Windows Analysis Report: Adobe GenP 5.exe

Overview

General Information

Detection | Value
---|---
Score | 100
Range | 0 - 100
Whitelisted | false
Confidence | 100%

Analysis system: w10x64

Process tree (the extraction inserted spaces into the paths; reconstructed here):
- Adobe GenP 5.exe (PID 6000, cmdline "C:\Users\user\Desktop\Adobe GenP 5.exe", MD5 9CCE9D11869E1568A959515CD688F1F9)
  - BitLockerToGo.exe (PID 5448, cmdline "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe", MD5 A64BEAB5D4516BECA4C40B25DC0C1CD8)

The sample's name matches a widely shared Adobe activation crack, a common stealer lure; pivot on the MD5, not the filename. BitLockerToGo.exe is a legitimate Windows binary, and its presence in the tree together with the memory-written and process-created events in the HIPS section below is consistent with injection into a trusted host process.
Name | Description | Attribution | Blogpost URLs | Link
---|---|---|---|---
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been sold through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, then steals further sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that can deliver additional payloads as EXE, DLL, or PowerShell. | No Attribution | |

Extracted configuration (Malware Configuration Extractor output). Note that the "C2 url" key holds bare hostnames, not full URLs:

```json
{"C2 url": ["rapeflowwj.lat", "necklacebudi.lat", "grannyejh.lat", "discokeyus.lat", "icyidentifysu.click", "energyaffai.lat", "crosshuaht.lat", "aspecteirs.lat", "sustainskelet.lat"], "Build id": "LPnhqo--iycpjnafscfz"}
```
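As an added example (not part of the sandbox report), the following Python turns the extracted configuration above into an IOC set and runs it, together with the "TeslaBrowser/5.5" user agent named in the Lumma description, over a few constructed DNS and proxy log lines. The log formats and all log content are assumptions; only the hostnames, the build id and the user agent come from the report.

```python
"""Turn the extracted LummaC2 configuration into IOCs and run them over
constructed DNS and proxy log lines.  Added example; not part of the sandbox
report.  The log layouts below are assumed (hypothetical); the C2 list and
the "TeslaBrowser/5.5" user agent come from the report."""
import json
import re
from typing import Iterable

# Configuration exactly as printed by the report's Malware Configuration Extractor.
EXTRACTED_CONFIG = json.loads(
    '{"C2 url": ["rapeflowwj.lat", "necklacebudi.lat", "grannyejh.lat", '
    '"discokeyus.lat", "icyidentifysu.click", "energyaffai.lat", '
    '"crosshuaht.lat", "aspecteirs.lat", "sustainskelet.lat"], '
    '"Build id": "LPnhqo--iycpjnafscfz"}'
)
LUMMA_USER_AGENT = "TeslaBrowser/5.5"   # exfiltration UA named in the report


def c2_domains(config: dict) -> set[str]:
    """Normalise the C2 list: lower-case, strip any scheme or path."""
    out = set()
    for entry in config.get("C2 url", []):
        host = re.sub(r"^[a-z]+://", "", entry.strip().lower()).split("/")[0]
        out.add(host)
    return out


def domain_matches(qname: str, iocs: set[str]) -> bool:
    """True if qname equals an IOC or is a subdomain of one (cdn.c2.lat).
    A host that merely contains the string (c2.lat.example.net) is not a hit."""
    qname = qname.rstrip(".").lower()
    return any(qname == d or qname.endswith("." + d) for d in iocs)


# Constructed sample logs (not from the report).  Assumed field layout:
#   DNS:   <ts> <client> <qname> <qtype>
#   Proxy: <ts> <client> <method> <url> <status> "<user-agent>"
DNS_LOG = """\
2024-12-24T02:56:31Z 192.168.2.5 icyidentifysu.click A
2024-12-24T02:56:31Z 192.168.2.5 ocsp.digicert.com A
2024-12-24T02:56:40Z 192.168.2.9 cdn.aspecteirs.lat A
2024-12-24T02:56:41Z 192.168.2.9 aspecteirs.lat.example.net A
"""
PROXY_LOG = """\
2024-12-24T02:56:33Z 192.168.2.5 POST https://icyidentifysu.click/api 200 "TeslaBrowser/5.5"
2024-12-24T02:56:35Z 192.168.2.7 GET https://www.adobe.com/ 200 "Mozilla/5.0"
2024-12-24T02:57:01Z 192.168.2.7 POST https://intranet.example/upload 200 "TeslaBrowser/5.5"
"""


def scan_dns(lines: Iterable[str], iocs: set[str]) -> list[tuple[str, str]]:
    """Return (client, qname) pairs whose query hits a C2 domain."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        _ts, client, qname, _qtype = parts[:4]
        if domain_matches(qname, iocs):
            hits.append((client, qname))
    return hits


def scan_proxy(lines: Iterable[str], iocs: set[str]) -> list[tuple[str, str]]:
    """Return (client, reason) for requests to a C2 host or carrying the UA.
    The UA check only works where the proxy terminates TLS: the report shows
    the C2 sessions on tcp/443, so a passive sensor never sees the header."""
    hits = []
    pat = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d+) "([^"]*)"$')
    for line in lines:
        m = pat.match(line.strip())
        if not m:
            continue
        _ts, client, _method, url, _status, ua = m.groups()
        host = re.sub(r"^[a-z]+://", "", url.lower()).split("/")[0]
        if domain_matches(host, iocs):
            hits.append((client, "c2-host"))
        if ua == LUMMA_USER_AGENT:
            hits.append((client, "lumma-ua"))
    return hits


if __name__ == "__main__":
    iocs = c2_domains(EXTRACTED_CONFIG)
    print("DNS hits:  ", scan_dns(DNS_LOG.splitlines(), iocs))
    print("Proxy hits:", scan_proxy(PROXY_LOG.splitlines(), iocs))
```

The DNS matcher treats subdomains of a C2 host as hits but not hosts that merely embed the string, which is the usual false-positive trap with stealer domains on throwaway TLDs. The user-agent match is the weaker signal: it fires on the third proxy line even though that request goes to an internal host, so treat it as a lead to confirm, and remember that on the wire the C2 traffic here is TLS, where only the SNI and the JA3 fingerprint are visible.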
YARA matches on the initial sample (source column not preserved in this extract):

Rule | Description | Author
---|---|---
JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security

YARA matches on memory dumps and unpacked code (source column not preserved):

Rule | Description | Author
---|---|---
Msfpayloads_msf_9 | Metasploit Payloads - file msf.war - contents (matched twice) | Florian Roth
JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security

Msfpayloads_msf_9 is a generic payload-pattern rule; on its own it indicates shellcode-like content in memory, not that Metasploit was used, and should not be read as more than that without corroboration.
Suricata alerts (the report lists one table per SID; merged here and ordered by timestamp):

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
---|---|---|---|---|---|---|---|---
2024-12-24T02:56:31.907057+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49725 | 104.21.29.252 | 443 | TCP
2024-12-24T02:56:33.011243+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49725 | 104.21.29.252 | 443 | TCP
2024-12-24T02:56:33.011243+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49725 | 104.21.29.252 | 443 | TCP
2024-12-24T02:56:34.245323+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49736 | 104.21.29.252 | 443 | TCP
2024-12-24T02:56:35.029159+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49736 | 104.21.29.252 | 443 | TCP
2024-12-24T02:56:35.029159+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.5 | 49736 | 104.21.29.252 | 443 | TCP
2024-12-24T02:56:36.612569+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49742 | 104.21.29.252 | 443 | TCP
2024-12-24T02:56:37.510301+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49742 | 104.21.29.252 | 443 | TCP
2024-12-24T02:56:39.234144+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49748 | 104.21.29.252 | 443 | TCP
2024-12-24T02:56:43.540784+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49759 | 104.21.29.252 | 443 | TCP
2024-12-24T02:56:46.356781+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49765 | 104.21.29.252 | 443 | TCP
2024-12-24T02:56:48.876162+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49771 | 104.21.29.252 | 443 | TCP
2024-12-24T02:56:52.541408+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49781 | 104.21.29.252 | 443 | TCP
2024-12-24T02:57:00.470768+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49781 | 104.21.29.252 | 443 | TCP

All eight connections (one per source port) go to 104.21.29.252:443. Four of them carry a severity-1 alert after the generic severity-3 hit on the same flow; the other four only trigger the generic rule.
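Added example (mine, not the report's): the Suricata rows above correlated by TCP flow, so that the low-severity "Unknown Traffic" hits and the severity-1 C2 hits on the same connection are read together. The rows are copied from the alert tables; the parsing and the triage logic are my own assumptions about how to work them.

```python
"""Correlate the report's Suricata alerts by TCP flow.  Added example, not
part of the sandbox report; the rows are copied from the alert tables above,
the grouping and triage rules are mine."""
from collections import defaultdict
from dataclasses import dataclass

# Rows as printed in the report: timestamp | SID | severity | classtype |
# src ip | src port | dst ip | dst port | proto
ALERT_ROWS = """\
2024-12-24T02:56:31.907057+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49725 | 104.21.29.252 | 443 | TCP
2024-12-24T02:56:33.011243+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49725 | 104.21.29.252 | 443 | TCP
2024-12-24T02:56:33.011243+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49725 | 104.21.29.252 | 443 | TCP
2024-12-24T02:56:34.245323+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49736 | 104.21.29.252 | 443 | TCP
2024-12-24T02:56:35.029159+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49736 | 104.21.29.252 | 443 | TCP
2024-12-24T02:56:35.029159+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.5 | 49736 | 104.21.29.252 | 443 | TCP
2024-12-24T02:56:36.612569+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49742 | 104.21.29.252 | 443 | TCP
2024-12-24T02:56:37.510301+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49742 | 104.21.29.252 | 443 | TCP
2024-12-24T02:56:39.234144+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49748 | 104.21.29.252 | 443 | TCP
2024-12-24T02:56:43.540784+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49759 | 104.21.29.252 | 443 | TCP
2024-12-24T02:56:46.356781+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49765 | 104.21.29.252 | 443 | TCP
2024-12-24T02:56:48.876162+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49771 | 104.21.29.252 | 443 | TCP
2024-12-24T02:56:52.541408+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49781 | 104.21.29.252 | 443 | TCP
2024-12-24T02:57:00.470768+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49781 | 104.21.29.252 | 443 | TCP
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    sid: int
    severity: int
    classtype: str
    flow: tuple  # (src ip, src port, dst ip, dst port, proto)


def parse_alerts(text: str) -> list[Alert]:
    """Parse the pipe-separated rows; lines with the wrong arity are skipped."""
    alerts = []
    for line in text.splitlines():
        f = [c.strip() for c in line.split("|")]
        if len(f) != 9:
            continue
        alerts.append(Alert(f[0], int(f[1]), int(f[2]), f[3],
                            (f[4], int(f[5]), f[6], int(f[7]), f[8])))
    return alerts


def group_by_flow(alerts: list[Alert]) -> dict:
    """Map each 5-tuple to its alerts in time order (ISO timestamps sort as strings)."""
    flows = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.ts):
        flows[a.flow].append(a)
    return dict(flows)


def escalated_flows(flows: dict, max_sev: int = 1) -> dict:
    """Flows that opened with only the generic severity-3 hit and later raised
    an alert of severity <= max_sev.  These are the flows to pull the PCAP for;
    the rest only carry the informational rule."""
    out = {}
    for flow, evs in flows.items():
        if evs[0].severity == 3 and any(a.severity <= max_sev for a in evs[1:]):
            out[flow] = [a.sid for a in evs]
    return out


def c2_server_summary(alerts: list[Alert]) -> dict:
    """Distinct (dst ip, dst port) pairs with the number of client flows to each."""
    ports = defaultdict(set)
    for a in alerts:
        ports[(a.flow[2], a.flow[3])].add(a.flow[1])
    return {k: len(v) for k, v in ports.items()}


if __name__ == "__main__":
    alerts = parse_alerts(ALERT_ROWS)
    for flow, sids in escalated_flows(group_by_flow(alerts)).items():
        print(flow, "->", sids)
    print(c2_server_summary(alerts))
```

Keying on the full 5-tuple rather than on destination alone is what separates the four flows worth investigating from the four that only tripped the generic rule; keying on destination would lump all eight together and lose the escalation.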
AV Detection

Signature evidence from this heading up to the Networking heading (the signature names, the intermediate section headings and the detail cells were lost in extraction; only the evidence source and the hit count survive):
- Avira URL Cloud: 10 URL verdicts
- Malware Configuration Extractor: 1
- Virustotal: 1 (perma link)
- ReversingLabs: 1
- Integrated Neural Analysis Model: 1
- String decryptor: 15 decrypted strings
- Code function: 3_2_00416D93
- Static PE information: 1
- HTTPS traffic detected: 8
- Static PE information: 1
- Binary string: 2
- Code function: 82 hits on 66 functions, addresses as reported (all with the 3_2_ prefix): 0042A03C, 0040E2D5 (x2), 0040C37A, 004253A0 (x2), 0043C410, 0043A55A, 0042A749 (x2), 0042B771, 0042A80B (x2), 00439BE8, 0043CCD0, 0040DCA0, 00439F2D, 00429070, 0042B0DE (x2), 00429E89 (x2), 00439140, 00422154, 004221FE, 00409270, 00420273, 0040B215, 0040C2DA, 004282E8, 0041B2AA, 0043A35B, 00424330, 004153FC, 00421380 (x2), 00419490 (x3), 004074A0 (x2), 004245DE, 0042760C, 00438620, 00409630 (x2), 0041D6F0, 004256A0, 00432770, 00436770, 0043B720, 0040C830, 004298A0, 00405940 (x2), 004029D0, 004389F0 (x2), 0041CA40, 00408A50, 00428AF0, 00418BE7, 00426B8E, 00414C4E, 0041AC1D, 0040CCC5, 00417CE5, 00415CFC, 00414D45, 00427D4D (x2), 00439DD7, 00435E40 (x2), 00414D40, 00429ECA (x2), 00402F40, 00422F44, 00421F0E, 00421F10, 00408FE0
Networking

Signature evidence (names and detail cells lost in extraction; source and hit count survive):
- Suricata IDS: 6
- URLs: 9 (the count matches the nine C2 hosts in the extracted configuration)
- ASN Name: 1
- JA3 fingerprint: 1
- Suricata IDS: 8
- HTTP traffic detected: 8
- UDP traffic detected without corresponding DNS query: 1
- DNS traffic detected: 1
- HTTP traffic detected: 1
- String found in binary or memory: 47
- Network traffic detected: 16
- HTTPS traffic detected: 8 (one per source port in the Suricata table above)
System Summary

Signature evidence (names and detail cells lost in extraction; source and hit count survive):
- Matched rule: 2
- Code function: 66 functions, addresses as reported (all with the 3_2_ prefix): 0042A03C, 00435090, 00438110, 0040E2D5, 004253A0, 004353A0, 0043C410, 0040D49A, 00408690, 0042A749, 00420720, 0040B9AF, 0043CCD0, 0040CF2B, 00412010, 004340EF, 004160F1, 0041D170, 00409270, 0041C200, 00406230, 004282E8, 00404300, 0042D32A, 00421380, 0042E440, 00426400, 0042B429, 00419490, 004074A0, 0041D4B0, 00409630, 004066C0, 0041D6F0, 0043C6A0, 0041876C, 0040D738, 0041E7F0, 0041A790, 00434870, 0040C830, 004158D6, 00405940, 00403950, 0043395D, 0042A9C4, 004389F0, 0043C990, 0040A9B0, 0041CA40, 0042AA62, 00434AD0, 00418BE7, 00402B90, 0040FC0A, 00404C30, 00414D45, 0041CD60, 0042FD60, 00435E40, 00414D40, 00429ECA, 00405E90, 00402F40, 00408FE0, 00420FA0
- Binary or memory string: 1
- Static PE information: 1
- Matched rule: 2
- Classification label: 1
- Static PE information: 1
- Key opened: 1
- Binary or memory string: 1
- Virustotal: 1; ReversingLabs: 1
- String found in binary or memory: 1
- Process created: 3
- Section loaded: 41
- Static PE information: 1
- Static file information: 1
- Static PE information: 3
- Static PE information: 1
- Binary string: 2
- Static PE information: 1
- Code function: 3_2_0043B253
- Process information set: 4
Malware Analysis System Evasion

Signature evidence (names and detail cells lost in extraction; source and hit count survive):
- System information queried: 1
- Thread sleep time: 2
- WMI Queries: 1
- Binary or memory string: 36
- Process information queried: 1
- Code function: 3_2_00439AF0
HIPS / PFW / Operating System Protection Evasion

Signature evidence (names and detail cells lost in extraction; source and hit count survive):
- Memory allocated: 1
- Memory written: 1
- String found in binary or memory: 9
- Memory written: 6
- Process created: 1
- Queries volume information: 3
- Key value queried: 1
- Binary or memory string: 2
- WMI Queries: 1
Stealing of Sensitive Information

Signature evidence (names and detail cells lost in extraction; the file and directory paths did not survive, only the counts):
- File source: 3
- String found in binary or memory: 8
- File opened: 128, in three groups of 109, 7 and 12
- Directory queried: 14
- File source: 1
Remote Access Functionality

Signature evidence (names and detail cells lost in extraction):
- File source: 3
MITRE ATT&CK techniques with hits. The report renders the full matrix; cells without a hit counter are the matrix template and are omitted here. The leading digits are the report's hit counters, kept as rendered.
- Execution: 2 Windows Management Instrumentation; 2 Command and Scripting Interpreter; 1 PowerShell
- Persistence: 1 DLL Side-Loading
- Privilege Escalation: 311 Process Injection; 1 DLL Side-Loading
- Defense Evasion: 11 Virtualization/Sandbox Evasion; 311 Process Injection; 11 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 DLL Side-Loading
- Credential Access: 2 OS Credential Dumping
- Discovery: 121 Security Software Discovery; 11 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 File and Directory Discovery; 22 System Information Discovery
- Collection: 1 Archive Collected Data; 41 Data from Local System
- Command and Control: 21 Encrypted Channel; 2 Non-Application Layer Protocol; 113 Application Layer Protocol
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
Adobe GenP 5.exe | 38% | Virustotal | | Browse |
Adobe GenP 5.exe | 45% | ReversingLabs | Win32.Trojan.Generic | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
icyidentifysu.click | 104.21.29.252 | true | true | | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| false | | high |
| true | | unknown |
| false | | high |
| false | | high |
| false | | high |
| false | | high |
| false | | high |
| false | | high |
| false | | high |
| true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | high |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
104.21.29.252 | icyidentifysu.click | United States | | 13335 | CLOUDFLARENETUS | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1580154 |
Start date and time: | 2024-12-24 02:55:10 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 5s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 5 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | Adobe GenP 5.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@3/0@1/1 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target Adobe GenP 5.exe, PID 6000 because there are no executed functions
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description |
---|---|---|
20:56:31 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
104.21.29.252 | | | malicious | HTMLPhisher | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CLOUDFLARENETUS | | | malicious | LummaC | Browse | |
| | | malicious | LummaC | Browse | |
| | | malicious | LummaC | Browse | |
| | | malicious | LummaC Stealer | Browse | |
| | | malicious | LummaC | Browse | |
| | | malicious | LummaC | Browse | |
| | | malicious | LummaC | Browse | |
| | | malicious | LummaC | Browse | |
| | | malicious | LummaC | Browse | |
| | | malicious | LummaC | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | | | malicious | LummaC | Browse | |
| | | malicious | LummaC | Browse | |
| | | malicious | LummaC | Browse | |
| | | malicious | LummaC Stealer | Browse | |
| | | malicious | LummaC | Browse | |
| | | malicious | LummaC | Browse | |
| | | malicious | LummaC | Browse | |
| | | malicious | LummaC | Browse | |
| | | malicious | LummaC | Browse | |
| | | malicious | LummaC | Browse | |
File type: | |
Entropy (8bit): | 6.569633473475677 |
TrID: | |
File name: | Adobe GenP 5.exe |
File size: | 14'820'352 bytes |
MD5: | 9cce9d11869e1568a959515cd688f1f9 |
SHA1: | 98e048ba68a2aa5b2640f768dea8a6c6a4eb060c |
SHA256: | 8a83820f2b3d79812bf39f4171d7d70d44b4d7a137c0aa1603f7e195dfc5210f |
SHA512: | cb5caabe0fa3bb7cf87351ca04e87fbc02e28b538867cf181d66687de8be95a8ad46cae2f22dccc2ee04e7029d8b4b8251b49b017009f5ce6a7e58546a540147 |
SSDEEP: | 98304:AXtPdrxHwuf+HtWUOVZZB3wUi7cheilI1ei/sktpGJz5vo:Wnr+tWxjZBgUi74ktpGJz5 |
TLSH: | 42E68E50B6A7F8B5C25306F7044B0129B734EC8C6A148951F98CFA6CF7B2F65B4B2A35 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........................)..6......PN........U...@..........................`......g}....@................................ |
Icon Hash: | 0f42e0e8e4c040a0 |
Entrypoint: | 0x464e50 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x0 [Thu Jan 1 00:00:00 1970 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 1 |
File Version Major: | 6 |
File Version Minor: | 1 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 1 |
Import Hash: | 9cbefe68f395e67356e2a5d8d1b285c0 |
Instruction |
---|
jmp 00007F9B089B99C0h |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
mov ecx, dword ptr [esp+04h] |
sub esp, 28h |
mov dword ptr [esp+1Ch], ebx |
mov dword ptr [esp+10h], ebp |
mov dword ptr [esp+14h], esi |
mov dword ptr [esp+18h], edi |
mov esi, eax |
mov edx, dword ptr fs:[00000014h] |
cmp edx, 00000000h |
jne 00007F9B089BBCF9h |
mov eax, 00000000h |
jmp 00007F9B089BBD56h |
mov edx, dword ptr [edx+00000000h] |
cmp edx, 00000000h |
jne 00007F9B089BBCF7h |
call 00007F9B089BBDE9h |
mov dword ptr [esp+20h], edx |
mov dword ptr [esp+24h], esp |
mov ebx, dword ptr [edx+18h] |
mov ebx, dword ptr [ebx] |
cmp edx, ebx |
je 00007F9B089BBD0Ah |
mov ebp, dword ptr fs:[00000014h] |
mov dword ptr [ebp+00000000h], ebx |
mov edi, dword ptr [ebx+1Ch] |
sub edi, 28h |
mov dword ptr [edi+24h], esp |
mov esp, edi |
mov ebx, dword ptr [ecx] |
mov ecx, dword ptr [ecx+04h] |
mov dword ptr [esp], ebx |
mov dword ptr [esp+04h], ecx |
mov dword ptr [esp+08h], edx |
call esi |
mov eax, dword ptr [esp+0Ch] |
mov esp, dword ptr [esp+24h] |
mov edx, dword ptr [esp+20h] |
mov ebp, dword ptr fs:[00000014h] |
mov dword ptr [ebp+00000000h], edx |
mov edi, dword ptr [esp+18h] |
mov esi, dword ptr [esp+14h] |
mov ebp, dword ptr [esp+10h] |
mov ebx, dword ptr [esp+1Ch] |
add esp, 28h |
retn 0004h |
ret |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
mov ecx, dword ptr [esp+04h] |
mov edx, dword ptr [ecx] |
mov eax, esp |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xdf0000 | 0x3dc | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe14000 | 0x412a0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xdf1000 | 0x21ac0 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x560660 | 0xa0 | .data |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x29f545 | 0x29f600 | f14e48f7a797fa1bbe4f3f0e2f6d94b1 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x2a1000 | 0x2bd1fc | 0x2bd200 | eb579c62a5b1d2909ba79696bedddf45 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x55f000 | 0x890228 | 0x862200 | 286aa978e6ebb31fef951f56b98a82d4 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0xdf0000 | 0x3dc | 0x400 | 2a3e82e76cbe9aa150cbc3daef96d04e | False | 0.4873046875 | data | 4.597883782143737 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.reloc | 0xdf1000 | 0x21ac0 | 0x21c00 | be2139855029bfc5b05153ff9dc7f084 | False | 0.5820384837962963 | data | 6.630531076404684 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.symtab | 0xe13000 | 0x4 | 0x200 | 07b5472d347d42780469fb2654b7fc54 | False | 0.02734375 | data | 0.020393135236084953 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.rsrc | 0xe14000 | 0x412a0 | 0x41400 | 898e3bcb4e48ddc3e11daa3de7454f65 | False | 0.3349459710249042 | data | 5.36012129893166 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0xe14184 | 0x40768 | Device independent bitmap graphic, 256 x 500 x 32, image size 256000 | | | 0.3333320708983487 |
RT_GROUP_ICON | 0xe548ec | 0x14 | data | | | 1.2 |
RT_VERSION | 0xe54900 | 0x374 | data | | | 0.43891402714932126 |
RT_MANIFEST | 0xe54c74 | 0x62c | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4240506329113924 |
DLL | Import |
---|---|
kernel32.dll | WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-24T02:56:31.907057+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49725 | 104.21.29.252 | 443 | TCP |
2024-12-24T02:56:33.011243+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49725 | 104.21.29.252 | 443 | TCP |
2024-12-24T02:56:33.011243+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49725 | 104.21.29.252 | 443 | TCP |
2024-12-24T02:56:34.245323+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49736 | 104.21.29.252 | 443 | TCP |
2024-12-24T02:56:35.029159+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.5 | 49736 | 104.21.29.252 | 443 | TCP |
2024-12-24T02:56:35.029159+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49736 | 104.21.29.252 | 443 | TCP |
2024-12-24T02:56:36.612569+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49742 | 104.21.29.252 | 443 | TCP |
2024-12-24T02:56:37.510301+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.5 | 49742 | 104.21.29.252 | 443 | TCP |
2024-12-24T02:56:39.234144+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49748 | 104.21.29.252 | 443 | TCP |
2024-12-24T02:56:43.540784+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49759 | 104.21.29.252 | 443 | TCP |
2024-12-24T02:56:46.356781+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49765 | 104.21.29.252 | 443 | TCP |
2024-12-24T02:56:48.876162+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49771 | 104.21.29.252 | 443 | TCP |
2024-12-24T02:56:52.541408+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49781 | 104.21.29.252 | 443 | TCP |
2024-12-24T02:57:00.470768+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49781 | 104.21.29.252 | 443 | TCP |
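The alert table shows the pattern a SOC analyst should expect from this sample. The JA3 rule (SID 2028371, severity 3) fires on every one of the eight TLS flows, because a JA3 hash fingerprints the client's TLS stack, not the malware family, and the same hash is shared by unrelated software linking that stack. The family-specific rules (severity 1) confirm only four flows: 49725 and 49736 (CnC host check-in), 49742 (the ET exfiltration rule at 02:56:37, which is the session carrying the 12800-byte outbound body in the HTTPS session list) and 49781 (a final check-in at 02:57:00). Two further caveats: all of these sessions are opened by BitLockerToGo.exe (PID 5448), the Windows binary the dropper injected into, so a process-name allowlist does not help; and 104.21.29.252 is a Cloudflare anycast address (ASN 13335) that the domain resolved to alongside 172.67.150.24, so blocking the IP would hit unrelated Cloudflare-fronted sites and the durable indicator is the hostname. The script below is an added example, not part of the Joe Sandbox report or of Suricata: ALERTS is transcribed from the table above, while the per-flow rating, the host-level roll-up and the SNI rule template are the example's own.

```python
"""Per-flow correlation of the IDS alerts in the report (added example).

ALERTS is transcribed from the report's IDS table; the rating logic and the
Suricata rule template are this example's own, not Suricata's or Joe Sandbox's.
"""
from collections import defaultdict

JA3 = "ET JA3 Hash - Possible Malware - Fake Firefox Font Update"
# (timestamp, sid, signature, severity, src_ip, src_port, dst_ip, dst_port)
ALERTS = [
    ("2024-12-24T02:56:31.907057+0100", 2028371, JA3, 3, "192.168.2.5", 49725, "104.21.29.252", 443),
    ("2024-12-24T02:56:33.011243+0100", 2049836, "ET MALWARE Lumma Stealer Related Activity", 1, "192.168.2.5", 49725, "104.21.29.252", 443),
    ("2024-12-24T02:56:33.011243+0100", 2054653, "ET MALWARE Lumma Stealer CnC Host Checkin", 1, "192.168.2.5", 49725, "104.21.29.252", 443),
    ("2024-12-24T02:56:34.245323+0100", 2028371, JA3, 3, "192.168.2.5", 49736, "104.21.29.252", 443),
    ("2024-12-24T02:56:35.029159+0100", 2049812, "ET MALWARE Lumma Stealer Related Activity M2", 1, "192.168.2.5", 49736, "104.21.29.252", 443),
    ("2024-12-24T02:56:35.029159+0100", 2054653, "ET MALWARE Lumma Stealer CnC Host Checkin", 1, "192.168.2.5", 49736, "104.21.29.252", 443),
    ("2024-12-24T02:56:36.612569+0100", 2028371, JA3, 3, "192.168.2.5", 49742, "104.21.29.252", 443),
    ("2024-12-24T02:56:37.510301+0100", 2048094, "ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration", 1, "192.168.2.5", 49742, "104.21.29.252", 443),
    ("2024-12-24T02:56:39.234144+0100", 2028371, JA3, 3, "192.168.2.5", 49748, "104.21.29.252", 443),
    ("2024-12-24T02:56:43.540784+0100", 2028371, JA3, 3, "192.168.2.5", 49759, "104.21.29.252", 443),
    ("2024-12-24T02:56:46.356781+0100", 2028371, JA3, 3, "192.168.2.5", 49765, "104.21.29.252", 443),
    ("2024-12-24T02:56:48.876162+0100", 2028371, JA3, 3, "192.168.2.5", 49771, "104.21.29.252", 443),
    ("2024-12-24T02:56:52.541408+0100", 2028371, JA3, 3, "192.168.2.5", 49781, "104.21.29.252", 443),
    ("2024-12-24T02:57:00.470768+0100", 2054653, "ET MALWARE Lumma Stealer CnC Host Checkin", 1, "192.168.2.5", 49781, "104.21.29.252", 443),
]
LOW_FIDELITY_SIDS = {2028371}  # JA3 rules fingerprint a TLS stack, not this family


def correlate(alerts):
    """Group alerts by 5-tuple and rate each flow: confirmed if a severity-1
    (family-specific) rule hit it, weak if only JA3 did, suspicious otherwise."""
    flows = defaultdict(list)
    for a in alerts:
        flows[(a[4], a[5], a[6], a[7])].append(a)
    verdicts = {}
    for key, hits in flows.items():
        sids = {h[1] for h in hits}
        strong = sorted({h[2] for h in hits if h[3] == 1})
        if strong:
            level = "confirmed"
        elif sids - LOW_FIDELITY_SIDS:
            level = "suspicious"
        else:
            level = "weak"
        verdicts[key] = {"level": level, "sids": sorted(sids),
                         "first_seen": min(h[0] for h in hits), "rules": strong}
    return verdicts


def host_verdict(verdicts):
    """Collapse flows to (src, dst, dport): one confirmed flow taints the pair,
    so the JA3-only flows to the same destination inherit the verdict."""
    pairs = defaultdict(list)
    for (src, _sport, dst, dport), v in verdicts.items():
        pairs[(src, dst, dport)].append(v["level"])
    return {k: ("block" if "confirmed" in lv else "review") for k, lv in pairs.items()}


def sni_rule(domain, sid):
    """Suricata (5+) rule on the TLS SNI: match the C2 hostname rather than
    the shared Cloudflare address it happens to resolve to today."""
    return (f'alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"Lumma C2 SNI {domain}"; '
            f'tls.sni; content:"{domain}"; nocase; endswith; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    v = correlate(ALERTS)
    for (src, sport, dst, dport), info in sorted(v.items(), key=lambda kv: kv[1]["first_seen"]):
        print(f"{src}:{sport} -> {dst}:{dport}  {info['level']:<10} sids={info['sids']}")
    print(host_verdict(v))
    print(sni_rule("icyidentifysu.click", 9000001))
```

Run stand-alone it prints four confirmed and four weak flows, a single "block" verdict for the 192.168.2.5 to 104.21.29.252:443 pair, and a rule for the contacted domain; the same SNI template applies to the other hostnames in the sample's configuration, and a matching `dns.query` rule catches the lookup that precedes the TLS handshake.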
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 24, 2024 02:56:30.689531088 CET | 49725 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:30.689578056 CET | 443 | 49725 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:30.689654112 CET | 49725 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:30.690819025 CET | 49725 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:30.690835953 CET | 443 | 49725 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:31.906970024 CET | 443 | 49725 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:31.907057047 CET | 49725 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:31.931040049 CET | 49725 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:31.931058884 CET | 443 | 49725 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:31.931257010 CET | 443 | 49725 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:31.972542048 CET | 49725 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:32.265635967 CET | 49725 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:32.265672922 CET | 49725 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:32.265707016 CET | 443 | 49725 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:33.011248112 CET | 443 | 49725 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:33.011318922 CET | 443 | 49725 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:33.011445045 CET | 49725 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:33.016627073 CET | 49725 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:33.016640902 CET | 443 | 49725 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:33.031878948 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:33.031905890 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:33.032005072 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:33.032958031 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:33.032982111 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:34.245105982 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:34.245322943 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:34.246635914 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:34.246644974 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:34.246968985 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:34.248270035 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:34.248296022 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:34.248343945 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:35.029165983 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:35.029567957 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:35.029669046 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:35.029731035 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:35.030335903 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:35.030487061 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:35.030503035 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:35.039799929 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:35.039890051 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:35.039906979 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:35.048103094 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:35.048151970 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:35.048157930 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:35.097558022 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:35.097574949 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:35.144407034 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:35.148699999 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:35.191446066 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:35.221069098 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:35.225117922 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:35.225270987 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:35.225302935 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:35.225347042 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:35.225374937 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:35.225404978 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:35.225436926 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:35.225599051 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:35.225629091 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:35.225652933 CET | 49736 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:35.225665092 CET | 443 | 49736 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:35.397927999 CET | 49742 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:35.398044109 CET | 443 | 49742 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:35.398135900 CET | 49742 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:35.398471117 CET | 49742 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:35.398508072 CET | 443 | 49742 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:36.612453938 CET | 443 | 49742 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:36.612569094 CET | 49742 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:36.614053011 CET | 49742 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:36.614065886 CET | 443 | 49742 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:36.614389896 CET | 443 | 49742 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:36.615530968 CET | 49742 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:36.615673065 CET | 49742 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:36.615710974 CET | 443 | 49742 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:37.510270119 CET | 443 | 49742 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:37.510373116 CET | 443 | 49742 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:37.510437012 CET | 49742 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:37.513070107 CET | 49742 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:37.513103008 CET | 443 | 49742 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:38.019917011 CET | 49748 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:38.020005941 CET | 443 | 49748 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:38.020104885 CET | 49748 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:38.020440102 CET | 49748 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:38.020478010 CET | 443 | 49748 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:39.234057903 CET | 443 | 49748 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:39.234143972 CET | 49748 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:39.235305071 CET | 49748 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:39.235326052 CET | 443 | 49748 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:39.235650063 CET | 443 | 49748 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:39.236694098 CET | 49748 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:39.236852884 CET | 49748 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:39.236893892 CET | 443 | 49748 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:39.236953974 CET | 49748 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:39.279382944 CET | 443 | 49748 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:42.099302053 CET | 443 | 49748 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:42.099406958 CET | 443 | 49748 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:42.099466085 CET | 49748 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:42.101422071 CET | 49748 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:42.101454973 CET | 443 | 49748 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:42.324596882 CET | 49759 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:42.324639082 CET | 443 | 49759 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:42.324744940 CET | 49759 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:42.325206995 CET | 49759 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:42.325222015 CET | 443 | 49759 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:43.540719032 CET | 443 | 49759 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:43.540783882 CET | 49759 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:43.542107105 CET | 49759 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:43.542121887 CET | 443 | 49759 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:43.542335033 CET | 443 | 49759 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:43.543488026 CET | 49759 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:43.543678045 CET | 49759 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:43.543709040 CET | 443 | 49759 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:43.543791056 CET | 49759 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:43.543811083 CET | 443 | 49759 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:44.790678978 CET | 443 | 49759 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:44.790766001 CET | 443 | 49759 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:44.790911913 CET | 49759 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:44.791040897 CET | 49759 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:44.791055918 CET | 443 | 49759 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:45.141987085 CET | 49765 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:45.142081976 CET | 443 | 49765 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:45.142167091 CET | 49765 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:45.142524004 CET | 49765 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:45.142563105 CET | 443 | 49765 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:46.356684923 CET | 443 | 49765 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:46.356781006 CET | 49765 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:46.358197927 CET | 49765 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:46.358207941 CET | 443 | 49765 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:46.358531952 CET | 443 | 49765 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:46.359853029 CET | 49765 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:46.359972000 CET | 49765 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:46.359977961 CET | 443 | 49765 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:47.168437958 CET | 443 | 49765 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:47.168555021 CET | 443 | 49765 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:47.168627977 CET | 49765 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:47.168742895 CET | 49765 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:47.168788910 CET | 443 | 49765 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:47.661575079 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:47.661606073 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:47.661679029 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:47.662017107 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:47.662033081 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:48.876091003 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:48.876162052 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:48.877439976 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:48.877454996 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:48.877775908 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:48.879275084 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:48.880033016 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:48.880069971 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:48.880170107 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:48.880204916 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:48.880306005 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:48.880369902 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:48.880481958 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:48.880506039 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:48.880631924 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:48.880656958 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:48.880800962 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:48.880825043 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:48.880848885 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:48.881083965 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:48.881114006 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:48.923337936 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:48.923485994 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:48.923532963 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:48.923547029 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:48.971332073 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:48.971599102 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:48.971643925 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:48.971669912 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:49.015360117 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:49.018261909 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:49.059334993 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:49.240740061 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:51.286396027 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:51.286498070 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:51.286566973 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:51.286675930 CET | 49771 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:51.286688089 CET | 443 | 49771 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:51.322452068 CET | 49781 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:51.322489023 CET | 443 | 49781 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:51.322593927 CET | 49781 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:51.322906971 CET | 49781 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:51.322921038 CET | 443 | 49781 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:52.541307926 CET | 443 | 49781 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:52.541408062 CET | 49781 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:52.542773008 CET | 49781 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:52.542785883 CET | 443 | 49781 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:52.543132067 CET | 443 | 49781 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:56:52.544365883 CET | 49781 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:52.544406891 CET | 49781 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:56:52.544452906 CET | 443 | 49781 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:57:00.470799923 CET | 443 | 49781 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:57:00.470921040 CET | 443 | 49781 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:57:00.471129894 CET | 49781 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:57:00.471340895 CET | 49781 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:57:00.471349955 CET | 443 | 49781 | 104.21.29.252 | 192.168.2.5 |
Dec 24, 2024 02:57:00.471375942 CET | 49781 | 443 | 192.168.2.5 | 104.21.29.252 |
Dec 24, 2024 02:57:00.471379995 CET | 443 | 49781 | 104.21.29.252 | 192.168.2.5 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 24, 2024 02:56:30.356976986 CET | 58093 | 53 | 192.168.2.5 | 1.1.1.1 |
Dec 24, 2024 02:56:30.684155941 CET | 53 | 58093 | 1.1.1.1 | 192.168.2.5 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Dec 24, 2024 02:56:30.356976986 CET | 192.168.2.5 | 1.1.1.1 | 0xf849 | Standard query (0) | icyidentifysu.click | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Dec 24, 2024 02:56:30.684155941 CET | 1.1.1.1 | 192.168.2.5 | 0xf849 | No error (0) | icyidentifysu.click | | 104.21.29.252 | A (IP address) | IN (0x0001) | false |
Dec 24, 2024 02:56:30.684155941 CET | 1.1.1.1 | 192.168.2.5 | 0xf849 | No error (0) | icyidentifysu.click | | 172.67.150.24 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.5 | 49725 | 104.21.29.252 | 443 | 5448 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-24 01:56:32 UTC | 266 | OUT | |
2024-12-24 01:56:32 UTC | 8 | OUT | |
2024-12-24 01:56:33 UTC | 1128 | IN | |
2024-12-24 01:56:33 UTC | 7 | IN | |
2024-12-24 01:56:33 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.5 | 49736 | 104.21.29.252 | 443 | 5448 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-24 01:56:34 UTC | 267 | OUT | |
2024-12-24 01:56:34 UTC | 54 | OUT | |
2024-12-24 01:56:35 UTC | 1129 | IN | |
2024-12-24 01:56:35 UTC | 240 | IN | |
2024-12-24 01:56:35 UTC | 900 | IN | |
2024-12-24 01:56:35 UTC | 1369 | IN | |
2024-12-24 01:56:35 UTC | 1369 | IN | |
2024-12-24 01:56:35 UTC | 1369 | IN | |
2024-12-24 01:56:35 UTC | 1369 | IN | |
2024-12-24 01:56:35 UTC | 1369 | IN | |
2024-12-24 01:56:35 UTC | 1369 | IN | |
2024-12-24 01:56:35 UTC | 1369 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.5 | 49742 | 104.21.29.252 | 443 | 5448 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-24 01:56:36 UTC | 278 | OUT | |
2024-12-24 01:56:36 UTC | 12800 | OUT | |
2024-12-24 01:56:37 UTC | 1131 | IN | |
2024-12-24 01:56:37 UTC | 20 | IN | |
2024-12-24 01:56:37 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.5 | 49748 | 104.21.29.252 | 443 | 5448 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-24 01:56:39 UTC | 281 | OUT | |
2024-12-24 01:56:39 UTC | 15060 | OUT | |
2024-12-24 01:56:42 UTC | 1128 | IN | |
2024-12-24 01:56:42 UTC | 20 | IN | |
2024-12-24 01:56:42 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.5 | 49759 | 104.21.29.252 | 443 | 5448 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-24 01:56:43 UTC | 285 | OUT | |
2024-12-24 01:56:43 UTC | 15331 | OUT | |
2024-12-24 01:56:43 UTC | 5243 | OUT | |
2024-12-24 01:56:44 UTC | 1134 | IN | |
2024-12-24 01:56:44 UTC | 20 | IN | |
2024-12-24 01:56:44 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.5 | 49765 | 104.21.29.252 | 443 | 5448 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-24 01:56:46 UTC | 283 | OUT | |
2024-12-24 01:56:46 UTC | 1251 | OUT | |
2024-12-24 01:56:47 UTC | 1134 | IN | |
2024-12-24 01:56:47 UTC | 20 | IN | |
2024-12-24 01:56:47 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.5 | 49771 | 104.21.29.252 | 443 | 5448 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-24 01:56:48 UTC | 283 | OUT | |
2024-12-24 01:56:48 UTC | 15331 | OUT | |
2024-12-24 01:56:48 UTC | 15331 | OUT | |
2024-12-24 01:56:48 UTC | 15331 | OUT | |
2024-12-24 01:56:48 UTC | 15331 | OUT | |
2024-12-24 01:56:48 UTC | 15331 | OUT | |
2024-12-24 01:56:48 UTC | 15331 | OUT | |
2024-12-24 01:56:48 UTC | 15331 | OUT | |
2024-12-24 01:56:48 UTC | 15331 | OUT | |
2024-12-24 01:56:48 UTC | 15331 | OUT | |
2024-12-24 01:56:48 UTC | 15331 | OUT | |
2024-12-24 01:56:51 UTC | 1131 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.5 | 49781 | 104.21.29.252 | 443 | 5448 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-24 01:56:52 UTC | 267 | OUT | |
2024-12-24 01:56:52 UTC | 89 | OUT | |
2024-12-24 01:57:00 UTC | 1130 | IN | |
2024-12-24 01:57:00 UTC | 54 | IN | |
2024-12-24 01:57:00 UTC | 5 | IN |
Target ID: | 0 |
Start time: | 20:56:01 |
Start date: | 23/12/2024 |
Path: | C:\Users\user\Desktop\Adobe GenP 5.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xc20000 |
File size: | 14'820'352 bytes |
MD5 hash: | 9CCE9D11869E1568A959515CD688F1F9 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 3 |
Start time: | 20:56:26 |
Start date: | 23/12/2024 |
Path: | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xee0000 |
File size: | 231'736 bytes |
MD5 hash: | A64BEAB5D4516BECA4C40B25DC0C1CD8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Function 00C53900 Relevance: 12.7, Strings: 10, Instructions: 172 [COMMON]
Function 00C63990 Relevance: 5.1, Strings: 4, Instructions: 81 [COMMON]
Execution Graph
Execution Coverage: | 9.4% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 59.4% |
Total number of Nodes: | 155 |
Total number of Limit Nodes: | 7 |
Function 00420720 Relevance: 16.8, Strings: 13, Instructions: 561 [COMMON]
Function 004353A0 Relevance: 9.4, APIs: 3, Strings: 2, Instructions: 681 [memory, COMMON]
Function 00435090 Relevance: 6.5, Strings: 5, Instructions: 248 [COMMON]
Function 0040DCA0 Relevance: 4.1, Strings: 3, Instructions: 314 [COMMON]
Function 0042A80B Relevance: 3.9, Strings: 3, Instructions: 110 [COMMON]
Function 0043CCD0 Relevance: 2.8, Strings: 2, Instructions: 328 [COMMON]
Function 004253A0 Relevance: 2.8, Strings: 2, Instructions: 265 [COMMON]
Function 00439BE8 Relevance: 2.7, Strings: 2, Instructions: 165 [COMMON]
Function 00408690 Relevance: 1.7, APIs: 1, Instructions: 245 [COMMON]
Function 00416D93 Relevance: 1.6, APIs: 1, Instructions: 141 [COMMON]
Function 00439AF0 Relevance: 1.5, APIs: 1, Instructions: 14 [library, COMMON]
Function 0040D49A Relevance: 1.4, Strings: 1, Instructions: 188 [COMMON]
Function 0040CF2B Relevance: 1.4, Strings: 1, Instructions: 175 [COMMON]
Function 0040B9AF Relevance: 1.4, Strings: 1, Instructions: 151 [COMMON]
Function 00438110 Relevance: .3, Instructions: 284 [COMMON]
Function 0043C410 Relevance: .3, Instructions: 268 [COMMON]
Function 0043A55A Relevance: .2, Instructions: 192 [COMMON]
Function 0042B771 Relevance: .2, Instructions: 154 [COMMON]
Function 00439F2D Relevance: .1, Instructions: 81 [COMMON]
Function 0040C37A Relevance: .1, Instructions: 74 [COMMON]
Function 00433F96 Relevance: 1.6, APIs: 1, Instructions: 50 [COMMON]
Function 0042FB46 Relevance: 1.5, APIs: 1, Instructions: 23 [COMMON]
Function 0042DBBF Relevance: 1.5, APIs: 1, Instructions: 23 [COMMON]
Function 0040C7F3 Relevance: 1.5, APIs: 1, Instructions: 20 [COMMON]
Function 0040C7C0 Relevance: 1.5, APIs: 1, Instructions: 17 [COMMON]
Function 00439AB6 Relevance: 1.5, APIs: 1, Instructions: 10 [memory, COMMON]
Function 004380B0 Relevance: 1.5, APIs: 1, Instructions: 9 [memory, COMMON]
Function 004380F3 Relevance: 1.5, APIs: 1, Instructions: 7 [memory, COMMON]
Function 0040FC0A Relevance: 23.4, Strings: 18, Instructions: 932 [COMMON]
Function 004298A0 Relevance: 12.7, Strings: 10, Instructions: 245 [COMMON]
Function 00409630 Relevance: 11.6, Strings: 9, Instructions: 400 [COMMON]
Function 00415CFC Relevance: 11.5, Strings: 9, Instructions: 270 [COMMON]
Function 00419490 Relevance: 11.4, Strings: 8, Instructions: 1409 [COMMON]
Function 00417CE5 Relevance: 8.9, Strings: 7, Instructions: 151 [COMMON]
Function 0040A9B0 Relevance: 7.9, Strings: 6, Instructions: 396 [COMMON]
Function 0042B429 Relevance: 6.5, Strings: 5, Instructions: 241 [COMMON]
Function 0041D6F0 Relevance: 5.9, Strings: 4, Instructions: 866 [COMMON]
Function 004389F0 Relevance: 5.6, Strings: 4, Instructions: 626 [COMMON]
Function 00435E40 Relevance: 5.4, Strings: 4, Instructions: 437 [COMMON]
Function 0043395D Relevance: 5.4, Strings: 4, Instructions: 379 [COMMON]
Function 00409270 Relevance: 5.4, Strings: 4, Instructions: 375 [COMMON]
Function 004340EF Relevance: 5.3, Strings: 4, Instructions: 334 [COMMON]
Function 0040C830 Relevance: 5.3, Strings: 4, Instructions: 294 [COMMON]
Function 004158D6 Relevance: 4.0, Strings: 3, Instructions: 216 [COMMON]
Function 00404C30 Relevance: 3.3, Strings: 2, Instructions: 821 [COMMON]
Function 0041C200 Relevance: 3.0, Strings: 2, Instructions: 463 [COMMON]
Function 004160F1 Relevance: 2.8, Strings: 2, Instructions: 343 [COMMON]
Function 00404300 Relevance: 2.8, Strings: 2, Instructions: 329 [COMMON]
Function 0042A9C4 Relevance: 2.7, Strings: 2, Instructions: 248 [COMMON]
Function 0042AA62 Relevance: 2.7, Strings: 2, Instructions: 246 [COMMON]
Function 004221FE Relevance: 2.6, Strings: 2, Instructions: 78 [COMMON]
Function 00421380 Relevance: 1.7, Strings: 1, Instructions: 488 [COMMON]
Function 00429070 Relevance: 1.6, Strings: 1, Instructions: 396 [COMMON]
Function 00420FA0 Relevance: 1.6, Strings: 1, Instructions: 355 [COMMON]
Function 0041CA40 Relevance: 1.5, Strings: 1, Instructions: 285 [COMMON]
Function 0041876C Relevance: 1.5, Strings: 1, Instructions: 285 [COMMON]
Function 00405E90 Relevance: 1.5, Strings: 1, Instructions: 265 [COMMON]
Function 0040D738 Relevance: 1.5, Strings: 1, Instructions: 243 [COMMON]
Function 00418BE7 Relevance: 1.5, Strings: 1, Instructions: 242 [COMMON]
Function 0042D32A Relevance: 1.5, Strings: 1, Instructions: 216 [COMMON]
Function 00438620 Relevance: 1.5, Strings: 1, Instructions: 203 [COMMON]
Function 00429ECA Relevance: 1.4, Strings: 1, Instructions: 196 [COMMON]
Function 0042B0DE Relevance: 1.4, Strings: 1, Instructions: 143 [COMMON]
Function 00429E89 Relevance: 1.4, Strings: 1, Instructions: 127 [COMMON]
Function 0041AC1D Relevance: 1.4, Strings: 1, Instructions: 108 [COMMON]
Function 00422154 Relevance: 1.3, Strings: 1, Instructions: 84 [COMMON]
Function 00426B8E Relevance: 1.3, Strings: 1, Instructions: 63 [COMMON]
Function 00421F0E Relevance: 1.3, Strings: 1, Instructions: 62 [COMMON]
Function 0041B2AA Relevance: 1.3, Strings: 1, Instructions: 60 [COMMON]
Function 00424330 Relevance: 1.3, Strings: 1, Instructions: 60 [COMMON]
Function 00427D4D Relevance: 1.3, Strings: 1, Instructions: 58 [COMMON]
Function 0040CCC5 Relevance: 1.3, Strings: 1, Instructions: 57 [COMMON]
Function 00421F10 Relevance: 1.3, Strings: 1, Instructions: 41 [COMMON]
Function 004066C0 Relevance: .7, Instructions: 665 [COMMON]
Function 00402F40 Relevance: .7, Instructions: 664 [COMMON]
Function 004074A0 Relevance: .6, Instructions: 611 [COMMON]
Function 00403950 Relevance: .6, Instructions: 600 [COMMON]
Function 0041E7F0 Relevance: .6, Instructions: 562 [COMMON]
Function 00405940 Relevance: .4, Instructions: 448 [COMMON]
Function 0041CD60 Relevance: .3, Instructions: 337 [COMMON]
Function 0043C990 Relevance: .3, Instructions: 317 [COMMON]
Function 00406230 Relevance: .3, Instructions: 303 [COMMON]
Function 0043C6A0 Relevance: .3, Instructions: 301 [COMMON]
Function 00434AD0 Relevance: .3, Instructions: 293 [COMMON]
Function 00408FE0 Relevance: .3, Instructions: 264 [COMMON]
Function 0042E440 Relevance: .2, Instructions: 248 [COMMON]
Function 0042FD60 Relevance: .2, Instructions: 235 [COMMON]
Function 0041D170 Relevance: .2, Instructions: 219 [COMMON]
Function 0042760C Relevance: .2, Instructions: 212 [COMMON]
Function 00439140 Relevance: .2, Instructions: 209 [COMMON]
Function 0041D4B0 Relevance: .2, Instructions: 202 [COMMON]
Function 0041A790 Relevance: .2, Instructions: 193 [COMMON]
Function 004282E8 Relevance: .2, Instructions: 190 [COMMON]
Function 00434870 Relevance: .2, Instructions: 189 [COMMON]
Function 00426400 Relevance: .2, Instructions: 187 [COMMON]
Function 00414D45 Relevance: .2, Instructions: 185 [COMMON]
Function 004029D0 Relevance: .2, Instructions: 167 [COMMON]
Function 004153FC Relevance: .1, Instructions: 123 [COMMON]
Function 00414D40 Relevance: .1, Instructions: 118 [COMMON]
Function 004256A0 Relevance: .1, Instructions: 118 [COMMON]
Function 0043B720 Relevance: .1, Instructions: 100 [COMMON]
Function 00436770 Relevance: .1, Instructions: 92 [COMMON]
Function 00408A50 Relevance: .1, Instructions: 81 [COMMON]
Function 0043A35B Relevance: .1, Instructions: 80 [COMMON]
Function 00402B90 Relevance: .1, Instructions: 76 [COMMON]
Function 00414C4E Relevance: .1, Instructions: 73 [COMMON]
Function 00432770 Relevance: .1, Instructions: 64 [COMMON]
Function 00428AF0 Relevance: .1, Instructions: 63 [COMMON]
Function 0040C2DA Relevance: .1, Instructions: 52 [COMMON]
Function 00439DD7 Relevance: .0, Instructions: 45 [COMMON]
Function 0040B215 Relevance: .0, Instructions: 19 [COMMON]
Function 00420273 Relevance: .0, Instructions: 11 [COMMON]
Function 004245DE Relevance: .0, Instructions: 9 [COMMON]
Function 00422F44 Relevance: .0, Instructions: 7 [COMMON]