Windows Analysis Report: X2hna87N3Y.exe
Overview
General Information
Field | Value |
---|---|
Sample name | X2hna87N3Y.exe (renamed because the original name is a hash value) |
Original sample name | 443f4cf9f362a96bbd0845ba6d2859f0.exe |
Analysis ID | 1576576 |
MD5 | 443f4cf9f362a96bbd0845ba6d2859f0 |
SHA1 | 1bf75dea31eaf0c26da3428ae2b8518771989522 |
SHA256 | e11c9223741b2d1291f1031539da3dd183ce2ac4b2de705d92366c6f61d94aa5 |
Tags | exe, user-abuse_ch |
Detection
Field | Value |
---|---|
Score | 100 |
Range | 0 - 100 |
Whitelisted | false |
Confidence | 100% |
Signatures
Classification
- System is w10x64
- X2hna87N3Y.exe (PID: 7416, cmdline: "C:\Users\user\Desktop\X2hna87N3Y.exe", MD5: 443F4CF9F362A96BBD0845BA6D2859F0)
- conhost.exe (PID: 7424, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- X2hna87N3Y.exe (PID: 7536, cmdline: "C:\Users\user\Desktop\X2hna87N3Y.exe", MD5: 443F4CF9F362A96BBD0845BA6D2859F0)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | |
{"C2 url": ["debonairnukk.xyz", "tacitglibbr.biz", "deafeninggeh.biz", "sordid-snaked.cyou", "diffuculttan.xyz", "wrathful-jammy.cyou", "awake-weaves.cyou", "effecterectz.xyz", "immureprech.biz"], "Build id": "yau6Na--7911731954"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | ||
JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-17T09:44:46.252787+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49730 | 104.21.50.161 | 443 | TCP |
2024-12-17T09:44:48.513726+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 104.21.50.161 | 443 | TCP |
2024-12-17T09:44:51.088601+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 104.21.50.161 | 443 | TCP |
2024-12-17T09:44:53.644621+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 104.21.50.161 | 443 | TCP |
2024-12-17T09:44:55.870029+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49734 | 104.21.50.161 | 443 | TCP |
2024-12-17T09:44:58.597611+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49735 | 104.21.50.161 | 443 | TCP |
2024-12-17T09:45:03.023443+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49740 | 104.21.50.161 | 443 | TCP |
2024-12-17T09:45:06.714844+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49743 | 104.21.50.161 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-17T09:44:47.246583+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 104.21.50.161 | 443 | TCP |
2024-12-17T09:44:49.565445+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 104.21.50.161 | 443 | TCP |
2024-12-17T09:45:07.452999+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49743 | 104.21.50.161 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-17T09:44:47.246583+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 104.21.50.161 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-17T09:44:49.565445+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 104.21.50.161 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-17T09:44:46.252787+0100 | 2058231 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49730 | 104.21.50.161 | 443 | TCP |
2024-12-17T09:44:48.513726+0100 | 2058231 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49731 | 104.21.50.161 | 443 | TCP |
2024-12-17T09:44:51.088601+0100 | 2058231 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49732 | 104.21.50.161 | 443 | TCP |
2024-12-17T09:44:53.644621+0100 | 2058231 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49733 | 104.21.50.161 | 443 | TCP |
2024-12-17T09:44:55.870029+0100 | 2058231 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49734 | 104.21.50.161 | 443 | TCP |
2024-12-17T09:44:58.597611+0100 | 2058231 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49735 | 104.21.50.161 | 443 | TCP |
2024-12-17T09:45:03.023443+0100 | 2058231 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49740 | 104.21.50.161 | 443 | TCP |
2024-12-17T09:45:06.714844+0100 | 2058231 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49743 | 104.21.50.161 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-17T09:44:44.702846+0100 | 2058230 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 54326 | 1.1.1.1 | 53 | UDP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-17T09:44:52.295457+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.21.50.161 | 443 | TCP |
AV Detection |
---|
Signature rows under this heading (their detail cells, and some later category headings, did not survive extraction) cite these sources: Avira URL Cloud, Malware Configuration Extractor, Virustotal (Perma Link), ReversingLabs, Integrated Neural Analysis Model, Joe Sandbox ML, String decryptor, Code function, Static PE information, HTTPS traffic detected. |
Networking |
---|
Signature rows under this heading (their detail cells, and some later category headings, did not survive extraction) cite these sources: Suricata IDS, URLs, IP Address, JA3 fingerprint, HTTP traffic detected, UDP traffic detected without corresponding DNS query, DNS traffic detected, String found in binary or memory, Network traffic detected, HTTPS traffic detected, Code function, Static PE information, Classification label, Mutant created, Key opened, Binary or memory string, Virustotal, ReversingLabs, File read, Process created, Section loaded, Registry key monitored for changes, Process information set. |
Malware Analysis System Evasion |
---|
Signature rows under this heading (their detail cells did not survive extraction) cite these sources: System information queried, API coverage, Thread sleep time, WMI Queries, Code function, Binary or memory string, Process information queried. |
HIPS / PFW / Operating System Protection Evasion |
---|
Signature rows under this heading (their detail cells, and some later category headings, did not survive extraction) cite these sources: Code function, Memory written, String found in binary or memory, Process created, Queries volume information, Key value queried, Binary or memory string, WMI Queries. |
Stealing of Sensitive Information |
---|
Signature rows under this heading (their detail cells did not survive extraction) cite these sources: File source, String found in binary or memory, File opened, Directory queried. |
Remote Access Functionality
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 211 Process Injection | 11 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 211 Process Injection | LSASS Memory | 1 Query Registry | Remote Desktop Protocol | 41 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 141 Security Software Discovery | SMB/Windows Admin Shares | 2 Clipboard Data | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 11 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 11 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 33 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Detection | Scanner | Label |
---|---|---|
53% | Virustotal | |
50% | ReversingLabs | Win32.Exploit.LummaC |
100% | Joe Sandbox ML | |
Detection | Scanner | Label |
---|---|---|
100% | Avira URL Cloud | malware |
100% | Avira URL Cloud | malware |
100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
tacitglibbr.biz | 104.21.50.161 | true | false | | high |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
104.21.50.161 | tacitglibbr.biz | United States | 13335 | CLOUDFLARENETUS | false |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1576576 |
Start date and time: | 2024-12-17 09:43:46 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 22s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 6 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | X2hna87N3Y.exe (renamed because original name is a hash value) |
Original Sample Name: | 443f4cf9f362a96bbd0845ba6d2859f0.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@4/0@1/1 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.63
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description |
---|---|---|
03:44:46 | API Interceptor |
Match | Detection | Threat Name |
---|---|---|
104.21.50.161 | malicious | LummaC |
| malicious | LummaC, Stealc |
| malicious | LummaC, Stealc |
| malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar |
| malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar |
| malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar |
| malicious | LummaC |
| malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Xmrig |
| malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar |
| malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar |
Match | Detection | Threat Name |
---|---|---|
tacitglibbr.biz | malicious | LummaC, Amadey, LummaC Stealer, Xmrig |
| malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Xmrig |
| malicious | LummaC |
| malicious | LummaC, Stealc |
| malicious | LummaC, Stealc |
| malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar |
| malicious | LummaC, Amadey, Credential Flusher, Cryptbot, DCRat, LummaC Stealer, PureLog Stealer |
| malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar |
| malicious | LummaC, Stealc |
| malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar |
Match | Detection | Threat Name |
---|---|---|
CLOUDFLARENETUS | malicious | Snake Keylogger, VIP Keylogger |
| malicious | HTMLPhisher |
| malicious | LummaC |
| malicious | Snake Keylogger |
| malicious | Unknown |
| malicious | LummaC |
| malicious | Unknown |
| malicious | RedLine |
| malicious | RedLine, SectopRAT |
| malicious | RedLine |
Match | Detection | Threat Name |
---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | malicious | LummaC |
| malicious | LummaC |
| malicious | LummaC |
| malicious | LummaC |
| malicious | LummaC |
| malicious | LummaC |
| malicious | LummaC, Amadey, LiteHTTP Bot, LummaC Stealer, RHADAMANTHYS, Xmrig |
| malicious | LummaC, Amadey, Cryptbot, LiteHTTP Bot, LummaC Stealer, Stealc, Xmrig |
| malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Xmrig |
| malicious | LummaC, Amadey, LiteHTTP Bot, LummaC Stealer, RHADAMANTHYS, Xmrig |
File type: | |
Entropy (8bit): | 7.804689296683032 |
TrID: | |
File name: | X2hna87N3Y.exe |
File size: | 800'256 bytes |
MD5: | 443f4cf9f362a96bbd0845ba6d2859f0 |
SHA1: | 1bf75dea31eaf0c26da3428ae2b8518771989522 |
SHA256: | e11c9223741b2d1291f1031539da3dd183ce2ac4b2de705d92366c6f61d94aa5 |
SHA512: | f43bf238027dacc972e98caff32461c680aefe1197be827348bb8bd371f85456352fbebf5bffa2381f6496466da2acef549c01c4e06c8d52727539196755db9a |
SSDEEP: | 24576:ErtEhokkSG46ZY4vaIAaCzxZY4vaIAaCzs:ErGhokkSG4kdCzvdCzs |
TLSH: | FC05010170C0C072D86725BA64F6AF75AE3EF4300F766ADB9B980F799B211C19635B1A |
File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....^g.........."......f........................@.......................................@.....................................P.. |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x40c312 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x675EBBFA [Sun Dec 15 11:22:34 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 49250672a2ab6e8bdde5f4e329392300 |
Instruction |
---|
call 00007F5D60BBA05Ah |
jmp 00007F5D60BB9EC9h |
mov ecx, dword ptr [00432840h] |
push esi |
push edi |
mov edi, BB40E64Eh |
mov esi, FFFF0000h |
cmp ecx, edi |
je 00007F5D60BBA056h |
test esi, ecx |
jne 00007F5D60BBA078h |
call 00007F5D60BBA081h |
mov ecx, eax |
cmp ecx, edi |
jne 00007F5D60BBA059h |
mov ecx, BB40E64Fh |
jmp 00007F5D60BBA060h |
test esi, ecx |
jne 00007F5D60BBA05Ch |
or eax, 00004711h |
shl eax, 10h |
or ecx, eax |
mov dword ptr [00432840h], ecx |
not ecx |
pop edi |
mov dword ptr [00432880h], ecx |
pop esi |
ret |
push ebp |
mov ebp, esp |
sub esp, 14h |
lea eax, dword ptr [ebp-0Ch] |
xorps xmm0, xmm0 |
push eax |
movlpd qword ptr [ebp-0Ch], xmm0 |
call dword ptr [00430920h] |
mov eax, dword ptr [ebp-08h] |
xor eax, dword ptr [ebp-0Ch] |
mov dword ptr [ebp-04h], eax |
call dword ptr [004308D4h] |
xor dword ptr [ebp-04h], eax |
call dword ptr [004308D0h] |
xor dword ptr [ebp-04h], eax |
lea eax, dword ptr [ebp-14h] |
push eax |
call dword ptr [00430968h] |
mov eax, dword ptr [ebp-10h] |
lea ecx, dword ptr [ebp-04h] |
xor eax, dword ptr [ebp-14h] |
xor eax, dword ptr [ebp-04h] |
xor eax, ecx |
leave |
ret |
mov eax, 00004000h |
ret |
push 00433D60h |
call dword ptr [00430940h] |
ret |
push 00030000h |
push 00010000h |
push 00000000h |
call 00007F5D60BC0D92h |
add esp, 0Ch |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x30694 | 0x50 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x37000 | 0xe8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x38000 | 0x1c78 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x2cb78 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x28ff8 | 0xc0 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x30860 | 0x17c | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x2646d | 0x26600 | 1cb7d0c9464ff9128ba37efaba3a0910 | False | 0.5475111970684039 | data | 6.556524326867543 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x28000 | 0x9bec | 0x9c00 | 878d385b80bbd700cbb2c5199eea38b8 | False | 0.43246694711538464 | data | 4.997055879664181 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x32000 | 0x252c | 0x1600 | a99215662023900c738cb0230ba36a9a | False | 0.40873579545454547 | data | 4.766185881298672 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.CODE | 0x35000 | 0xef4 | 0x1000 | 540c3f0f86009f36fac5556f91f62d2a | False | 0.498291015625 | data | 5.7055594939540075 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.tls | 0x36000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x37000 | 0xe8 | 0x200 | a6b9bc0f9a7419955ff68c6924c37c42 | False | 0.306640625 | data | 2.344915704357875 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x38000 | 0x1c78 | 0x1e00 | d59be9c629a3697e2f595ead5e7c7371 | False | 0.7571614583333334 | data | 6.452492512245182 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.bss | 0x3a000 | 0x47200 | 0x47200 | ed9994771f012739118aa84a4b9096a1 | False | 1.000329525483304 | data | 7.999382444394363 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.bss | 0x82000 | 0x47200 | 0x47200 | ed9994771f012739118aa84a4b9096a1 | False | 1.000329525483304 | data | 7.999382444394363 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_MANIFEST | 0x37060 | 0x87 | XML 1.0 document, ASCII text | English | United States | 0.8222222222222222 |
DLL | Import |
---|---|
ADVAPI32.dll | CryptContextAddRef |
KERNEL32.dll | AcquireSRWLockExclusive, CloseHandle, CompareStringW, CreateFileW, CreateThread, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, ExitThread, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeThread, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, WaitForSingleObjectEx, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile |
USER32.dll | DefWindowProcW, GetMessageW, RegisterClassW |
Language of compilation system | Country where language is spoken |
---|---|
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-17T09:44:44.702846+0100 | 2058230 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tacitglibbr .biz) | 1 | 192.168.2.4 | 54326 | 1.1.1.1 | 53 | UDP |
2024-12-17T09:44:46.252787+0100 | 2058231 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (tacitglibbr .biz in TLS SNI) | 1 | 192.168.2.4 | 49730 | 104.21.50.161 | 443 | TCP |
2024-12-17T09:44:46.252787+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49730 | 104.21.50.161 | 443 | TCP |
2024-12-17T09:44:47.246583+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49730 | 104.21.50.161 | 443 | TCP |
2024-12-17T09:44:47.246583+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49730 | 104.21.50.161 | 443 | TCP |
2024-12-17T09:44:48.513726+0100 | 2058231 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (tacitglibbr .biz in TLS SNI) | 1 | 192.168.2.4 | 49731 | 104.21.50.161 | 443 | TCP |
2024-12-17T09:44:48.513726+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 104.21.50.161 | 443 | TCP |
2024-12-17T09:44:49.565445+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49731 | 104.21.50.161 | 443 | TCP |
2024-12-17T09:44:49.565445+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49731 | 104.21.50.161 | 443 | TCP |
2024-12-17T09:44:51.088601+0100 | 2058231 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (tacitglibbr .biz in TLS SNI) | 1 | 192.168.2.4 | 49732 | 104.21.50.161 | 443 | TCP |
2024-12-17T09:44:51.088601+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49732 | 104.21.50.161 | 443 | TCP |
2024-12-17T09:44:52.295457+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49732 | 104.21.50.161 | 443 | TCP |
2024-12-17T09:44:53.644621+0100 | 2058231 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (tacitglibbr .biz in TLS SNI) | 1 | 192.168.2.4 | 49733 | 104.21.50.161 | 443 | TCP |
2024-12-17T09:44:53.644621+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49733 | 104.21.50.161 | 443 | TCP |
2024-12-17T09:44:55.870029+0100 | 2058231 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (tacitglibbr .biz in TLS SNI) | 1 | 192.168.2.4 | 49734 | 104.21.50.161 | 443 | TCP |
2024-12-17T09:44:55.870029+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49734 | 104.21.50.161 | 443 | TCP |
2024-12-17T09:44:58.597611+0100 | 2058231 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (tacitglibbr .biz in TLS SNI) | 1 | 192.168.2.4 | 49735 | 104.21.50.161 | 443 | TCP |
2024-12-17T09:44:58.597611+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49735 | 104.21.50.161 | 443 | TCP |
2024-12-17T09:45:03.023443+0100 | 2058231 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (tacitglibbr .biz in TLS SNI) | 1 | 192.168.2.4 | 49740 | 104.21.50.161 | 443 | TCP |
2024-12-17T09:45:03.023443+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49740 | 104.21.50.161 | 443 | TCP |
2024-12-17T09:45:06.714844+0100 | 2058231 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (tacitglibbr .biz in TLS SNI) | 1 | 192.168.2.4 | 49743 | 104.21.50.161 | 443 | TCP |
2024-12-17T09:45:06.714844+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49743 | 104.21.50.161 | 443 | TCP |
2024-12-17T09:45:07.452999+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49743 | 104.21.50.161 | 443 | TCP |
Dec 17, 2024 09:45:03.023324966 CET | 443 | 49740 | 104.21.50.161 | 192.168.2.4 |
Dec 17, 2024 09:45:03.023442984 CET | 49740 | 443 | 192.168.2.4 | 104.21.50.161 |
Dec 17, 2024 09:45:03.028511047 CET | 49740 | 443 | 192.168.2.4 | 104.21.50.161 |
Dec 17, 2024 09:45:03.028522968 CET | 443 | 49740 | 104.21.50.161 | 192.168.2.4 |
Dec 17, 2024 09:45:03.028852940 CET | 443 | 49740 | 104.21.50.161 | 192.168.2.4 |
Dec 17, 2024 09:45:03.036089897 CET | 49740 | 443 | 192.168.2.4 | 104.21.50.161 |
Dec 17, 2024 09:45:03.036845922 CET | 49740 | 443 | 192.168.2.4 | 104.21.50.161 |
Dec 17, 2024 09:45:03.036896944 CET | 443 | 49740 | 104.21.50.161 | 192.168.2.4 |
Dec 17, 2024 09:45:03.037327051 CET | 49740 | 443 | 192.168.2.4 | 104.21.50.161 |
Dec 17, 2024 09:45:03.037363052 CET | 443 | 49740 | 104.21.50.161 | 192.168.2.4 |
Dec 17, 2024 09:45:03.037467003 CET | 49740 | 443 | 192.168.2.4 | 104.21.50.161 |
Dec 17, 2024 09:45:03.037545919 CET | 443 | 49740 | 104.21.50.161 | 192.168.2.4 |
Dec 17, 2024 09:45:03.037659883 CET | 49740 | 443 | 192.168.2.4 | 104.21.50.161 |
Dec 17, 2024 09:45:03.037693024 CET | 443 | 49740 | 104.21.50.161 | 192.168.2.4 |
Dec 17, 2024 09:45:03.037806034 CET | 49740 | 443 | 192.168.2.4 | 104.21.50.161 |
Dec 17, 2024 09:45:03.037842989 CET | 443 | 49740 | 104.21.50.161 | 192.168.2.4 |
Dec 17, 2024 09:45:03.037908077 CET | 49740 | 443 | 192.168.2.4 | 104.21.50.161 |
Dec 17, 2024 09:45:03.037918091 CET | 443 | 49740 | 104.21.50.161 | 192.168.2.4 |
Dec 17, 2024 09:45:03.037961960 CET | 49740 | 443 | 192.168.2.4 | 104.21.50.161 |
Dec 17, 2024 09:45:03.037985086 CET | 443 | 49740 | 104.21.50.161 | 192.168.2.4 |
Dec 17, 2024 09:45:03.038016081 CET | 49740 | 443 | 192.168.2.4 | 104.21.50.161 |
Dec 17, 2024 09:45:03.038039923 CET | 443 | 49740 | 104.21.50.161 | 192.168.2.4 |
Dec 17, 2024 09:45:03.038113117 CET | 49740 | 443 | 192.168.2.4 | 104.21.50.161 |
Dec 17, 2024 09:45:03.038137913 CET | 443 | 49740 | 104.21.50.161 | 192.168.2.4 |
Dec 17, 2024 09:45:03.038155079 CET | 49740 | 443 | 192.168.2.4 | 104.21.50.161 |
Dec 17, 2024 09:45:03.038172960 CET | 49740 | 443 | 192.168.2.4 | 104.21.50.161 |
Dec 17, 2024 09:45:03.038268089 CET | 49740 | 443 | 192.168.2.4 | 104.21.50.161 |
Dec 17, 2024 09:45:03.038294077 CET | 49740 | 443 | 192.168.2.4 | 104.21.50.161 |
Dec 17, 2024 09:45:03.079339981 CET | 443 | 49740 | 104.21.50.161 | 192.168.2.4 |
Dec 17, 2024 09:45:03.079529047 CET | 49740 | 443 | 192.168.2.4 | 104.21.50.161 |
Dec 17, 2024 09:45:03.079555988 CET | 49740 | 443 | 192.168.2.4 | 104.21.50.161 |
Dec 17, 2024 09:45:03.108869076 CET | 49740 | 443 | 192.168.2.4 | 104.21.50.161 |
Dec 17, 2024 09:45:03.108890057 CET | 443 | 49740 | 104.21.50.161 | 192.168.2.4 |
Dec 17, 2024 09:45:05.480267048 CET | 443 | 49740 | 104.21.50.161 | 192.168.2.4 |
Dec 17, 2024 09:45:05.480375051 CET | 443 | 49740 | 104.21.50.161 | 192.168.2.4 |
Dec 17, 2024 09:45:05.480483055 CET | 49740 | 443 | 192.168.2.4 | 104.21.50.161 |
Dec 17, 2024 09:45:05.480643988 CET | 49740 | 443 | 192.168.2.4 | 104.21.50.161 |
Dec 17, 2024 09:45:05.480664015 CET | 443 | 49740 | 104.21.50.161 | 192.168.2.4 |
Dec 17, 2024 09:45:05.491220951 CET | 49743 | 443 | 192.168.2.4 | 104.21.50.161 |
Dec 17, 2024 09:45:05.491270065 CET | 443 | 49743 | 104.21.50.161 | 192.168.2.4 |
Dec 17, 2024 09:45:05.491556883 CET | 49743 | 443 | 192.168.2.4 | 104.21.50.161 |
Dec 17, 2024 09:45:05.491739988 CET | 49743 | 443 | 192.168.2.4 | 104.21.50.161 |
Dec 17, 2024 09:45:05.491745949 CET | 443 | 49743 | 104.21.50.161 | 192.168.2.4 |
Dec 17, 2024 09:45:06.714467049 CET | 443 | 49743 | 104.21.50.161 | 192.168.2.4 |
Dec 17, 2024 09:45:06.714843988 CET | 49743 | 443 | 192.168.2.4 | 104.21.50.161 |
Dec 17, 2024 09:45:06.718406916 CET | 49743 | 443 | 192.168.2.4 | 104.21.50.161 |
Dec 17, 2024 09:45:06.718416929 CET | 443 | 49743 | 104.21.50.161 | 192.168.2.4 |
Dec 17, 2024 09:45:06.718725920 CET | 443 | 49743 | 104.21.50.161 | 192.168.2.4 |
Dec 17, 2024 09:45:06.726628065 CET | 49743 | 443 | 192.168.2.4 | 104.21.50.161 |
Dec 17, 2024 09:45:06.726628065 CET | 49743 | 443 | 192.168.2.4 | 104.21.50.161 |
Dec 17, 2024 09:45:06.726815939 CET | 443 | 49743 | 104.21.50.161 | 192.168.2.4 |
Dec 17, 2024 09:45:07.453095913 CET | 443 | 49743 | 104.21.50.161 | 192.168.2.4 |
Dec 17, 2024 09:45:07.453372002 CET | 443 | 49743 | 104.21.50.161 | 192.168.2.4 |
Dec 17, 2024 09:45:07.453458071 CET | 49743 | 443 | 192.168.2.4 | 104.21.50.161 |
Dec 17, 2024 09:45:07.453542948 CET | 49743 | 443 | 192.168.2.4 | 104.21.50.161 |
Dec 17, 2024 09:45:07.453542948 CET | 49743 | 443 | 192.168.2.4 | 104.21.50.161 |
Dec 17, 2024 09:45:07.453566074 CET | 443 | 49743 | 104.21.50.161 | 192.168.2.4 |
Dec 17, 2024 09:45:07.453572035 CET | 443 | 49743 | 104.21.50.161 | 192.168.2.4 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 17, 2024 09:44:44.702846050 CET | 54326 | 53 | 192.168.2.4 | 1.1.1.1 |
Dec 17, 2024 09:44:45.018381119 CET | 53 | 54326 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Dec 17, 2024 09:44:44.702846050 CET | 192.168.2.4 | 1.1.1.1 | 0xb986 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Dec 17, 2024 09:44:45.018381119 CET | 1.1.1.1 | 192.168.2.4 | 0xb986 | No error (0) | | | 104.21.50.161 | A (IP address) | IN (0x0001) | false |
Dec 17, 2024 09:44:45.018381119 CET | 1.1.1.1 | 192.168.2.4 | 0xb986 | No error (0) | | | 172.67.164.37 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.4 | 49730 | 104.21.50.161 | 443 | 7536 | C:\Users\user\Desktop\X2hna87N3Y.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-17 08:44:46 UTC | 262 | OUT | |
2024-12-17 08:44:46 UTC | 8 | OUT | |
2024-12-17 08:44:47 UTC | 1038 | IN | |
2024-12-17 08:44:47 UTC | 7 | IN | |
2024-12-17 08:44:47 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.4 | 49731 | 104.21.50.161 | 443 | 7536 | C:\Users\user\Desktop\X2hna87N3Y.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-17 08:44:48 UTC | 263 | OUT | |
2024-12-17 08:44:48 UTC | 52 | OUT | |
2024-12-17 08:44:49 UTC | 1037 | IN | |
2024-12-17 08:44:49 UTC | 332 | IN | |
2024-12-17 08:44:49 UTC | 1369 | IN | |
2024-12-17 08:44:49 UTC | 1369 | IN | |
2024-12-17 08:44:49 UTC | 1369 | IN | |
2024-12-17 08:44:49 UTC | 1369 | IN | |
2024-12-17 08:44:49 UTC | 1369 | IN | |
2024-12-17 08:44:49 UTC | 1369 | IN | |
2024-12-17 08:44:49 UTC | 1369 | IN | |
2024-12-17 08:44:49 UTC | 1369 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.4 | 49732 | 104.21.50.161 | 443 | 7536 | C:\Users\user\Desktop\X2hna87N3Y.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-17 08:44:51 UTC | 276 | OUT | |
2024-12-17 08:44:51 UTC | 15331 | OUT | |
2024-12-17 08:44:51 UTC | 2807 | OUT | |
2024-12-17 08:44:52 UTC | 1043 | IN | |
2024-12-17 08:44:52 UTC | 20 | IN | |
2024-12-17 08:44:52 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.4 | 49733 | 104.21.50.161 | 443 | 7536 | C:\Users\user\Desktop\X2hna87N3Y.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-17 08:44:53 UTC | 276 | OUT | |
2024-12-17 08:44:53 UTC | 8765 | OUT | |
2024-12-17 08:44:54 UTC | 1030 | IN | |
2024-12-17 08:44:54 UTC | 20 | IN | |
2024-12-17 08:44:54 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.4 | 49734 | 104.21.50.161 | 443 | 7536 | C:\Users\user\Desktop\X2hna87N3Y.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-17 08:44:55 UTC | 274 | OUT | |
2024-12-17 08:44:55 UTC | 15331 | OUT | |
2024-12-17 08:44:55 UTC | 5069 | OUT | |
2024-12-17 08:44:56 UTC | 1044 | IN | |
2024-12-17 08:44:56 UTC | 20 | IN | |
2024-12-17 08:44:56 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.4 | 49735 | 104.21.50.161 | 443 | 7536 | C:\Users\user\Desktop\X2hna87N3Y.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-17 08:44:58 UTC | 278 | OUT | |
2024-12-17 08:44:58 UTC | 1266 | OUT | |
2024-12-17 08:45:00 UTC | 1034 | IN | |
2024-12-17 08:45:00 UTC | 20 | IN | |
2024-12-17 08:45:00 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.4 | 49740 | 104.21.50.161 | 443 | 7536 | C:\Users\user\Desktop\X2hna87N3Y.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-17 08:45:03 UTC | 279 | OUT | |
2024-12-17 08:45:03 UTC | 15331 | OUT | |
2024-12-17 08:45:03 UTC | 15331 | OUT | |
2024-12-17 08:45:03 UTC | 15331 | OUT | |
2024-12-17 08:45:03 UTC | 15331 | OUT | |
2024-12-17 08:45:03 UTC | 15331 | OUT | |
2024-12-17 08:45:03 UTC | 15331 | OUT | |
2024-12-17 08:45:03 UTC | 15331 | OUT | |
2024-12-17 08:45:03 UTC | 15331 | OUT | |
2024-12-17 08:45:03 UTC | 15331 | OUT | |
2024-12-17 08:45:03 UTC | 15331 | OUT | |
2024-12-17 08:45:05 UTC | 1050 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.4 | 49743 | 104.21.50.161 | 443 | 7536 | C:\Users\user\Desktop\X2hna87N3Y.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-17 08:45:06 UTC | 263 | OUT | |
2024-12-17 08:45:06 UTC | 87 | OUT | |
2024-12-17 08:45:07 UTC | 1032 | IN | |
2024-12-17 08:45:07 UTC | 54 | IN | |
2024-12-17 08:45:07 UTC | 5 | IN | |
Target ID: | 0 |
Start time: | 03:44:39 |
Start date: | 17/12/2024 |
Path: | C:\Users\user\Desktop\X2hna87N3Y.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd80000 |
File size: | 800'256 bytes |
MD5 hash: | 443F4CF9F362A96BBD0845BA6D2859F0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 03:44:40 |
Start date: | 17/12/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 2 |
Start time: | 03:44:43 |
Start date: | 17/12/2024 |
Path: | C:\Users\user\Desktop\X2hna87N3Y.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd80000 |
File size: | 800'256 bytes |
MD5 hash: | 443F4CF9F362A96BBD0845BA6D2859F0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Execution Graph
Execution Coverage: | 6% |
Dynamic/Decrypted Code Coverage: | 0.5% |
Signature Coverage: | 2.5% |
Total number of Nodes: | 2000 |
Total number of Limit Nodes: | 26 |
Graph
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
00DB21A9 | 42.3 | 10 | 14 | 295 | thread, injection, memory, COMMON |
00D98362 | 10.6 | 4 | 2 | 74 | COMMON, LIBRARYCODE |
00DB57C0 | 9.2 | 6 | | 162 | file, COMMON |
00DB5660 | 5.3 | 2 | 1 | 81 | memory, COMMON |
00D91131 | 4.6 | 3 | | 51 | thread, COMMON |
00D98E82 | 3.1 | 2 | | 65 | COMMON |
00DB5B10 | 3.0 | 2 | | 48 | COMMON |
00D91249 | 3.0 | 2 | | 38 | thread, COMMON |
00DB5600 | 3.0 | 2 | | 28 | COMMON |
00D8A10F | 1.6 | 1 | | 111 | COMMON |
00D88770 | 1.6 | 1 | | 56 | COMMON |
00D88B60 | 1.6 | 1 | | 53 | COMMON |
00D8A101 | 1.5 | 1 | | 48 | COMMON |
00D98700 | 1.5 | 1 | | 39 | memory, COMMON, LIBRARYCODE |
00D97381 | 1.5 | 1 | | 32 | memory, COMMON, LIBRARYCODE |
00D9C611 | 7.7 | 5 | | 182 | COMMON |
00D95790 | 6.5 | 4 | | 455 | COMMON |
00D9D358 | 6.2 | 4 | | 206 | file, COMMON |
00D8B64C | 6.1 | 4 | | 70 | COMMON |
00D8C367 | 6.0 | 4 | | 25 | time, thread, COMMON, LIBRARYCODE |
00D9C8FD | 4.7 | 3 | | 205 | COMMON |
00D8B2B8 | 1.7 | 1 | | 242 | COMMON |
00D9CBAF | 1.6 | 1 | | 83 | COMMON |
00D8FF5A | 1.6 | | 1 | 333 | COMMON |
00D9C862 | 1.6 | 1 | | 63 | COMMON |
00D9CCCF | 1.6 | 1 | | 63 | COMMON |
00D9CE7C | 1.5 | 1 | | 48 | COMMON |
00D9CB50 | 1.5 | 1 | | 41 | COMMON |
00D98610 | 1.5 | 1 | | 33 | COMMON |
00D9CC84 | 1.5 | 1 | | 31 | COMMON |
00D9806C | 1.5 | 1 | | 24 | COMMON |
00D8B640 | 1.5 | 1 | | 3 | COMMON |
00D98D25 | 1.3 | 1 | | 5 | memory, COMMON |
00DB5000 | 0.1 | | | 109 | COMMON |
00DB55D0 | 0.0 | | | 15 | COMMON |
00DA5DA2 | 12.2 | 8 | | 248 | COMMON |
00D8BC65 | 12.2 | 8 | | 177 | COMMON |
00D9A29B | 10.8 | 7 | | 329 | COMMON |
00D8BEDC | 10.5 | 3 | 3 | 15 | library, loader, COMMON |
00D969DA | 9.1 | 2 | 3 | 301 | COMMON, LIBRARYCODE |
00DB5C74 | 8.8 | 3 | 2 | 63 | registry, window, COMMON |
00D9139D | 8.8 | 3 | 2 | 42 | library, loader, COMMON, LIBRARYCODE |
00D98B36 | 7.7 | 5 | | 197 | COMMON |
00D8BB07 | 7.6 | 5 | | 116 | thread, COMMON |
00DA1BB1 | 7.0 | 3 | 1 | 27 | library, COMMON, LIBRARYCODE |
00D9D135 | 6.1 | 4 | | 82 | COMMON |
00D8EA02 | 6.1 | 4 | | 79 | COMMON |
00D9E52B | 6.1 | 4 | | 74 | COMMON |
00D81690 | 6.1 | 4 | | 53 | thread, COMMON |
00D8AA61 | 6.0 | 4 | | 49 | COMMON |
00D96DFE | 5.4 | 1 | 2 | 124 | COMMON, LIBRARYCODE |
00D9666A | 5.3 | 1 | 2 | 97 | COMMON, LIBRARYCODE |
Execution Graph
Execution Coverage: | 5% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 35.5% |
Total number of Nodes: | 234 |
Total number of Limit Nodes: | 17 |
Graph
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
00435880 | 26.9 | 11 | 4 | 699 | memory, com, COMMON |
00418A48 | 9.1 | 1 | 4 | 374 | encryption, COMMON |
00408870 | 7.6 | 5 | | 111 | thread, COMMON |
0040C97B | 2.8 | | 2 | 306 | COMMON |
0043C070 | 2.6 | | 2 | 141 | COMMON |
00439DF0 | 1.5 | 1 | | 14 | library, COMMON |
0040C593 | 1.4 | | 1 | 164 | COMMON |
004256E0 | 0.3 | | | 281 | COMMON |
0043A92F | 3.0 | 2 | | 8 | COMMON |
00409A30 | 1.6 | 1 | | 68 | library, COMMON |
00433961 | 1.5 | 1 | | 48 | COMMON |
00439D90 | 1.5 | 1 | | 30 | memory, COMMON |
00438570 | 1.5 | 1 | | 26 | memory, COMMON |
0042D6A0 | 1.5 | 1 | | 24 | COMMON |
0042EDE6 | 1.5 | 1 | | 23 | COMMON |
0040C900 | 1.5 | 1 | | 20 | COMMON |
0040C93E | 1.5 | 1 | | 20 | COMMON |
00438550 | 1.5 | 1 | | 9 | memory, COMMON |
004303D0 | 31.6 | 6 | 12 | 116 | clipboard, COMMON |
00423249 | 24.8 | | 19 | 1046 | COMMON |
004232C0 | 24.6 | | 19 | 860 | COMMON |
0040BAB0 | 11.4 | | 9 | 122 | COMMON |
0040BC3E | 11.4 | | 9 | 118 | COMMON |
00416C91 | 10.8 | | 8 | 764 | COMMON |
00418F36 | 10.1 | | 8 | 88 | COMMON |
004275C0 | 9.3 | | 7 | 515 | COMMON |
004091B0 | 9.1 | | 7 | 382 | COMMON |
00D9C611 | 7.7 | 5 | | 182 | COMMON |
0041D520 | 7.1 | | 5 | 867 | COMMON |
00424F90 | 6.7 | | 5 | 465 | COMMON |
004095B0 | 6.6 | | 5 | 346 | COMMON |
0042C024 | 6.5 | | 5 | 219 | COMMON |
00D95790 | 6.5 | 4 | | 455 | COMMON |
0041A9F0 | 6.3 | | 5 | 64 | COMMON |
00D8B64C | 6.1 | 4 | | 70 | COMMON |
00DB52D0 | 5.4 | 2 | 1 | 156 | encryption, COMMON |
0040A740 | 5.4 | | 4 | 387 | COMMON |
00418E01 | 5.0 | | 4 | 37 | COMMON |
0041AC8E | 3.9 | | 3 | 142 | COMMON |
00428480 | 2.9 | | 2 | 432 | COMMON |
0041BE3C | 2.8 | | 2 | 342 | COMMON |
00416494 | 2.8 | | 2 | 320 | COMMON |
00408F00 | 2.8 | | 2 | 283 | COMMON |
0042B258 | 2.7 | | 2 | 229 | COMMON |
0042B3C0 | 2.7 | | 2 | 226 | COMMON |
0040C22A | 2.6 | | 2 | 53 | COMMON |
00421AAD | 1.9 | | 1 | 610 | COMMON |
00421390 | 1.7 | | 1 | 458 | COMMON |
004294A0 | 1.7 | | 1 | 413 | COMMON |
00436B74 | 1.7 | | 1 | 410 | COMMON |
00425A42 | 1.5 | | 1 | 254 | COMMON |
00427F40 | 1.5 | | 1 | 219 | COMMON |
0041A7EF | 1.4 | | 1 | 142 | COMMON |
00427726 | 1.3 | | 1 | 52 | COMMON |
00407490 | 0.7 | | | 664 | COMMON |
0043B4D0 | 0.6 | | | 590 | COMMON |
0043B5C0 | 0.5 | | | 491 | COMMON |
0041B3B2 | 0.5 | | | 464 | COMMON |
004363A0 | 0.5 | | | 463 | COMMON |
00405930 | 0.4 | | | 449 | COMMON |
0043B6E0 | 0.4 | | | 402 | COMMON |
0043B770 | 0.4 | | | 367 | COMMON |
0043B800 | 0.4 | | | 356 | COMMON |
00427250 | 0.3 | | | 328 | COMMON |
00438A00 | 0.2 | | | 236 | COMMON |
0043BA90 | 0.2 | | | 189 | COMMON |
0042C3A4 | 0.2 | | | 175 | COMMON |
00428D60 | 0.2 | | | 175 | COMMON |
0042AD2D | 0.2 | | | 168 | COMMON |
0042C189 | 0.2 | | | 156 | COMMON |
00426288 | 0.1 | | | 96 | COMMON |
004262B1 | 0.1 | | | 81 | COMMON |
004330F0 | 0.1 | | | 64 | COMMON |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00428EF0 Relevance: .1, Instructions: 63COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00439B80 Relevance: .0, Instructions: 12COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0041C6A4 Relevance: .0, Instructions: 7COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042F2CE Relevance: 66.7, APIs: 1, Strings: 37, Instructions: 168memoryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00D8BC65 Relevance: 12.2, APIs: 8, Instructions: 177COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00D9A29B Relevance: 10.8, APIs: 7, Instructions: 329COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00D98362 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00D8BEDC Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00D969DA Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00DB5C74 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 63registrywindowCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00D9139D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00D98B36 Relevance: 7.7, APIs: 5, Instructions: 197COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00DB57C0 Relevance: 7.7, APIs: 5, Instructions: 162COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00D8BB07 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00DA1BB1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00D9D135 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00D8EA02 Relevance: 6.1, APIs: 4, Instructions: 79COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00D9E52B Relevance: 6.1, APIs: 4, Instructions: 74COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00D81690 Relevance: 6.1, APIs: 4, Instructions: 53threadCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00D8AA61 Relevance: 6.0, APIs: 4, Instructions: 49COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00D8C367 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00D96DFE Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00D9666A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|