Windows
Analysis Report
external.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- external.exe (PID: 7004 cmdline: "C:\Users\user\Desktop\external.exe" MD5: 88CD76E4609E50C6435EBC4771427D2C)
  - conhost.exe (PID: 7028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - external.exe (PID: 7140 cmdline: "C:\Users\user\Desktop\external.exe" MD5: 88CD76E4609E50C6435EBC4771427D2C)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | |
{"C2 url": ["wordyfindy.lat", "slipperyloo.lat", "talkynicer.lat", "manyrestro.lat", "bellflamre.click", "shapestickyr.lat", "bashfulacid.lat", "curverpluch.lat", "tentabatte.lat"], "Build id": "LPnhqo--alaeljhsfdmg"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-23T00:12:00.721501+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49730 | 104.21.19.35 | 443 | TCP |
2024-12-23T00:12:02.708743+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 104.21.19.35 | 443 | TCP |
2024-12-23T00:12:05.137214+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 104.21.19.35 | 443 | TCP |
2024-12-23T00:12:18.646834+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49735 | 104.21.19.35 | 443 | TCP |
2024-12-23T00:12:20.849251+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49738 | 104.21.19.35 | 443 | TCP |
2024-12-23T00:12:23.461200+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49740 | 104.21.19.35 | 443 | TCP |
2024-12-23T00:12:26.189139+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49742 | 104.21.19.35 | 443 | TCP |
2024-12-23T00:12:30.898745+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49743 | 104.21.19.35 | 443 | TCP |
2024-12-23T00:12:01.470847+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 104.21.19.35 | 443 | TCP |
2024-12-23T00:12:03.527568+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 104.21.19.35 | 443 | TCP |
2024-12-23T00:12:01.470847+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 104.21.19.35 | 443 | TCP |
2024-12-23T00:12:03.527568+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 104.21.19.35 | 443 | TCP |
2024-12-23T00:11:58.949369+0100 | 2058212 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 56647 | 1.1.1.1 | 53 | UDP |
2024-12-23T00:12:24.539100+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.21.19.35 | 443 | TCP |
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | Virustotal: |
Source: | Joe Sandbox ML: |
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: |
Source: | Code function: | 2_2_00414DF0 |
Source: | Static PE information: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Code function: | 0_2_00719126 |
Source: | Code function: | 2_2_0043D0E0 | |
Source: | Code function: | 2_2_0042C273 | |
Source: | Code function: | 2_2_0042C273 | |
Source: | Code function: | 2_2_00425B50 | |
Source: | Code function: | 2_2_0042BB35 | |
Source: | Code function: | 2_2_0042BB35 | |
Source: | Code function: | 2_2_0042BB35 | |
Source: | Code function: | 2_2_0043BC60 | |
Source: | Code function: | 2_2_00414DF0 | |
Source: | Code function: | 2_2_0040CD9C | |
Source: | Code function: | 2_2_0040CD9C | |
Source: | Code function: | 2_2_0043A6D4 | |
Source: | Code function: | 2_2_00438750 | |
Source: | Code function: | 2_2_0040B75E | |
Source: | Code function: | 2_2_0041C840 | |
Source: | Code function: | 2_2_0041C840 | |
Source: | Code function: | 2_2_00408860 | |
Source: | Code function: | 2_2_00425079 | |
Source: | Code function: | 2_2_0041C0E0 | |
Source: | Code function: | 2_2_004298E0 | |
Source: | Code function: | 2_2_00408090 | |
Source: | Code function: | 2_2_00419890 | |
Source: | Code function: | 2_2_00419890 | |
Source: | Code function: | 2_2_00419890 | |
Source: | Code function: | 2_2_00419890 | |
Source: | Code function: | 2_2_00419890 | |
Source: | Code function: | 2_2_00419890 | |
Source: | Code function: | 2_2_00419890 | |
Source: | Code function: | 2_2_00419890 | |
Source: | Code function: | 2_2_00422F90 | |
Source: | Code function: | 2_2_00422F90 | |
Source: | Code function: | 2_2_0042891E | |
Source: | Code function: | 2_2_00428134 | |
Source: | Code function: | 2_2_004331D0 | |
Source: | Code function: | 2_2_0042A9E8 | |
Source: | Code function: | 2_2_0042C9AF | |
Source: | Code function: | 2_2_0043B9B0 | |
Source: | Code function: | 2_2_0041EA50 | |
Source: | Code function: | 2_2_0043D270 | |
Source: | Code function: | 2_2_0043AA2A | |
Source: | Code function: | 2_2_00422232 | |
Source: | Code function: | 2_2_0042834D | |
Source: | Code function: | 2_2_0042834D | |
Source: | Code function: | 2_2_0042834D | |
Source: | Code function: | 2_2_00421B60 | |
Source: | Code function: | 2_2_00427B00 | |
Source: | Code function: | 2_2_00416B06 | |
Source: | Code function: | 2_2_00416B06 | |
Source: | Code function: | 2_2_00416B06 | |
Source: | Code function: | 2_2_00416B06 | |
Source: | Code function: | 2_2_00416B06 | |
Source: | Code function: | 2_2_00416B06 | |
Source: | Code function: | 2_2_00416B06 | |
Source: | Code function: | 2_2_0040CB10 |
Networking |
---|
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Code function: | 2_2_00431A20 |
Source: | Code function: | 0_2_0070C040 | |
Source: | Code function: | 0_2_006F1000 | |
Source: | Code function: | 0_2_00706194 | |
Source: | Code function: | 0_2_00711250 | |
Source: | Code function: | 0_2_0071EB72 | |
Source: | Code function: | 0_2_0070AC41 | |
Source: | Code function: | 0_2_0071CD97 | |
Source: | Code function: | 2_2_0040A850 | |
Source: | Code function: | 2_2_0040C1C0 | |
Source: | Code function: | 2_2_0042C273 | |
Source: | Code function: | 2_2_00435AC0 | |
Source: | Code function: | 2_2_00425B50 | |
Source: | Code function: | 2_2_00422B70 | |
Source: | Code function: | 2_2_0042BB35 | |
Source: | Code function: | 2_2_00409BE9 | |
Source: | Code function: | 2_2_004103FA | |
Source: | Code function: | 2_2_00408450 | |
Source: | Code function: | 2_2_00414DF0 | |
Source: | Code function: | 2_2_0043BD90 | |
Source: | Code function: | 2_2_0040CD9C | |
Source: | Code function: | 2_2_00420E70 | |
Source: | Code function: | 2_2_00438750 | |
Source: | Code function: | 2_2_0043C770 | |
Source: | Code function: | 2_2_00409050 | |
Source: | Code function: | 2_2_00419058 | |
Source: | Code function: | 2_2_00425079 | |
Source: | Code function: | 2_2_004038C0 | |
Source: | Code function: | 2_2_0041F0E0 | |
Source: | Code function: | 2_2_0041C0E0 | |
Source: | Code function: | 2_2_00425684 | |
Source: | Code function: | 2_2_00408090 | |
Source: | Code function: | 2_2_00419890 | |
Source: | Code function: | 2_2_0043C0B0 | |
Source: | Code function: | 2_2_00406160 | |
Source: | Code function: | 2_2_00405900 | |
Source: | Code function: | 2_2_0042712C | |
Source: | Code function: | 2_2_00435130 | |
Source: | Code function: | 2_2_004339D5 | |
Source: | Code function: | 2_2_004189F4 | |
Source: | Code function: | 2_2_0040E9A0 | |
Source: | Code function: | 2_2_004119A0 | |
Source: | Code function: | 2_2_0043B9B0 | |
Source: | Code function: | 2_2_0041DA60 | |
Source: | Code function: | 2_2_00430A60 | |
Source: | Code function: | 2_2_00404270 | |
Source: | Code function: | 2_2_00422232 | |
Source: | Code function: | 2_2_00402AF0 | |
Source: | Code function: | 2_2_0042EAF4 | |
Source: | Code function: | 2_2_0042834D | |
Source: | Code function: | 2_2_0040B300 | |
Source: | Code function: | 2_2_00427B00 | |
Source: | Code function: | 2_2_00416B06 | |
Source: | Code function: | 2_2_0041D330 | |
Source: | Code function: | 2_2_0041AB30 | |
Source: | Code function: | 2_2_0043B33D |
Source: | Code function: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Code function: | 2_2_00435AC0 |
Source: | Mutant created: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Binary or memory string: |
Source: | Virustotal: |
Source: | File read: |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Code function: | 0_2_007067D6 | |
Source: | Code function: | 2_3_00DE8F60 | |
Source: | Code function: | 2_3_00DE8F60 | |
Source: | Code function: | 2_3_00DE93D0 | |
Source: | Code function: | 2_3_00DE93D0 | |
Source: | Code function: | 2_3_00DECD08 | |
Source: | Code function: | 2_3_00DECD08 | |
Source: | Code function: | 2_3_00DF5A80 | |
Source: | Code function: | 2_3_00DF5A80 | |
Source: | Code function: | 2_3_00DF5A80 | |
Source: | Code function: | 2_3_00DF5A80 | |
Source: | Code function: | 2_3_00DF5A80 | |
Source: | Code function: | 2_3_00DF78D8 | |
Source: | Code function: | 2_3_00DF78D8 | |
Source: | Code function: | 2_3_00DF78D8 | |
Source: | Code function: | 2_3_00DF78D8 | |
Source: | Code function: | 2_3_00DF78D8 | |
Source: | Code function: | 2_3_00DFBEE5 | |
Source: | Code function: | 2_3_00DFBEE5 | |
Source: | Code function: | 2_3_00DFBEE5 | |
Source: | Code function: | 2_3_00DFBEE5 | |
Source: | Code function: | 2_3_00DFBEE5 | |
Source: | Code function: | 2_3_00DFBEE5 | |
Source: | Code function: | 2_3_00DFBEE5 | |
Source: | Code function: | 2_3_00DF5A80 | |
Source: | Code function: | 2_3_00DF5A80 | |
Source: | Code function: | 2_3_00DF5A80 | |
Source: | Code function: | 2_3_00DF5A80 | |
Source: | Code function: | 2_3_00DF5A80 | |
Source: | Code function: | 2_3_00DF78D8 | |
Source: | Code function: | 2_3_00DF78D8 |
Source: | Registry key monitored for changes: |
Source: | Registry key monitored for changes: |
Source: | Process information set: |
Malware Analysis System Evasion |
---|
Source: | System information queried: |
Source: | Evasive API call chain: | graph_0-21841 |
Source: | Thread sleep time: |
Source: | Thread sleep time: |
Source: | WMI Queries: |
Source: | Code function: | 0_2_00719126 |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Process information queried: |
Source: | Code function: | 2_2_00439E70 |
Source: | Code function: | 0_2_0070F2B0 |
Source: | Code function: | 0_2_0072F19E | |
Source: | Code function: | 0_2_006F16C0 |
Source: | Code function: | 0_2_00714ABC |
Source: | Code function: | 0_2_0070616C | |
Source: | Code function: | 0_2_0070F2B0 | |
Source: | Code function: | 0_2_00706528 | |
Source: | Code function: | 0_2_0070651C |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Code function: | 0_2_0072F19E |
Source: | Memory written: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Process created: |
Source: | Code function: | 0_2_007183DF | |
Source: | Code function: | 0_2_007143A7 | |
Source: | Code function: | 0_2_00718630 | |
Source: | Code function: | 0_2_007186CB | |
Source: | Code function: | 0_2_0071897D | |
Source: | Code function: | 0_2_0071891E | |
Source: | Code function: | 0_2_00718A52 | |
Source: | Code function: | 0_2_00718A9D | |
Source: | Code function: | 0_2_00718B44 | |
Source: | Code function: | 0_2_00718C4A | |
Source: | Code function: | 0_2_00713EAC |
Source: | Queries volume information: |
Source: | Code function: | 0_2_00707110 |
Source: | Key value queried: |
Source: | Binary or memory string: |
Source: | WMI Queries: |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | Directory queried: |
Source: | Directory queried: |
Source: | Directory queried: |
Source: | Directory queried: |
Source: | Directory queried: |
Source: | Directory queried: |
Source: | Directory queried: |
Source: | Directory queried: |
Source: | Directory queried: |
Source: | Directory queried: |
Source: | Directory queried: |
Source: | Directory queried: |
Source: | Directory queried: |
Source: | Directory queried: |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 211 Process Injection | 11 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 211 Process Injection | LSASS Memory | 1 Query Registry | Remote Desktop Protocol | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 141 Security Software Discovery | SMB/Windows Admin Shares | 41 Data from Local System | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 11 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 11 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 33 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 37% | Virustotal | | Browse |
| 100% | Joe Sandbox ML | | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
wordyfindy.lat | 104.21.19.35 | true | true | unknown | |
bellflamre.click | unknown | unknown | false | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | unknown | |||
false | high | |||
false | high | |||
false | high | |||
false | unknown | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | unknown | |||
false | unknown | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | unknown | |||
false | high | |||
false | high |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
104.21.19.35 | wordyfindy.lat | United States | 13335 | CLOUDFLARENETUS | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1579555 |
Start date and time: | 2024-12-23 00:11:05 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 58s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 6 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | external.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@4/1@2/1 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description |
---|---|---|
18:11:58 | API Interceptor |
Match | Detection | Threat Name |
---|---|---|
104.21.19.35 | malicious | Unknown |
Match | Detection | Threat Name |
---|---|---|
CLOUDFLARENETUS | malicious | RHADAMANTHYS |
| malicious | LummaC |
| malicious | LummaC |
| malicious | LummaC |
| malicious | LummaC |
| malicious | Mirai |
| malicious | LummaC |
| malicious | HTMLPhisher |
| malicious | Mirai |
| malicious | Unknown |
Match | Detection | Threat Name |
---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | malicious | LummaC |
| malicious | LummaC |
| malicious | LummaC |
| malicious | LummaC |
| malicious | LummaC |
| malicious | LummaC |
| malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc |
| malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar |
Process: | C:\Users\user\Desktop\external.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:L:L |
MD5: | 7B8B965AD4BCA0E41AB51DE7B31363A1 |
SHA1: | D1854CAE891EC7B29161CCAF79A24B00C274BDAA |
SHA-256: | 1B16B1DF538BA12DC3F97EDBB85CAA7050D46C148134290FEBA80F8236C83DB9 |
SHA-512: | 917148EC47923F2E0E3D73142AC4F94EC4C73078865BA6D29F0EA172CD6F4BF34DB699AF5C33535D3694D4AEF91A11F916004D0382F794448A8550623D34C985 |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 7.513055401926001 |
TrID: | |
File name: | external.exe |
File size: | 564'224 bytes |
MD5: | 88cd76e4609e50c6435ebc4771427d2c |
SHA1: | e86ece49d9d75aebf84e82ba5886014d2a6e302e |
SHA256: | 42011c4da8ac276fb88efb72aacf717bc57878f5e9a70b9994e4c224c46800bd |
SHA512: | caf707d10213469be757665c13b3233250a609096e9b5492e136b93146bcb1c1e473c82d52c1c643f703838f7b00cbc80f90d6448c35a282d468656bf181fe77 |
SSDEEP: | 12288:gRIomkRJWzi7X+UeyZAHoX+Rmo/RE1rKIwx6:ge/kRJWzib+UnAHoX+Rmo/RCrLw |
TLSH: | 71C4D1117550C073DD6721B364BADB6A462DFA200B626ACFA7480DBDDF352C1AB31B27 |
File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....hg.........."......(...........p............@.................................Z.....@.....................................<.. |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x4170bb |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x676819F1 [Sun Dec 22 13:53:53 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 1f5f01fd52677b24724028ad24992aa9 |
Instruction | Note |
---|---|
call 00007F6AF952DB6Ah | entry point: the MSVC CRT start-up stub first calls the security-cookie initializer (the routine that follows) |
jmp 00007F6AF952D9D9h | then jumps into the CRT main routine (inferred from the standard mainCRTStartup shape) |
mov ecx, dword ptr [00440700h] | load the current __security_cookie (location inferred from its use below) |
push esi | |
push edi | |
mov edi, BB40E64Eh | 0xBB40E64E is the MSVC default /GS security cookie |
mov esi, FFFF0000h | mask for the cookie's upper 16 bits |
cmp ecx, edi | cookie still the default? |
je 00007F6AF952DB66h | yes: generate a new one |
test esi, ecx | upper word already nonzero? |
jne 00007F6AF952DB88h | yes: keep the existing cookie |
call 00007F6AF952DB91h | gather entropy (the routine below) |
mov ecx, eax | |
cmp ecx, edi | |
jne 00007F6AF952DB69h | |
mov ecx, BB40E64Fh | fallback if the generated value collides with the default |
jmp 00007F6AF952DB70h | |
test esi, ecx | |
jne 00007F6AF952DB6Ch | |
or eax, 00004711h | |
shl eax, 10h | force a nonzero upper word |
or ecx, eax | |
mov dword ptr [00440700h], ecx | store __security_cookie |
not ecx | |
pop edi | |
mov dword ptr [00440740h], ecx | store __security_cookie_complement |
pop esi | |
ret | |
push ebp | cookie entropy routine: XOR of system time, process and thread id, performance counter and a stack address |
mov ebp, esp | |
sub esp, 14h | |
lea eax, dword ptr [ebp-0Ch] | |
xorps xmm0, xmm0 | |
push eax | |
movlpd qword ptr [ebp-0Ch], xmm0 | zero an 8-byte FILETIME on the stack |
call dword ptr [0043D914h] | GetSystemTimeAsFileTime(&ft) (import name inferred from the call pattern; all four APIs are in the import list) |
mov eax, dword ptr [ebp-08h] | |
xor eax, dword ptr [ebp-0Ch] | high ^ low dword of the FILETIME |
mov dword ptr [ebp-04h], eax | |
call dword ptr [0043D8CCh] | GetCurrentProcessId (inferred) |
xor dword ptr [ebp-04h], eax | |
call dword ptr [0043D8C8h] | GetCurrentThreadId (inferred) |
xor dword ptr [ebp-04h], eax | |
lea eax, dword ptr [ebp-14h] | |
push eax | |
call dword ptr [0043D964h] | QueryPerformanceCounter(&ctr) (inferred) |
mov eax, dword ptr [ebp-10h] | |
lea ecx, dword ptr [ebp-04h] | |
xor eax, dword ptr [ebp-14h] | high ^ low dword of the counter |
xor eax, dword ptr [ebp-04h] | |
xor eax, ecx | mixed with the address of the local, an ASLR-dependent term |
leave | |
ret | |
mov eax, 00004000h | |
ret | |
push 00441E50h | |
call dword ptr [0043D93Ch] | |
ret | |
push 00030000h | |
push 00010000h | |
push 00000000h | |
call 00007F6AF9535198h | |
add esp, 0Ch | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3d6b4 | 0x3c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8e000 | 0x3e8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x44000 | 0x2324 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x39968 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x35cf8 | 0xc0 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3d860 | 0x170 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x326cc | 0x32800 | ccc71f71555262d04b28eeb13f33c694 | False | 0.5078125 | data | 6.449171689149143 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x34000 | 0xad9c | 0xae00 | 265ca2e098c45dacae5fa86d5b3aa7cb | False | 0.4167789152298851 | locale data table | 4.866718139159974 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x3f000 | 0x3618 | 0x2600 | 34a18fbac611bd450c331e8e8b0fc570 | False | 0.31270559210526316 | data | 5.125689677633356 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0x43000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.reloc | 0x44000 | 0x2324 | 0x2400 | a5356144ed5fdf31d774488bfaa21264 | False | 0.7392578125 | data | 6.496424389763303 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.bss | 0x47000 | 0x47000 | 0x47000 | 3012423acc5a2286fca531663b8ae4f8 | False | 1.0003301056338028 | OpenPGP Secret Key | 7.999411323179124 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x8e000 | 0x3e8 | 0x400 | 35e84f3f24c06d757c32542e07bb3560 | False | 0.43359375 | data | 3.2859175893892143 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
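The section table above is the strongest static indicator in this report: `.bss` is a section the loader normally zero-fills, yet here it carries 0x47000 raw bytes with 7.999 bits/byte of entropy and a ZLIB Complexity above 1.0, and libmagic's "OpenPGP Secret Key" guess is just what random-looking bytes produce. The script below is an added example, not Joe Sandbox code: it recomputes the two statistics the table shows (8-bit Shannon entropy and compressed-over-raw size) and applies the three heuristics that single out that section. The sections it runs on are constructed stand-ins shaped like this sample's layout, not the bytes of external.exe, and the thresholds are assumptions.

```python
from __future__ import annotations

import math
import random
import zlib
from dataclasses import dataclass


@dataclass
class Section:
    """One PE section: header fields plus the raw bytes stored in the file."""
    name: str
    virtual_size: int
    raw_size: int
    data: bytes
    writable: bool = False


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """zlib-compressed size over raw size (the report's 'ZLIB Complexity').
    Values at or above 1.0 mean the bytes are incompressible: encrypted or random."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


# Assumed thresholds; tune them against a clean-sample corpus before alerting on them.
ENTROPY_PACKED = 7.0                  # bits/byte; compiled x86 code usually sits near 6-6.5
RATIO_INCOMPRESSIBLE = 0.95
NORMALLY_UNINITIALIZED = {".bss"}     # the loader zero-fills these; raw bytes are abnormal


def triage_section(sec: Section) -> dict:
    """Statistics for one section plus the reasons (if any) it looks like a packed payload."""
    ent = shannon_entropy(sec.data)
    ratio = zlib_complexity(sec.data)
    reasons = []
    if ent >= ENTROPY_PACKED:
        reasons.append("high entropy")
    if ratio >= RATIO_INCOMPRESSIBLE:
        reasons.append("incompressible")
    if sec.name.lower() in NORMALLY_UNINITIALIZED and sec.raw_size > 0:
        reasons.append("raw bytes in a normally uninitialized section")
    if sec.writable and ent >= ENTROPY_PACKED:
        reasons.append("writable high-entropy section (decrypt-in-place candidate)")
    return {"name": sec.name, "entropy": round(ent, 3),
            "zlib_ratio": round(ratio, 3), "reasons": reasons}


def triage(sections: list[Section]) -> list[dict]:
    """Return findings only for sections that tripped at least one heuristic."""
    return [r for r in (triage_section(s) for s in sections) if r["reasons"]]


def constructed_sections() -> list[Section]:
    """Constructed stand-ins mirroring this sample's layout; not the bytes of external.exe."""
    rng = random.Random(1)                                    # deterministic 'encrypted' blob
    blob = bytes(rng.getrandbits(8) for _ in range(0x8000))
    code = b"\x55\x8b\xec\x83\xec\x14\x8b\x45\x08\x5d\xc3" * 1000   # repetitive code-like bytes
    return [
        Section(".text", 0x326cc, 0x32800, code),
        Section(".tls", 0x9, 0x200, b"\x00" * 0x200, writable=True),
        Section(".bss", 0x47000, 0x47000, blob, writable=True),
    ]


if __name__ == "__main__":
    for finding in triage(constructed_sections()):
        print(finding)
```

Only the constructed `.bss` stand-in is reported; `.text` is compressible and `.tls` is all zeros, matching the 0.02 entropy the table shows for the real one. The same `shannon_entropy` gives 0.0 for the 1-byte dropped file listed earlier in this report. Real binaries are read with a PE parser (pefile's `SectionHeader` objects expose the same name, sizes, data and characteristics), which this example omits to stay self-contained.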
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0x8e058 | 0x390 | data | English | United States | 0.4517543859649123 |
DLL | Import |
---|---|
KERNEL32.dll | AcquireSRWLockExclusive, CloseHandle, CloseThreadpoolWork, CompareStringW, CreateFileW, CreateThreadpoolWork, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryWhenCallbackReturns, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitOnceBeginInitialize, InitOnceComplete, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, SubmitThreadpoolWork, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile |
USER32.dll | DefWindowProcW |
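The import table is pure C runtime plus one USER32 stub: no socket, HTTP, registry or crypto imports, which is consistent with the real payload being unpacked from `.bss` and resolving its APIs at run time. The Import Hash above is computed from this table. The following added example (not Joe Sandbox or pefile code) shows how that hash is formed, following the convention pefile popularized: lowercase `dll-without-extension.function` entries joined with commas in import-table order, then MD5. The import lists are constructed; note that the DLL/Import table above is alphabetized for display, so feeding it in that order will not reproduce `1f5f01fd52677b24724028ad24992aa9`, because imphash depends on the on-disk IAT order.

```python
import hashlib
from typing import Iterable, List, Sequence, Tuple, Union

ImportName = Union[str, int]            # a function name, or an ordinal number
STRIPPED_EXTENSIONS = ("dll", "ocx", "sys")


def normalize_dll(dll: str) -> str:
    """Lowercase the module name and drop a .dll/.ocx/.sys extension."""
    name = dll.lower()
    base, dot, ext = name.rpartition(".")
    return base if dot and ext in STRIPPED_EXTENSIONS else name


def import_string(imports: Iterable[Tuple[str, Sequence[ImportName]]]) -> str:
    """Canonical comma-joined string, in the order the import table lists entries.
    Ordinal imports become 'ordN' (pefile additionally maps known ws2_32/oleaut32
    ordinals back to names; this example keeps the plain 'ordN' form)."""
    parts: List[str] = []
    for dll, funcs in imports:
        lib = normalize_dll(dll)
        for f in funcs:
            func = f"ord{f}" if isinstance(f, int) else f.lower()
            parts.append(f"{lib}.{func}")
    return ",".join(parts)


def imphash(imports: Iterable[Tuple[str, Sequence[ImportName]]]) -> str:
    """MD5 of the canonical import string."""
    return hashlib.md5(import_string(imports).encode("ascii")).hexdigest()


# Constructed, IAT-ordered list using a few of this sample's real import names.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", ["GetProcAddress", "LoadLibraryExW", "ExitProcess"]),
    ("USER32.dll", ["DefWindowProcW"]),
]

# Same imports, different order: a different hash, which is why the alphabetized
# display list in the report cannot be used to recompute its Import Hash.
REORDERED_IMPORTS = [
    ("KERNEL32.dll", ["ExitProcess", "GetProcAddress", "LoadLibraryExW"]),
    ("USER32.dll", ["DefWindowProcW"]),
]

if __name__ == "__main__":
    print(import_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS), imphash(REORDERED_IMPORTS))
```

Because only a CRT skeleton is imported, the imphash here clusters the sample with everything built from the same compiler and CRT configuration rather than with Lumma specifically; the context table for the JA3 fingerprint is a better pivot for this family than the imphash.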
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-23T00:11:58.949369+0100 | 2058212 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bellflamre .click) | 1 | 192.168.2.4 | 56647 | 1.1.1.1 | 53 | UDP |
2024-12-23T00:12:00.721501+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49730 | 104.21.19.35 | 443 | TCP |
2024-12-23T00:12:01.470847+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49730 | 104.21.19.35 | 443 | TCP |
2024-12-23T00:12:01.470847+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49730 | 104.21.19.35 | 443 | TCP |
2024-12-23T00:12:02.708743+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 104.21.19.35 | 443 | TCP |
2024-12-23T00:12:03.527568+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49731 | 104.21.19.35 | 443 | TCP |
2024-12-23T00:12:03.527568+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49731 | 104.21.19.35 | 443 | TCP |
2024-12-23T00:12:05.137214+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49732 | 104.21.19.35 | 443 | TCP |
2024-12-23T00:12:18.646834+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49735 | 104.21.19.35 | 443 | TCP |
2024-12-23T00:12:20.849251+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49738 | 104.21.19.35 | 443 | TCP |
2024-12-23T00:12:23.461200+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49740 | 104.21.19.35 | 443 | TCP |
2024-12-23T00:12:24.539100+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49740 | 104.21.19.35 | 443 | TCP |
2024-12-23T00:12:26.189139+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49742 | 104.21.19.35 | 443 | TCP |
2024-12-23T00:12:30.898745+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49743 | 104.21.19.35 | 443 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 23, 2024 00:11:59.492892027 CET | 49730 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:11:59.492985964 CET | 443 | 49730 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:11:59.493144989 CET | 49730 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:11:59.496069908 CET | 49730 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:11:59.496099949 CET | 443 | 49730 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:00.721265078 CET | 443 | 49730 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:00.721501112 CET | 49730 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:00.724653006 CET | 49730 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:00.724678040 CET | 443 | 49730 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:00.725018978 CET | 443 | 49730 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:00.773638010 CET | 49730 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:00.778047085 CET | 49730 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:00.778146029 CET | 49730 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:00.778361082 CET | 443 | 49730 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:01.470827103 CET | 443 | 49730 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:01.470926046 CET | 443 | 49730 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:01.470997095 CET | 49730 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:01.472656965 CET | 49730 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:01.472697973 CET | 443 | 49730 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:01.472726107 CET | 49730 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:01.472743988 CET | 443 | 49730 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:01.480031013 CET | 49731 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:01.480158091 CET | 443 | 49731 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:01.480264902 CET | 49731 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:01.480534077 CET | 49731 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:01.480587006 CET | 443 | 49731 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:02.708508015 CET | 443 | 49731 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:02.708743095 CET | 49731 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:02.709887981 CET | 49731 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:02.709923983 CET | 443 | 49731 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:02.710269928 CET | 443 | 49731 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:02.711586952 CET | 49731 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:02.711586952 CET | 49731 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:02.711688042 CET | 443 | 49731 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:03.527494907 CET | 443 | 49731 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:03.527537107 CET | 443 | 49731 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:03.527569056 CET | 443 | 49731 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:03.527606010 CET | 443 | 49731 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:03.527834892 CET | 49731 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:03.527834892 CET | 49731 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:03.527910948 CET | 443 | 49731 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:03.530150890 CET | 443 | 49731 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:03.530220985 CET | 49731 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:03.530239105 CET | 443 | 49731 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:03.538533926 CET | 443 | 49731 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:03.538621902 CET | 49731 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:03.538638115 CET | 443 | 49731 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:03.546912909 CET | 443 | 49731 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:03.547013044 CET | 49731 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:03.547027111 CET | 443 | 49731 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:03.601871014 CET | 49731 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:03.719222069 CET | 443 | 49731 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:03.723004103 CET | 443 | 49731 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:03.723037958 CET | 443 | 49731 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:03.723076105 CET | 49731 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:03.723104000 CET | 443 | 49731 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:03.723131895 CET | 443 | 49731 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:03.723164082 CET | 49731 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:03.723211050 CET | 49731 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:03.723426104 CET | 49731 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:03.723458052 CET | 443 | 49731 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:03.723486900 CET | 49731 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:03.723500967 CET | 443 | 49731 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:03.912153959 CET | 49732 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:03.912225962 CET | 443 | 49732 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:03.912343979 CET | 49732 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:03.912822962 CET | 49732 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:03.912841082 CET | 443 | 49732 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:05.137093067 CET | 443 | 49732 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:05.137213945 CET | 49732 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:05.139192104 CET | 49732 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:05.139218092 CET | 443 | 49732 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:05.140235901 CET | 443 | 49732 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:05.141633987 CET | 49732 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:05.141856909 CET | 49732 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:05.141916990 CET | 443 | 49732 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:05.142015934 CET | 49732 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:05.142030001 CET | 443 | 49732 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:17.299036026 CET | 443 | 49732 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:17.299345016 CET | 443 | 49732 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:17.299436092 CET | 49732 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:17.302747011 CET | 49732 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:17.302812099 CET | 443 | 49732 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:17.432063103 CET | 49735 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:17.432147026 CET | 443 | 49735 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:17.432243109 CET | 49735 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:17.432615042 CET | 49735 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:17.432647943 CET | 443 | 49735 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:18.646703959 CET | 443 | 49735 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:18.646833897 CET | 49735 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:18.648605108 CET | 49735 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:18.648637056 CET | 443 | 49735 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:18.648971081 CET | 443 | 49735 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:18.650268078 CET | 49735 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:18.650423050 CET | 49735 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:18.650466919 CET | 443 | 49735 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:19.440690041 CET | 443 | 49735 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:19.440932035 CET | 443 | 49735 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:19.441132069 CET | 49735 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:19.441132069 CET | 49735 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:19.627015114 CET | 49738 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:19.627042055 CET | 443 | 49738 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:19.627126932 CET | 49738 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:19.627515078 CET | 49738 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:19.627526045 CET | 443 | 49738 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:19.742419958 CET | 49735 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:19.742469072 CET | 443 | 49735 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:20.849184036 CET | 443 | 49738 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:20.849251032 CET | 49738 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:20.851979017 CET | 49738 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:20.851989031 CET | 443 | 49738 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:20.852901936 CET | 443 | 49738 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:20.861929893 CET | 49738 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:20.862041950 CET | 49738 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:20.862072945 CET | 443 | 49738 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:20.862159967 CET | 49738 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:20.862168074 CET | 443 | 49738 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:21.817790985 CET | 443 | 49738 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:21.818002939 CET | 443 | 49738 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:21.818264961 CET | 49738 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:21.818284988 CET | 49738 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:21.818296909 CET | 443 | 49738 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:22.246716976 CET | 49740 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:22.246836901 CET | 443 | 49740 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:22.246985912 CET | 49740 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:22.247466087 CET | 49740 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:22.247505903 CET | 443 | 49740 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:23.461127996 CET | 443 | 49740 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:23.461199999 CET | 49740 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:23.463130951 CET | 49740 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:23.463160038 CET | 443 | 49740 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:23.463435888 CET | 443 | 49740 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:23.475147009 CET | 49740 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:23.475236893 CET | 49740 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:23.475253105 CET | 443 | 49740 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:24.539091110 CET | 443 | 49740 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:24.539164066 CET | 443 | 49740 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:24.539226055 CET | 49740 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:24.539463043 CET | 49740 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:24.539501905 CET | 443 | 49740 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:24.966101885 CET | 49742 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:24.966169119 CET | 443 | 49742 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:24.966252089 CET | 49742 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:24.966532946 CET | 49742 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:24.966579914 CET | 443 | 49742 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:26.189026117 CET | 443 | 49742 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:26.189138889 CET | 49742 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:26.192596912 CET | 49742 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:26.192625999 CET | 443 | 49742 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:26.193262100 CET | 443 | 49742 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:26.223109961 CET | 49742 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:26.223795891 CET | 49742 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:26.223879099 CET | 443 | 49742 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:26.224014997 CET | 49742 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:26.224080086 CET | 443 | 49742 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:26.224208117 CET | 49742 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:26.224498034 CET | 443 | 49742 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:26.224663019 CET | 49742 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:26.224723101 CET | 443 | 49742 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:26.224911928 CET | 49742 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:26.224953890 CET | 443 | 49742 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:26.225142956 CET | 49742 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:26.225209951 CET | 49742 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:26.225255013 CET | 443 | 49742 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:26.225521088 CET | 49742 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:26.225588083 CET | 49742 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:26.225639105 CET | 443 | 49742 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:26.225934029 CET | 49742 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:26.226000071 CET | 49742 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:26.226037979 CET | 49742 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:26.271331072 CET | 443 | 49742 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:26.271567106 CET | 49742 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:26.271632910 CET | 49742 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:26.319338083 CET | 443 | 49742 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:26.319453001 CET | 49742 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:26.363357067 CET | 443 | 49742 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:26.476613998 CET | 443 | 49742 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:26.476830959 CET | 49742 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:26.476891041 CET | 443 | 49742 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:26.719999075 CET | 443 | 49742 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:29.937928915 CET | 443 | 49742 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:29.938163042 CET | 443 | 49742 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:29.938240051 CET | 49742 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:29.938370943 CET | 49742 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:29.938425064 CET | 443 | 49742 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:29.983300924 CET | 49743 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:29.983350992 CET | 443 | 49743 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:29.983437061 CET | 49743 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:29.983762980 CET | 49743 | 443 | 192.168.2.4 | 104.21.19.35 |
Dec 23, 2024 00:12:29.983778954 CET | 443 | 49743 | 104.21.19.35 | 192.168.2.4 |
Dec 23, 2024 00:12:30.898745060 CET | 49743 | 443 | 192.168.2.4 | 104.21.19.35 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 23, 2024 00:11:58.949368954 CET | 56647 | 53 | 192.168.2.4 | 1.1.1.1 |
Dec 23, 2024 00:11:59.163374901 CET | 53 | 56647 | 1.1.1.1 | 192.168.2.4 |
Dec 23, 2024 00:11:59.166223049 CET | 50389 | 53 | 192.168.2.4 | 1.1.1.1 |
Dec 23, 2024 00:11:59.485234976 CET | 53 | 50389 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Dec 23, 2024 00:11:58.949368954 CET | 192.168.2.4 | 1.1.1.1 | 0x2da0 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Dec 23, 2024 00:11:59.166223049 CET | 192.168.2.4 | 1.1.1.1 | 0x8c51 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Dec 23, 2024 00:11:59.163374901 CET | 1.1.1.1 | 192.168.2.4 | 0x2da0 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Dec 23, 2024 00:11:59.485234976 CET | 1.1.1.1 | 192.168.2.4 | 0x8c51 | No error (0) | | | 104.21.19.35 | A (IP address) | IN (0x0001) | false |
Dec 23, 2024 00:11:59.485234976 CET | 1.1.1.1 | 192.168.2.4 | 0x8c51 | No error (0) | | | 172.67.184.241 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.4 | 49730 | 104.21.19.35 | 443 | 7140 | C:\Users\user\Desktop\external.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-22 23:12:00 UTC | 261 | OUT | |
2024-12-22 23:12:00 UTC | 8 | OUT | |
2024-12-22 23:12:01 UTC | 1125 | IN | |
2024-12-22 23:12:01 UTC | 7 | IN | |
2024-12-22 23:12:01 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.4 | 49731 | 104.21.19.35 | 443 | 7140 | C:\Users\user\Desktop\external.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-22 23:12:02 UTC | 262 | OUT | |
2024-12-22 23:12:02 UTC | 54 | OUT | |
2024-12-22 23:12:03 UTC | 1129 | IN | |
2024-12-22 23:12:03 UTC | 240 | IN | |
2024-12-22 23:12:03 UTC | 1369 | IN | |
2024-12-22 23:12:03 UTC | 1369 | IN | |
2024-12-22 23:12:03 UTC | 1369 | IN | |
2024-12-22 23:12:03 UTC | 904 | IN | |
2024-12-22 23:12:03 UTC | 1369 | IN | |
2024-12-22 23:12:03 UTC | 1369 | IN | |
2024-12-22 23:12:03 UTC | 1369 | IN | |
2024-12-22 23:12:03 UTC | 1369 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.4 | 49732 | 104.21.19.35 | 443 | 7140 | C:\Users\user\Desktop\external.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-22 23:12:05 UTC | 278 | OUT | |
2024-12-22 23:12:05 UTC | 15331 | OUT | |
2024-12-22 23:12:05 UTC | 2827 | OUT | |
2024-12-22 23:12:17 UTC | 1141 | IN | |
2024-12-22 23:12:17 UTC | 20 | IN | |
2024-12-22 23:12:17 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.4 | 49735 | 104.21.19.35 | 443 | 7140 | C:\Users\user\Desktop\external.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-22 23:12:18 UTC | 279 | OUT | |
2024-12-22 23:12:18 UTC | 8791 | OUT | |
2024-12-22 23:12:19 UTC | 1123 | IN | |
2024-12-22 23:12:19 UTC | 20 | IN | |
2024-12-22 23:12:19 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.4 | 49738 | 104.21.19.35 | 443 | 7140 | C:\Users\user\Desktop\external.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-22 23:12:20 UTC | 278 | OUT | |
2024-12-22 23:12:20 UTC | 15331 | OUT | |
2024-12-22 23:12:20 UTC | 5101 | OUT | |
2024-12-22 23:12:21 UTC | 1141 | IN | |
2024-12-22 23:12:21 UTC | 20 | IN | |
2024-12-22 23:12:21 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.4 | 49740 | 104.21.19.35 | 443 | 7140 | C:\Users\user\Desktop\external.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-22 23:12:23 UTC | 276 | OUT | |
2024-12-22 23:12:23 UTC | 1244 | OUT | |
2024-12-22 23:12:24 UTC | 1127 | IN | |
2024-12-22 23:12:24 UTC | 20 | IN | |
2024-12-22 23:12:24 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.4 | 49742 | 104.21.19.35 | 443 | 7140 | C:\Users\user\Desktop\external.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-22 23:12:26 UTC | 273 | OUT | |
2024-12-22 23:12:26 UTC | 15331 | OUT | |
2024-12-22 23:12:26 UTC | 15331 | OUT | |
2024-12-22 23:12:26 UTC | 15331 | OUT | |
2024-12-22 23:12:26 UTC | 15331 | OUT | |
2024-12-22 23:12:26 UTC | 15331 | OUT | |
2024-12-22 23:12:26 UTC | 15331 | OUT | |
2024-12-22 23:12:26 UTC | 15331 | OUT | |
2024-12-22 23:12:26 UTC | 15331 | OUT | |
2024-12-22 23:12:26 UTC | 15331 | OUT | |
2024-12-22 23:12:26 UTC | 15331 | OUT | |
2024-12-22 23:12:29 UTC | 1147 | IN |
Target ID: | 0 |
Start time: | 18:11:57 |
Start date: | 22/12/2024 |
Path: | C:\Users\user\Desktop\external.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x6f0000 |
File size: | 564'224 bytes |
MD5 hash: | 88CD76E4609E50C6435EBC4771427D2C |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 18:11:57 |
Start date: | 22/12/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 2 |
Start time: | 18:11:57 |
Start date: | 22/12/2024 |
Path: | C:\Users\user\Desktop\external.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x6f0000 |
File size: | 564'224 bytes |
MD5 hash: | 88CD76E4609E50C6435EBC4771427D2C |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | true |
Execution Graph
Execution Coverage: | 10.2% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 3.4% |
Total number of Nodes: | 443 |
Total number of Limit Nodes: | 4 |
Graph
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
0072F19E | 42.3 | 10 | 14 | 295 | thread, injection, memory, COMMON |
007140F9 | 10.6 | 4 | 2 | 74 | COMMON, LIBRARYCODE |
006F1890 | 9.2 | 6 | | 162 | file, COMMON |
006F1730 | 5.3 | 2 | 1 | 81 | memory, COMMON |
006F50C0 | 3.6 | 1 | 1 | 50 | COMMON, LIBRARYCODE |
006F48C0 | 3.1 | 2 | | 72 | COMMON |
00714C19 | 3.1 | 2 | | 65 | COMMON |
006F1BA0 | 3.0 | 2 | | 28 | COMMON |
00713187 | 3.0 | 2 | | 22 | memory, COMMON, LIBRARYCODE |
00703A4A | 1.5 | 1 | | 48 | COMMON |
007131C1 | 1.5 | 1 | | 32 | memory, COMMON, LIBRARYCODE |
007008D0 | 1.5 | 1 | | 21 | COMMON |
00718B44 | 8.8 | 3 | 2 | 85 | COMMON, LIBRARYCODE |
00711250 | 6.5 | 4 | | 455 | COMMON |
00719126 | 6.2 | 4 | | 206 | file, COMMON |
00706528 | 6.1 | 4 | | 70 | COMMON |
00707110 | 6.0 | 4 | | 25 | time, thread, COMMON, LIBRARYCODE |
007186CB | 4.7 | 3 | | 205 | COMMON |
00713EAC | 3.5 | 1 | 1 | 24 | COMMON, LIBRARYCODE |
00706194 | 1.7 | 1 | | 242 | COMMON |
0070C040 | 1.6 | | 1 | 333 | COMMON |
0071897D | 1.6 | 1 | | 83 | COMMON |
0070AC41 | 1.6 | | 1 | 318 | COMMON |
00718A9D | 1.6 | 1 | | 63 | COMMON |
00718C4A | 1.5 | 1 | | 48 | COMMON |
0070651C | 1.5 | 1 | | 3 | COMMON |
00714ABC | 1.3 | 1 | | 5 | memory, COMMON |
006F1000 | .1 | | | 109 | COMMON |
006F16C0 | .0 | | | 15 | COMMON |
00721F22 | 12.2 | 8 | | 248 | COMMON |
00706A69 | 12.2 | 8 | | 177 | COMMON |
00716032 | 10.8 | 7 | | 329 | COMMON |
00712826 | 10.8 | 2 | 4 | 301 | COMMON, LIBRARYCODE |
00705C7F | 10.6 | 5 | 1 | 116 | thread, COMMON |
00702956 | 10.5 | 5 | 1 | 44 | COMMON, LIBRARYCODE |
0070CA3C | 10.5 | 3 | 3 | 42 | library, loader, COMMON, LIBRARYCODE |
00706CBB | 10.5 | 3 | 3 | 15 | library, loader, COMMON |
0071254D | 8.9 | 4 | 1 | 168 | COMMON, LIBRARYCODE |
007148CD | 7.7 | 5 | | 197 | COMMON |
007124B6 | 7.1 | 1 | 3 | 97 | COMMON, LIBRARYCODE |
0071DD31 | 7.0 | 3 | 1 | 27 | library, COMMON, LIBRARYCODE |
00718F03 | 6.1 | 4 | | 82 | COMMON |
007097A2 | 6.1 | 4 | | 79 | COMMON |
0071A2F9 | 6.1 | 4 | | 74 | COMMON |
00717AE3 | 5.4 | 2 | 1 | 191 | COMMON, LIBRARYCODE |
00712C4A | 5.4 | 1 | 2 | 112 | COMMON, LIBRARYCODE |
00702882 | 5.3 | 2 | 1 | 49 | COMMON, LIBRARYCODE |
006F51B0 | 5.3 | 2 | 1 | 31 | COMMON, LIBRARYCODE |
00706CEF | 5.3 | 2 | 1 | 27 | time, COMMON, LIBRARYCODE |
00713DAD | 5.3 | 1 | 2 | 22 | memory, COMMON |
Execution Graph
Execution Coverage: | 16.1% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 46.3% |
Total number of Nodes: | 529 |
Total number of Limit Nodes: | 43 |
Graph
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
00435AC0 | 33.9 | 11 | 8 | 698 | memory, com, COMMON |
0040B75E | 13.9 | | 11 | 190 | COMMON |
00408450 | 7.8 | 5 | | 257 | thread, COMMON |
0040CD9C | 4.0 | | 3 | 291 | COMMON |
00425B50 | 2.9 | | 2 | 372 | COMMON |
00439E70 | 1.5 | 1 | | 14 | library, COMMON |
0043D0E0 | 1.4 | | 1 | 137 | COMMON |
0043BC60 | 1.4 | | 1 | 100 | COMMON |
00438750 | .2 | | | 234 | COMMON |
0043A6D4 | .1 | | | 146 | COMMON |
0040E57F | 3.1 | 2 | | 120 | COMMON |
0040E2BB | 3.0 | 2 | | 26 | COMMON |
0043A09A | 3.0 | 2 | | 21 | COMMON |
00434907 | 1.5 | 1 | | 49 | COMMON |
00439DF0 | 1.5 | 1 | | 43 | memory, COMMON |
004307D2 | 1.5 | 1 | | 24 | COMMON |
0042E704 | 1.5 | 1 | | 23 | COMMON |
00438720 | 1.5 | 1 | | 15 | memory, COMMON |
00438700 | 1.5 | 1 | | 9 | memory, COMMON |
0042834D | 14.2 | | 11 | 463 | COMMON |
0041C0E0 | 10.6 | | 8 | 637 | COMMON |
00416B06 | 10.1 | | 7 | 1349 | COMMON |
00425079 | 7.9 | | 6 | 414 | COMMON |
00422232 | 5.7 | | 4 | 696 | COMMON |
0041C840 | 5.4 | | 4 | 413 | COMMON |
00427B00 | 4.1 | | 3 | 355 | COMMON |
00422F90 | 3.9 | | 3 | 143 | COMMON |
00421B60 | 1.7 | | 1 | 481 | COMMON |
00408090 | 1.5 | | 1 | 260 | COMMON |
0043B9B0 | 1.5 | | 1 | 221 | COMMON |
00428134 | 1.4 | | 1 | 185 | COMMON |
0042A9E8 | 1.4 | | 1 | 152 | COMMON |
0043D270 | 1.4 | | 1 | 142 | COMMON |
0042C9AF | .3 | | | 253 | COMMON |
0041EA50 | .2 | | | 204 | COMMON |
00408860 | .1 | | | 72 | COMMON |
0043AA2A | .1 | | | 65 | COMMON |
004331D0 | .1 | | | 64 | COMMON |
004298E0 | .1 | | | 63 | COMMON |
0040CB10 | .0 | | | 28 | COMMON |
0042891E | .0 | | | 9 | COMMON |