166666666666664 |
| RT_STRING | 0x258ba0 | 0x116 | data | German | Germany | 0.5287769784172662 |
| RT_STRING | 0x258cb8 | 0xfc | data | English | United States | 0.5119047619047619 |
| RT_STRING | 0x258db4 | 0xf8 | data | Spanish | Spain | 0.5483870967741935 |
| RT_STRING | 0x258eac | 0x110 | data | French | France | 0.5514705882352942 |
| RT_STRING | 0x258fbc | 0x128 | data | Italian | Italy | 0.5067567567567568 |
| RT_STRING | 0x2590e4 | 0x112 | data | Dutch | Netherlands | 0.5583941605839416 |
| RT_STRING | 0x2591f8 | 0xec | data | Polish | Poland | 0.6016949152542372 |
| RT_STRING | 0x2592e4 | 0x104 | data | Portuguese | Brazil | 0.5692307692307692 |
| RT_STRING | 0x2593e8 | 0xf0 | data | Russian | Russia | 0.6458333333333334 |
| RT_STRING | 0x2594d8 | 0xfe | data | Portuguese | Portugal | 0.5748031496062992 |
| RT_STRING | 0x2595d8 | 0x11c | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | German | Germany | 0.5176056338028169 |
| RT_STRING | 0x2596f4 | 0x102 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.4844961240310077 |
| RT_STRING | 0x2597f8 | 0xf8 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | Spanish | Spain | 0.532258064516129 |
| RT_STRING | 0x2598f0 | 0x116 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | French | France | 0.5287769784172662 |
| RT_STRING | 0x259a08 | 0x144 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | Italian | Italy | 0.49691358024691357 |
| RT_STRING | 0x259b4c | 0x11c | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | Dutch | Netherlands | 0.5176056338028169 |
| RT_STRING | 0x259c68 | 0xf6 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | Polish | Poland | 0.5772357723577236 |
| RT_STRING | 0x259d60 | 0x10e | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | Portuguese | Brazil | 0.5555555555555556 |
| RT_STRING | 0x259e70 | 0xfa | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | Russian | Russia | 0.652 |
| RT_STRING | 0x259f6c | 0x108 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | Portuguese | Portugal | 0.5568181818181818 |
| RT_STRING | 0x25a074 | 0x16e | data | German | Germany | 0.5327868852459017 |
| RT_STRING | 0x25a1e4 | 0x112 | data | English | United States | 0.5474452554744526 |
| RT_STRING | 0x25a2f8 | 0x172 | data | Spanish | Spain | 0.4648648648648649 |
| RT_STRING | 0x25a46c | 0x158 | data | French | France | 0.4738372093023256 |
| RT_STRING | 0x25a5c4 | 0x162 | data | Italian | Italy | 0.4830508474576271 |
| RT_STRING | 0x25a728 | 0x154 | data | Dutch | Netherlands | 0.5029411764705882 |
| RT_STRING | 0x25a87c | 0x144 | data | Polish | Poland | 0.5555555555555556 |
| RT_STRING | 0x25a9c0 | 0x142 | data | Portuguese | Brazil | 0.5093167701863354 |
| RT_STRING | 0x25ab04 | 0x166 | data | Russian | Russia | 0.5893854748603352 |
| RT_STRING | 0x25ac6c | 0x192 | data | Portuguese | Portugal | 0.48258706467661694 |
| RT_STRING | 0x25ae00 | 0x78 | data | German | Germany | 0.6666666666666666 |
| RT_STRING | 0x25ae78 | 0x70 | data | English | United States | 0.625 |
| RT_STRING | 0x25aee8 | 0xae | data | Spanish | Spain | 0.5919540229885057 |
| RT_STRING | 0x25af98 | 0x86 | data | French | France | 0.6343283582089553 |
| RT_STRING | 0x25b020 | 0x80 | AmigaOS bitmap font "a", 20480 elements, 2nd, 3rd | Italian | Italy | 0.6328125 |
| RT_STRING | 0x25b0a0 | 0x88 | data | Dutch | Netherlands | 0.6691176470588235 |
| RT_STRING | 0x25b128 | 0x96 | data | Polish | Poland | 0.6866666666666666 |
| RT_STRING | 0x25b1c0 | 0x82 | data | Portuguese | Brazil | 0.6076923076923076 |
| RT_STRING | 0x25b244 | 0x86 | AmigaOS bitmap font "5\0042\0045\004@\004=\004K\0049\004 ", 7428 elements, 2nd, 3rd | Russian | Russia | 0.6940298507462687 |
| RT_STRING | 0x25b2cc | 0x82 | data | Portuguese | Portugal | 0.6461538461538462 |
| RT_STRING | 0x25b350 | 0x492 | data | German | Germany | 0.26324786324786326 |
| RT_STRING | 0x25b7e4 | 0x352 | data | English | United States | 0.30117647058823527 |
| RT_STRING | 0x25bb38 | 0x38a | data | Spanish | Spain | 0.2924944812362031 |
| RT_STRING | 0x25bec4 | 0x3ee | data | French | France | 0.2823061630218688 |
| RT_STRING | 0x25c2b4 | 0x4a8 | 0420 Alliant virtual executable not stripped | Italian | Italy | 0.27348993288590606 |
| RT_STRING | 0x25c75c | 0x2f2 | data | Dutch | Netherlands | 0.3076923076923077 |
| RT_STRING | 0x25ca50 | 0x44c | data | Polish | Poland | 0.28909090909090907 |
| RT_STRING | 0x25ce9c | 0x382 | data | Portuguese | Brazil | 0.2984409799554566 |
| RT_STRING | 0x25d220 | 0x356 | data | Russian | Russia | 0.319672131147541 |
| RT_STRING | 0x25d578 | 0x36e | OpenPGP Secret Key | Portuguese | Portugal | 0.296127562642369 |
| RT_STRING | 0x25d8e8 | 0x84 | Matlab v4 mat-file (little endian) a, numeric, rows 0, columns 0 | German | Germany | 0.5681818181818182 |
| RT_STRING | 0x25d96c | 0x84 | Matlab v4 mat-file (little endian) a, numeric, rows 0, columns 0 | English | United States | 0.5681818181818182 |
| RT_STRING | 0x25d9f0 | 0x8a | Matlab v4 mat-file (little endian) a, numeric, rows 0, columns 0 | Spanish | Spain | 0.5869565217391305 |
| RT_STRING | 0x25da7c | 0x84 | Matlab v4 mat-file (little endian) a, numeric, rows 0, columns 0 | French | France | 0.5681818181818182 |
| RT_STRING | 0x25db00 | 0x84 | Matlab v4 mat-file (little endian) a, numeric, rows 0, columns 0 | Italian | Italy | 0.5681818181818182 |
| RT_STRING | 0x25db84 | 0x84 | Matlab v4 mat-file (little endian) a, numeric, rows 0, columns 0 | Dutch | Netherlands | 0.5681818181818182 |
| RT_STRING | 0x25dc08 | 0xb4 | Matlab v4 mat-file (little endian) a, numeric, rows 0, columns 0 | Polish | Poland | 0.5888888888888889 |
| RT_STRING | 0x25dcbc | 0x84 | Matlab v4 mat-file (little endian) a, numeric, rows 0, columns 0 | Portuguese | Brazil | 0.5681818181818182 |
| RT_STRING | 0x25dd40 | 0x84 | Matlab v4 mat-file (little endian) a, numeric, rows 0, columns 0 | Russian | Russia | 0.5681818181818182 |
| RT_STRING | 0x25ddc4 | 0x84 | Matlab v4 mat-file (little endian) a, numeric, rows 0, columns 0 | Portuguese | Portugal | 0.5681818181818182 |
| RT_STRING | 0x25de48 | 0xe8 | data | German | Germany | 0.625 |
| RT_STRING | 0x25df30 | 0xd8 | data | English | United States | 0.6018518518518519 |
| RT_STRING | 0x25e008 | 0xf4 | data | Spanish | Spain | 0.5860655737704918 |
| RT_STRING | 0x25e0fc | 0xf4 | data | French | France | 0.5819672131147541 |
| RT_STRING | 0x25e1f0 | 0xde | data | Italian | Italy | 0.6216216216216216 |
| RT_STRING | 0x25e2d0 | 0xe0 | data | Dutch | Netherlands | 0.6071428571428571 |
| RT_STRING | 0x25e3b0 | 0xda | data | Polish | Poland | 0.6330275229357798 |
| RT_STRING | 0x25e48c | 0xee | data | Portuguese | Brazil | 0.6050420168067226 |
| RT_STRING | 0x25e57c | 0x116 | data | Russian | Russia | 0.6438848920863309 |
| RT_STRING | 0x25e694 | 0xdc | data | Portuguese | Portugal | 0.6090909090909091 |
| RT_STRING | 0x25e770 | 0x4b8 | data | German | Germany | 0.34602649006622516 |
| RT_STRING | 0x25ec28 | 0x374 | data | English | United States | 0.3778280542986425 |
| RT_STRING | 0x25ef9c | 0x3c6 | data | Spanish | Spain | 0.35714285714285715 |
| RT_STRING | 0x25f364 | 0x42a | data | French | France | 0.34615384615384615 |
| RT_STRING | 0x25f790 | 0x416 | data | Italian | Italy | 0.3441682600382409 |
| RT_STRING | 0x25fba8 | 0x44c | data | Dutch | Netherlands | 0.33 |
| RT_STRING | 0x25fff4 | 0x428 | data | Polish | Poland | 0.37218045112781956 |
| RT_STRING | 0x26041c | 0x394 | data | Portuguese | Brazil | 0.3548034934497817 |
| RT_STRING | 0x2607b0 | 0x378 | data | Russian | Russia | 0.4189189189189189 |
| RT_STRING | 0x260b28 | 0x3ce | data | Portuguese | Portugal | 0.3480492813141684 |
| RT_STRING | 0x260ef8 | 0x55c | data | German | Germany | 0.3629737609329446 |
| RT_STRING | 0x261454 | 0x4e6 | data | English | United States | 0.33811802232854865 |
| RT_STRING | 0x26193c | 0x526 | data | Spanish | Spain | 0.3482549317147193 |
| RT_STRING | 0x261e64 | 0x536 | data | French | France | 0.3613193403298351 |
| RT_STRING | 0x26239c | 0x538 | data | Italian | Italy | 0.34880239520958084 |
| RT_STRING | 0x2628d4 | 0x53e | data | Dutch | Netherlands | 0.3502235469448584 |
| RT_STRING | 0x262e14 | 0x4b4 | data | Polish | Poland | 0.3920265780730897 |
| RT_STRING | 0x2632c8 | 0x4ee | data | Portuguese | Brazil | 0.3589540412044374 |
| RT_STRING | 0x2637b8 | 0x4f0 | data | Russian | Russia | 0.4185126582278481 |
| RT_STRING | 0x263ca8 | 0x4ee | data | Portuguese | Portugal | 0.358161648177496 |
| RT_STRING | 0x264198 | 0x1fa | data | German | Germany | 0.4762845849802372 |
| RT_STRING | 0x264394 | 0x194 | data | English | United States | 0.504950495049505 |
| RT_STRING | 0x264528 | 0x1be | data | Spanish | Spain | 0.4910313901345291 |
| RT_STRING | 0x2646e8 | 0x1e0 | data | French | France | 0.49583333333333335 |
| RT_STRING | 0x2648c8 | 0x1ee | data | Italian | Italy | 0.4797570850202429 |
| RT_STRING | 0x264ab8 | 0x1a2 | data | Dutch | Netherlands | 0.5311004784688995 |
| RT_STRING | 0x264c5c | 0x1e4 | data | Polish | Poland | 0.5351239669421488 |
| RT_STRING | 0x264e40 | 0x1b6 | data | Portuguese | Brazil | 0.5091324200913242 |
| RT_STRING | 0x264ff8 | 0x1de | data | Russian | Russia | 0.5648535564853556 |
| RT_STRING | 0x2651d8 | 0x1b4 | data | Portuguese | Portugal | 0.5114678899082569 |
| RT_GROUP_ICON | 0x26538c | 0x68 | data | English | United States | 0.7403846153846154 |
| RT_VERSION | 0x2653f4 | 0x2f8 | data | English | United States | 0.4605263157894737 |
| RT_MANIFEST | 0x2656ec | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727 |
| DLL | Import |
|---|---|
| KERNEL32.dll | LeaveCriticalSection, RaiseException, EnterCriticalSection, GetLastError, MultiByteToWideChar, SizeofResource, LoadResource, FindResourceW, LoadLibraryExW, GetModuleFileNameW, InitializeCriticalSectionEx, DeleteCriticalSection, IsWow64Process, GetCurrentProcess, VerifyVersionInfoW, VerSetConditionMask, GetSystemDirectoryW, CreateFileW, DeviceIoControl, CloseHandle, GetCurrentThreadId, SetLastError, Sleep, DeleteFileW, GlobalFree, LockResource, FindResourceExW, LocalFree, FormatMessageW, LocalAlloc, CallNamedPipeW, GetWindowsDirectoryW, SetCurrentDirectoryW, GetCommandLineW, lstrcmpiW, CreateMutexW, GetNativeSystemInfo, GetDiskFreeSpaceExW, FindFirstFileW, FindClose, CreateProcessW, FindNextFileW, WideCharToMultiByte, GlobalAlloc, GlobalLock, SetThreadUILanguage, LoadLibraryW, CreateDirectoryW, GetLogicalDrives, GetTempPathW, MoveFileExW, InitializeProcThreadAttributeList, UpdateProcThreadAttribute, DeleteProcThreadAttributeList, OpenProcess, ResumeThread, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, K32GetModuleFileNameExW, GetCurrentDirectoryW, GetCurrentProcessId, GetModuleFileNameA, OutputDebugStringW, SetEndOfFile, WriteConsoleW, SetStdHandle, GetProcAddress, GetModuleHandleW, FreeLibrary, GetProcessHeap, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, HeapDestroy, DecodePointer, MulDiv, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, GetACP, IsValidCodePage, GetTimeZoneInformation, ReadConsoleW, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, GetStringTypeW, FindFirstFileExW, GetFileAttributesW, GetFileAttributesExW, GetFileInformationByHandle, RemoveDirectoryW, AreFileApisANSI, CopyFileW, DuplicateHandle, WaitForSingleObjectEx, SwitchToThread, GetCurrentThread, QueryPerformanceCounter, TryEnterCriticalSection, EncodePointer, InitializeCriticalSectionAndSpinCount, CreateEventW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetTickCount, CompareStringW, LCMapStringW, GetLocaleInfoW, GetCPInfo, IsDebuggerPresent, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, IsProcessorFeaturePresent, VirtualAlloc, VirtualFree, SetEvent, ResetEvent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, CreateTimerQueue, SignalObjectAndWait, CreateThread, SetThreadPriority, GetThreadPriority, GetLogicalProcessorInformation, CreateTimerQueueTimer, ChangeTimerQueueTimer, DeleteTimerQueueTimer, GetNumaHighestNodeNumber, GetProcessAffinityMask, SetThreadAffinityMask, RegisterWaitForSingleObject, UnregisterWait, GetThreadTimes, FreeLibraryAndExitThread, GetModuleHandleA, GetVersionExW, ReleaseSemaphore, InterlockedFlushSList, QueryDepthSList, UnregisterWaitEx, RtlUnwind, ExitProcess, GetModuleHandleExW, GetCommandLineA, ExitThread, GetStdHandle, WriteFile, GetFileType, FlushFileBuffers, GetConsoleCP, GetConsoleMode, ReadFile, SetFilePointerEx, GetFileSizeEx, GetDateFormatW |
| dwmapi.dll | DwmGetWindowAttribute |
| CRYPT32.dll | CryptMsgClose, CertCloseStore, CertFreeCertificateContext, CertGetNameStringW, CertFindCertificateInStore, CryptMsgGetParam, CryptQueryObject |
| RPCRT4.dll | UuidToStringW, RpcStringFreeW, UuidCreate |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
| Russian | Russia |  |
| German | Germany |  |
| Spanish | Spain |  |
| French | France |  |
| Italian | Italy |  |
| Dutch | Netherlands |  |
| Polish | Poland |  |
| Portuguese | Brazil |  |
| Portuguese | Portugal |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-13T16:42:43.535259+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.12 | 49717 | 104.21.7.3 | 443 | TCP |
| 2024-12-13T16:42:44.542927+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.12 | 49717 | 104.21.7.3 | 443 | TCP |
| 2024-12-13T16:42:44.542927+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.12 | 49717 | 104.21.7.3 | 443 | TCP |
| 2024-12-13T16:42:45.967011+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.12 | 49719 | 104.21.7.3 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 13, 2024 16:42:42.308744907 CET | 49717 | 443 | 192.168.2.12 | 104.21.7.3 |
| Dec 13, 2024 16:42:42.308793068 CET | 443 | 49717 | 104.21.7.3 | 192.168.2.12 |
| Dec 13, 2024 16:42:42.308871031 CET | 49717 | 443 | 192.168.2.12 | 104.21.7.3 |
| Dec 13, 2024 16:42:42.314730883 CET | 49717 | 443 | 192.168.2.12 | 104.21.7.3 |
| Dec 13, 2024 16:42:42.314749002 CET | 443 | 49717 | 104.21.7.3 | 192.168.2.12 |
| Dec 13, 2024 16:42:43.535162926 CET | 443 | 49717 | 104.21.7.3 | 192.168.2.12 |
| Dec 13, 2024 16:42:43.535259008 CET | 49717 | 443 | 192.168.2.12 | 104.21.7.3 |
| Dec 13, 2024 16:42:43.545485973 CET | 49717 | 443 | 192.168.2.12 | 104.21.7.3 |
| Dec 13, 2024 16:42:43.545504093 CET | 443 | 49717 | 104.21.7.3 | 192.168.2.12 |
| Dec 13, 2024 16:42:43.545778990 CET | 443 | 49717 | 104.21.7.3 | 192.168.2.12 |
| Dec 13, 2024 16:42:43.591824055 CET | 49717 | 443 | 192.168.2.12 | 104.21.7.3 |
| Dec 13, 2024 16:42:43.596429110 CET | 49717 | 443 | 192.168.2.12 | 104.21.7.3 |
| Dec 13, 2024 16:42:43.596466064 CET | 49717 | 443 | 192.168.2.12 | 104.21.7.3 |
| Dec 13, 2024 16:42:43.596579075 CET | 443 | 49717 | 104.21.7.3 | 192.168.2.12 |
| Dec 13, 2024 16:42:44.542813063 CET | 443 | 49717 | 104.21.7.3 | 192.168.2.12 |
| Dec 13, 2024 16:42:44.542903900 CET | 443 | 49717 | 104.21.7.3 | 192.168.2.12 |
| Dec 13, 2024 16:42:44.543098927 CET | 49717 | 443 | 192.168.2.12 | 104.21.7.3 |
| Dec 13, 2024 16:42:44.544280052 CET | 49717 | 443 | 192.168.2.12 | 104.21.7.3 |
| Dec 13, 2024 16:42:44.544296980 CET | 443 | 49717 | 104.21.7.3 | 192.168.2.12 |
| Dec 13, 2024 16:42:44.544336081 CET | 49717 | 443 | 192.168.2.12 | 104.21.7.3 |
| Dec 13, 2024 16:42:44.544342995 CET | 443 | 49717 | 104.21.7.3 | 192.168.2.12 |
| Dec 13, 2024 16:42:44.593765020 CET | 49719 | 443 | 192.168.2.12 | 104.21.7.3 |
| Dec 13, 2024 16:42:44.593806028 CET | 443 | 49719 | 104.21.7.3 | 192.168.2.12 |
| Dec 13, 2024 16:42:44.593904018 CET | 49719 | 443 | 192.168.2.12 | 104.21.7.3 |
| Dec 13, 2024 16:42:44.594270945 CET | 49719 | 443 | 192.168.2.12 | 104.21.7.3 |
| Dec 13, 2024 16:42:44.594285011 CET | 443 | 49719 | 104.21.7.3 | 192.168.2.12 |
| Dec 13, 2024 16:42:45.967010975 CET | 49719 | 443 | 192.168.2.12 | 104.21.7.3 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 13, 2024 16:42:41.995201111 CET | 60902 | 53 | 192.168.2.12 | 1.1.1.1 |
| Dec 13, 2024 16:42:42.302823067 CET | 53 | 60902 | 1.1.1.1 | 192.168.2.12 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Dec 13, 2024 16:42:41.995201111 CET | 192.168.2.12 | 1.1.1.1 | 0xc22f | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Dec 13, 2024 16:42:42.302823067 CET | 1.1.1.1 | 192.168.2.12 | 0xc22f | No error (0) | 104.21.7.3 | A (IP address) | IN (0x0001) | false | ||
| Dec 13, 2024 16:42:42.302823067 CET | 1.1.1.1 | 192.168.2.12 | 0xc22f | No error (0) | 172.67.135.139 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.12 | 49717 | 104.21.7.3 | 443 | 6908 | C:\Users\user\Desktop\tOE2mg8TbU.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-13 15:42:43 UTC | 259 | OUT | |
| 2024-12-13 15:42:43 UTC | 8 | OUT | |
| 2024-12-13 15:42:44 UTC | 1010 | IN | |
| 2024-12-13 15:42:44 UTC | 7 | IN | |
| 2024-12-13 15:42:44 UTC | 5 | IN |
| Target ID: | 0 |
| Start time: | 10:42:27 |
| Start date: | 13/12/2024 |
| Path: | C:\Users\user\Desktop\tOE2mg8TbU.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x560000 |
| File size: | 2'916'584 bytes |
| MD5 hash: | 007C8D6917CB62D9CF8BC921FF92AE93 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 0.6% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 40.9% |
| Total number of Nodes: | 479 |
| Total number of Limit Nodes: | 6 |
Graph
Function 00581D70 Relevance: 110.3, APIs: 10, Strings: 52, Instructions: 1755synchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0059D0F0 Relevance: 8.0, APIs: 1, Strings: 4, Instructions: 455memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0059D150 Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 430memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0059D800 Relevance: .3, Instructions: 261COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005A03A0 Relevance: 1.6, APIs: 1, Instructions: 130COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005885C0 Relevance: 69.6, APIs: 1, Strings: 44, Instructions: 2126sleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00592C10 Relevance: 54.3, APIs: 5, Strings: 25, Instructions: 1813sleepprocessCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005A4010 Relevance: 23.4, APIs: 8, Strings: 5, Instructions: 644threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0058720F Relevance: 21.5, APIs: 2, Strings: 10, Instructions: 458fileCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005AEE40 Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 252encryptionCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0056A370 Relevance: 19.7, APIs: 7, Strings: 4, Instructions: 418fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00590790 Relevance: 16.1, Strings: 12, Instructions: 1123COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005AA5C0 Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 256libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005AE990 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 75processCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005CE8A4 Relevance: 12.1, APIs: 8, Instructions: 73memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006029E5 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 376timeCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005CE99A Relevance: 9.0, APIs: 6, Instructions: 41memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00568000 Relevance: 8.9, Strings: 7, Instructions: 131COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00608F33 Relevance: 7.7, APIs: 5, Instructions: 184COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006089DB Relevance: 4.7, APIs: 3, Instructions: 206COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0057C0D0 Relevance: 4.5, APIs: 3, Instructions: 47COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005F4035 Relevance: 3.3, Strings: 1, Instructions: 2060COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00561410 Relevance: 3.3, APIs: 2, Instructions: 308COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00608C30 Relevance: 1.6, APIs: 1, Instructions: 84COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006088B5 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00608E60 Relevance: 1.5, APIs: 1, Instructions: 46COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00608950 Relevance: 1.5, APIs: 1, Instructions: 41COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0060886A Relevance: 1.5, APIs: 1, Instructions: 31COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00600E1C Relevance: 1.5, APIs: 1, Instructions: 27COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006013CF Relevance: 1.5, APIs: 1, Instructions: 24COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005CFA4F Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005EC0AE Relevance: 1.5, Strings: 1, Instructions: 240COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005A1310 Relevance: 1.4, Strings: 1, Instructions: 196COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0060E9B0 Relevance: .7, Instructions: 651COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00604629 Relevance: .6, Instructions: 637COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0056E0D0 Relevance: .3, Instructions: 339COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005BC990 Relevance: .3, Instructions: 339COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0060806B Relevance: .3, Instructions: 329COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005E7A79 Relevance: .2, Instructions: 239COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005E77CF Relevance: .2, Instructions: 231COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005C3880 Relevance: .2, Instructions: 231COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00603375 Relevance: .1, Instructions: 105COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00603251 Relevance: .1, Instructions: 82COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005E73B0 Relevance: .1, Instructions: 76COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00561330 Relevance: .0, Instructions: 44COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005FF21C Relevance: .0, Instructions: 30COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005FF262 Relevance: .0, Instructions: 23COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005A7620 Relevance: 57.2, APIs: 3, Strings: 35, Instructions: 213sleepCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005AD420 Relevance: 47.6, APIs: 19, Strings: 8, Instructions: 361libraryloaderthreadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0056AD70 Relevance: 19.7, APIs: 7, Strings: 4, Instructions: 412fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00594750 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 215processCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005673F0 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 155libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005A6F84 Relevance: 16.8, APIs: 2, Strings: 9, Instructions: 349sleepCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005E421D Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 104threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005A18A0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 99memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005FCEE8 Relevance: 15.1, APIs: 10, Instructions: 70COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0056B3C0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 160fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00590550 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 137libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005CE798 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00565950 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 335stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005A2F20 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 229libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005667B0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 100libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005E8897 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 87COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006066F5 Relevance: 12.2, APIs: 8, Instructions: 204COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005C4700 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 346fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00600FDB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78COMMONLIBRARYCODE
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00607920 Relevance: 10.6, APIs: 7, Instructions: 65COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005BAB70 Relevance: 9.5, APIs: 6, Instructions: 495COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005FF3AC Relevance: 9.3, APIs: 6, Instructions: 319fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005FC663 Relevance: 9.3, APIs: 6, Instructions: 265COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005F7922 Relevance: 9.3, APIs: 6, Instructions: 265COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00566AAF Relevance: 9.2, APIs: 3, Strings: 3, Instructions: 163stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0059E030 Relevance: 9.1, APIs: 6, Instructions: 123COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0059E5E0 Relevance: 9.1, APIs: 6, Instructions: 119COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005DC7C0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35threadCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005EE03D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0060D3E0 Relevance: 7.7, APIs: 5, Instructions: 245COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005FEFE5 Relevance: 7.7, APIs: 5, Instructions: 200COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005C4FB0 Relevance: 7.7, APIs: 5, Instructions: 193COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005FC1DA Relevance: 7.7, APIs: 5, Instructions: 188COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0056C8F8 Relevance: 7.6, APIs: 5, Instructions: 132threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0059CA50 Relevance: 7.6, APIs: 5, Instructions: 107COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005DA8AB Relevance: 7.6, APIs: 5, Instructions: 88COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006073F0 Relevance: 7.5, APIs: 5, Instructions: 40COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005DC678 Relevance: 7.5, APIs: 5, Instructions: 30threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00602BC2 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 173timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00566530 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0057C350 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 84memorywindowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005A1AF0 Relevance: 6.4, APIs: 4, Instructions: 426COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005FD70C Relevance: 6.3, APIs: 4, Instructions: 321COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0059F840 Relevance: 6.2, APIs: 4, Instructions: 185COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0059F780 Relevance: 6.2, APIs: 4, Instructions: 164COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0060D26E Relevance: 6.1, APIs: 4, Instructions: 133fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005F1293 Relevance: 6.1, APIs: 4, Instructions: 133COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00596C40 Relevance: 6.1, APIs: 4, Instructions: 96COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005E30BF Relevance: 6.1, APIs: 4, Instructions: 70COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0056C040 Relevance: 6.1, APIs: 4, Instructions: 61COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005D2DAA Relevance: 6.0, APIs: 4, Instructions: 39threadCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005CD33D Relevance: 6.0, APIs: 4, Instructions: 39timeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0060D0C2 Relevance: 6.0, APIs: 4, Instructions: 29COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005D8B70 Relevance: 6.0, APIs: 4, Instructions: 26memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005D2047 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005D20B4 Relevance: 6.0, APIs: 4, Instructions: 21memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005FB42C Relevance: 6.0, APIs: 4, Instructions: 19COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005FA5DD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0056CA1B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 117threadCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005CE092 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005AD0D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005CEA05 Relevance: 5.0, APIs: 4, Instructions: 41memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|