Windows
Analysis Report
txUcQFc0aJ.exe
Overview
General Information
Sample name: | txUcQFc0aJ.exe (renamed because the original name is a hash value) |
Original sample name: | 2e3ea061bac71f40040a84deb399f8ce7683f4b8.exe |
Analysis ID: | 1580259 |
MD5: | 856fcc25696a214f54af0d37de84d818 |
SHA1: | 2e3ea061bac71f40040a84deb399f8ce7683f4b8 |
SHA256: | 92d457b286fb63d2f5ec9413fd234643448c5f8d2c0763e43ed5cf27ab47eb02 |
Tags: | ArduinoIDE, AtaleoGmbH, exe, user-NDA0E |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- txUcQFc0aJ.exe (PID: 7404, cmdline: "C:\Users\user\Desktop\txUcQFc0aJ.exe", MD5: 856FCC25696A214F54AF0D37DE84D818)
  - BitLockerToGo.exe (PID: 7764, cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe", MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in the C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | |
{"C2 url": ["crosshuaht.lat", "grannyejh.lat", "rapeflowwj.lat", "energyaffai.lat", "aspecteirs.lat", "discokeyus.lat", "bithithol.click", "sustainskelet.lat", "necklacebudi.lat"], "Build id": "VvQOXN--moneytree"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| Msfpayloads_msf_9 | Metasploit Payloads - file msf.war - contents | Florian Roth | |
| JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | |
| JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-24T08:16:28.440312+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49741 | 172.67.151.61 | 443 | TCP |
2024-12-24T08:16:29.185397+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49741 | 172.67.151.61 | 443 | TCP |
2024-12-24T08:16:29.185397+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49741 | 172.67.151.61 | 443 | TCP |
2024-12-24T08:16:30.440036+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49742 | 172.67.151.61 | 443 | TCP |
2024-12-24T08:16:31.217842+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49742 | 172.67.151.61 | 443 | TCP |
2024-12-24T08:16:31.217842+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49742 | 172.67.151.61 | 443 | TCP |
2024-12-24T08:16:32.898998+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49743 | 172.67.151.61 | 443 | TCP |
2024-12-24T08:16:35.540667+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49744 | 172.67.151.61 | 443 | TCP |
2024-12-24T08:16:36.361395+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49744 | 172.67.151.61 | 443 | TCP |
2024-12-24T08:16:37.764019+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49745 | 172.67.151.61 | 443 | TCP |
2024-12-24T08:16:40.257292+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49746 | 172.67.151.61 | 443 | TCP |
2024-12-24T08:16:42.756989+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49747 | 172.67.151.61 | 443 | TCP |
2024-12-24T08:16:46.380672+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49748 | 172.67.151.61 | 443 | TCP |
2024-12-24T08:16:47.143767+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49748 | 172.67.151.61 | 443 | TCP |
AV Detection
Networking
System Summary
Malware Analysis System Evasion
HIPS / PFW / Operating System Protection Evasion
Stealing of Sensitive Information
Remote Access Functionality
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 311 Process Injection | 11 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 131 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 311 Process Injection | LSASS Memory | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 41 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 22 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 47% | ReversingLabs | Win32.Trojan.LummaStealer | |
| 36% | Virustotal | | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
bithithol.click | 172.67.151.61 | true | true | | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
false | high | ||
true |
| unknown | |
false | high | ||
false | high | ||
false | high | ||
true |
| unknown | |
false | high | ||
false | high | ||
false | high | ||
false | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | | unknown | ||
false | high | |||
false | high | |||
false | | unknown | ||
false | | unknown | ||
false | high | |||
false | | unknown | ||
false | high | |||
false | | unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | | unknown | ||
false | | unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | | unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | | unknown | ||
false | high | |||
false | | unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | | unknown | ||
false | high | |||
false | | unknown | ||
false | high | |||
false | | unknown | ||
false | high |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
172.67.151.61 | bithithol.click | United States | 13335 | CLOUDFLARENETUS | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1580259 |
Start date and time: | 2024-12-24 08:15:06 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 33s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 5 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | txUcQFc0aJ.exe (renamed because original name is a hash value) |
Original Sample Name: | 2e3ea061bac71f40040a84deb399f8ce7683f4b8.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@3/0@1/1 |
EGA Information: | Failed |
HCA Information: | Failed |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.63
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target BitLockerToGo.exe, PID 7764 because there are no executed functions
- Execution Graph export aborted for target txUcQFc0aJ.exe, PID 7404 because there are no executed functions
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description |
---|---|---|
02:16:28 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CLOUDFLARENETUS | Get hash | malicious | Abobus Obfuscator, Braodo | Browse | | |
Get hash | malicious | Unknown | Browse | | ||
Get hash | malicious | Unknown | Browse | | ||
Get hash | malicious | Unknown | Browse | | ||
Get hash | malicious | LummaC | Browse | | ||
Get hash | malicious | LummaC | Browse | | ||
Get hash | malicious | LummaC | Browse | | ||
Get hash | malicious | LummaC | Browse | | ||
Get hash | malicious | LummaC | Browse | | ||
Get hash | malicious | LummaC | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC | Browse | | |
Get hash | malicious | LummaC | Browse | | ||
Get hash | malicious | LummaC | Browse | | ||
Get hash | malicious | LummaC | Browse | | ||
Get hash | malicious | LummaC | Browse | | ||
Get hash | malicious | LummaC | Browse | | ||
Get hash | malicious | LummaC Stealer | Browse | | ||
Get hash | malicious | LummaC | Browse | | ||
Get hash | malicious | LummaC | Browse | | ||
Get hash | malicious | LummaC | Browse | |
File type: | |
Entropy (8bit): | 6.323506534203698 |
TrID: | |
File name: | txUcQFc0aJ.exe |
File size: | 4'029'080 bytes |
MD5: | 856fcc25696a214f54af0d37de84d818 |
SHA1: | 2e3ea061bac71f40040a84deb399f8ce7683f4b8 |
SHA256: | 92d457b286fb63d2f5ec9413fd234643448c5f8d2c0763e43ed5cf27ab47eb02 |
SHA512: | 6a0820c26988d697146d71ce152216af79d657907daea4f26e51b34a95fcee2ddea799dafcc1a6b48400012cdeaf3056fae065ac2afa1191e356f58c4a7ca170 |
SSDEEP: | 49152:Zhii8NmRFtujC5QQZIDc/jv/sAVwC/EEj4AMVc9XcKPQj:+i8oAeYc/zKc9cK4 |
TLSH: | E4160641FA8B84F5D8031C70516A623F97315E098B38DB9BFA5C7B5AEB777920C32609 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........B=..................\......0.........:...@...........................?.......=...@................................ |
Icon Hash: | b8868baba9aba2d8 |
Entrypoint: | 0x461830 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x0 [Thu Jan 1 00:00:00 1970 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 1 |
File Version Major: | 6 |
File Version Minor: | 1 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 1 |
Import Hash: | 1aae8bf580c846f39c71c05898e57e88 |
Signature Valid: | true |
Signature Issuer: | CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE |
Signature Validation Error: | The operation completed successfully |
Error Number: | 0 |
Not Before, Not After | |
Subject Chain | |
Version: | 3 |
Thumbprint MD5: | 5553578DD39A42AF5D525601DB481558 |
Thumbprint SHA-1: | BE7156BD07DD7F72521FAE4A3D6F46C48DD2CE9E |
Thumbprint SHA-256: | 279D3857570896F466BB8CE6343E9654BA7D9ED594E6E39E36D95FDB029D6567 |
Serial: | 5608CAB7E2CE34D53ABCBB73 |
Instruction |
---|
jmp 00007FFA14AB1630h |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
sub esp, 28h |
mov dword ptr [esp+1Ch], ebx |
mov dword ptr [esp+10h], ebp |
mov dword ptr [esp+14h], esi |
mov dword ptr [esp+18h], edi |
mov dword ptr [esp], eax |
mov dword ptr [esp+04h], ecx |
call 00007FFA14A92496h |
mov eax, dword ptr [esp+08h] |
mov edi, dword ptr [esp+18h] |
mov esi, dword ptr [esp+14h] |
mov ebp, dword ptr [esp+10h] |
mov ebx, dword ptr [esp+1Ch] |
add esp, 28h |
retn 0004h |
ret |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
sub esp, 08h |
mov ecx, dword ptr [esp+0Ch] |
mov edx, dword ptr [ecx] |
mov eax, esp |
mov dword ptr [edx+04h], eax |
sub eax, 00010000h |
mov dword ptr [edx], eax |
add eax, 000013A0h |
mov dword ptr [edx+08h], eax |
mov dword ptr [edx+0Ch], eax |
lea edi, dword ptr [ecx+34h] |
mov dword ptr [edx+18h], ecx |
mov dword ptr [edi], edx |
mov dword ptr [esp+04h], edi |
call 00007FFA14AB3A94h |
cld |
call 00007FFA14AB2B1Eh |
call 00007FFA14AB1759h |
add esp, 08h |
ret |
jmp 00007FFA14AB3940h |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
mov ebx, dword ptr [esp+04h] |
mov ebp, esp |
mov dword ptr fs:[00000034h], 00000000h |
mov ecx, dword ptr [ebx+04h] |
cmp ecx, 00000000h |
je 00007FFA14AB3941h |
mov eax, ecx |
shl eax, 02h |
sub esp, eax |
mov edi, esp |
mov esi, dword ptr [ebx+08h] |
cld |
rep movsd |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3e7000 | 0x44c | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3fe000 | 0xdbb | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x3d5200 | 0x2898 | .data |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3e8000 | 0x14e84 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3ab2e0 | 0xb4 | .data |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x1ccb58 | 0x1ccc00 | a55d62fea5f1a6e720238ba8a17ee01a | False | 0.4105404105059685 | data | 6.048439365847348 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x1ce000 | 0x1dcdb4 | 0x1dce00 | 48d54db011ff4ecdd7c51569f16443be | False | 0.4840258437090432 | data | 5.958432329338492 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x3ab000 | 0x3b900 | 0x14e00 | 7f45d08ecb7d40940677ce562018c17f | False | 0.46423559131736525 | data | 4.995009550553892 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0x3e7000 | 0x44c | 0x600 | 4c1f863405e23667b54bac8329eec6ab | False | 0.3580729166666667 | OpenPGP Public Key | 3.8150969146477673 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.reloc | 0x3e8000 | 0x14e84 | 0x15000 | 95d30fd9f7f93a30e90a247316ee6f4f | False | 0.5861932663690477 | data | 6.593268593641417 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.symtab | 0x3fd000 | 0x4 | 0x200 | 07b5472d347d42780469fb2654b7fc54 | False | 0.02734375 | data | 0.020393135236084953 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.rsrc | 0x3fe000 | 0xdbb | 0xe00 | 60bc5e6f326733e1f647a4e019bd1187 | False | 0.36997767857142855 | data | 4.084514689383175 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x3fe1a8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.16532258064516128 |
RT_ICON | 0x3fe490 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.32094594594594594 |
RT_DIALOG | 0x3fe5b8 | 0x176 | data | English | United States | 0.5802139037433155 |
RT_GROUP_ICON | 0x3fe730 | 0x22 | data | English | United States | 1.0 |
RT_VERSION | 0x3fe754 | 0x244 | data | English | United States | 0.4827586206896552 |
RT_MANIFEST | 0x3fe998 | 0x423 | XML 1.0 document, ASCII text, with very long lines (1059), with no line terminators | English | United States | 0.5127478753541076 |
DLL | Import |
---|---|
kernel32.dll | WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-24T08:16:28.440312+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49741 | 172.67.151.61 | 443 | TCP |
2024-12-24T08:16:29.185397+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49741 | 172.67.151.61 | 443 | TCP |
2024-12-24T08:16:29.185397+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49741 | 172.67.151.61 | 443 | TCP |
2024-12-24T08:16:30.440036+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49742 | 172.67.151.61 | 443 | TCP |
2024-12-24T08:16:31.217842+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49742 | 172.67.151.61 | 443 | TCP |
2024-12-24T08:16:31.217842+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49742 | 172.67.151.61 | 443 | TCP |
2024-12-24T08:16:32.898998+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49743 | 172.67.151.61 | 443 | TCP |
2024-12-24T08:16:35.540667+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49744 | 172.67.151.61 | 443 | TCP |
2024-12-24T08:16:36.361395+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49744 | 172.67.151.61 | 443 | TCP |
2024-12-24T08:16:37.764019+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49745 | 172.67.151.61 | 443 | TCP |
2024-12-24T08:16:40.257292+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49746 | 172.67.151.61 | 443 | TCP |
2024-12-24T08:16:42.756989+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49747 | 172.67.151.61 | 443 | TCP |
2024-12-24T08:16:46.380672+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49748 | 172.67.151.61 | 443 | TCP |
2024-12-24T08:16:47.143767+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49748 | 172.67.151.61 | 443 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 24, 2024 08:16:26.899334908 CET | 54668 | 53 | 192.168.2.4 | 1.1.1.1 |
Dec 24, 2024 08:16:27.208863020 CET | 53 | 54668 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Dec 24, 2024 08:16:26.899334908 CET | 192.168.2.4 | 1.1.1.1 | 0xcc04 | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Dec 24, 2024 08:16:27.208863020 CET | 1.1.1.1 | 192.168.2.4 | 0xcc04 | No error (0) | 172.67.151.61 | A (IP address) | IN (0x0001) | false | ||
Dec 24, 2024 08:16:27.208863020 CET | 1.1.1.1 | 192.168.2.4 | 0xcc04 | No error (0) | 104.21.33.227 | A (IP address) | IN (0x0001) | false | ||
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.4 | 49741 | 172.67.151.61 | 443 | 7764 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-24 07:16:28 UTC | 262 | OUT | |
2024-12-24 07:16:28 UTC | 8 | OUT | |
2024-12-24 07:16:29 UTC | 1137 | IN | |
2024-12-24 07:16:29 UTC | 7 | IN | |
2024-12-24 07:16:29 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.4 | 49742 | 172.67.151.61 | 443 | 7764 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-24 07:16:30 UTC | 263 | OUT | |
2024-12-24 07:16:30 UTC | 51 | OUT | |
2024-12-24 07:16:31 UTC | 1121 | IN | |
2024-12-24 07:16:31 UTC | 248 | IN | |
2024-12-24 07:16:31 UTC | 891 | IN | |
2024-12-24 07:16:31 UTC | 1369 | IN | |
2024-12-24 07:16:31 UTC | 1369 | IN | |
2024-12-24 07:16:31 UTC | 1369 | IN | |
2024-12-24 07:16:31 UTC | 1369 | IN | |
2024-12-24 07:16:31 UTC | 1369 | IN | |
2024-12-24 07:16:31 UTC | 1369 | IN | |
2024-12-24 07:16:31 UTC | 1369 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.4 | 49743 | 172.67.151.61 | 443 | 7764 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-24 07:16:32 UTC | 272 | OUT | |
2024-12-24 07:16:32 UTC | 15331 | OUT | |
2024-12-24 07:16:32 UTC | 2782 | OUT | |
2024-12-24 07:16:34 UTC | 1126 | IN | |
2024-12-24 07:16:34 UTC | 20 | IN | |
2024-12-24 07:16:34 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.4 | 49744 | 172.67.151.61 | 443 | 7764 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-24 07:16:35 UTC | 278 | OUT | |
2024-12-24 07:16:35 UTC | 8776 | OUT | |
2024-12-24 07:16:36 UTC | 1125 | IN | |
2024-12-24 07:16:36 UTC | 20 | IN | |
2024-12-24 07:16:36 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.4 | 49745 | 172.67.151.61 | 443 | 7764 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-24 07:16:37 UTC | 282 | OUT | |
2024-12-24 07:16:37 UTC | 15331 | OUT | |
2024-12-24 07:16:37 UTC | 5116 | OUT | |
2024-12-24 07:16:38 UTC | 1131 | IN | |
2024-12-24 07:16:38 UTC | 20 | IN | |
2024-12-24 07:16:38 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.4 | 49746 | 172.67.151.61 | 443 | 7764 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-24 07:16:40 UTC | 277 | OUT | |
2024-12-24 07:16:40 UTC | 1244 | OUT | |
2024-12-24 07:16:41 UTC | 1132 | IN | |
2024-12-24 07:16:41 UTC | 20 | IN | |
2024-12-24 07:16:41 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.4 | 49747 | 172.67.151.61 | 443 | 7764 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-24 07:16:42 UTC | 273 | OUT | |
2024-12-24 07:16:42 UTC | 15331 | OUT | |
2024-12-24 07:16:42 UTC | 15331 | OUT | |
2024-12-24 07:16:42 UTC | 15331 | OUT | |
2024-12-24 07:16:42 UTC | 15331 | OUT | |
2024-12-24 07:16:42 UTC | 15331 | OUT | |
2024-12-24 07:16:42 UTC | 15331 | OUT | |
2024-12-24 07:16:42 UTC | 15331 | OUT | |
2024-12-24 07:16:42 UTC | 15331 | OUT | |
2024-12-24 07:16:42 UTC | 15331 | OUT | |
2024-12-24 07:16:42 UTC | 15331 | OUT | |
2024-12-24 07:16:45 UTC | 1131 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.4 | 49748 | 172.67.151.61 | 443 | 7764 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-24 07:16:46 UTC | 263 | OUT | |
2024-12-24 07:16:46 UTC | 86 | OUT | |
2024-12-24 07:16:47 UTC | 1117 | IN | |
2024-12-24 07:16:47 UTC | 54 | IN | |
2024-12-24 07:16:47 UTC | 5 | IN |
Target ID: | 0 |
Start time: | 02:15:58 |
Start date: | 24/12/2024 |
Path: | C:\Users\user\Desktop\txUcQFc0aJ.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x810000 |
File size: | 4'029'080 bytes |
MD5 hash: | 856FCC25696A214F54AF0D37DE84D818 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 4 |
Start time: | 02:16:23 |
Start date: | 24/12/2024 |
Path: | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x550000 |
File size: | 231'736 bytes |
MD5 hash: | A64BEAB5D4516BECA4C40B25DC0C1CD8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | moderate |
Has exited: | true |
Function 0083A870 Relevance: 6.4, Strings: 5, Instructions: 121 COMMON
Function 00834E80 Relevance: 1.5, Strings: 1, Instructions: 255 COMMON
Function 00833FD0 Relevance: 1.5, Strings: 1, Instructions: 213 COMMON
Function 00830E20 Relevance: .5, Instructions: 493 COMMON
Function 008356A0 Relevance: .5, Instructions: 462 COMMON
Function 0082C420 Relevance: .5, Instructions: 459 COMMON
Function 0083EBB0 Relevance: .3, Instructions: 297 COMMON
Function 0081EDC0 Relevance: .3, Instructions: 293 COMMON
Function 008365C0 Relevance: .3, Instructions: 281 COMMON
Function 00834900 Relevance: .3, Instructions: 276 COMMON
Function 00813770 Relevance: .2, Instructions: 219 COMMON
Function 00833620 Relevance: .2, Instructions: 193 COMMON
Function 00813170 Relevance: .2, Instructions: 162 COMMON
Function 008373C0 Relevance: .1, Instructions: 145 COMMON
Function 00837C70 Relevance: .1, Instructions: 130 COMMON
Function 0081A4F0 Relevance: .1, Instructions: 116 COMMON
Function 0083BD40 Relevance: .1, Instructions: 116 COMMON
Function 0081DF90 Relevance: .1, Instructions: 97 COMMON
Function 00817BE0 Relevance: .1, Instructions: 76 COMMON
Function 00828B70 Relevance: .1, Instructions: 72 COMMON
Function 0086B8E0 Relevance: .0, Instructions: 46 COMMON
Function 00870AC0 Relevance: .0, Instructions: 10 COMMON
Function 00813590 Relevance: 18.8, Strings: 15, Instructions: 86 COMMON
Function 00816B70 Relevance: 12.7, Strings: 10, Instructions: 199 COMMON
Function 00811120 Relevance: 11.6, Strings: 9, Instructions: 326 COMMON
Function 008115D0 Relevance: 9.2, Strings: 7, Instructions: 432 COMMON
Function 0086EE70 Relevance: 8.9, Strings: 7, Instructions: 170 COMMON
Function 0086EBE0 Relevance: 8.9, Strings: 7, Instructions: 150 COMMON
Function 0083A3F0 Relevance: 6.5, Strings: 5, Instructions: 299 COMMON
Function 00824010 Relevance: 6.5, Strings: 5, Instructions: 268 COMMON
Function 00862100 Relevance: 6.4, Strings: 5, Instructions: 149 COMMON
Function 00853F90 Relevance: 5.1, Strings: 4, Instructions: 148 COMMON
Function 00825B40 Relevance: 5.1, Strings: 4, Instructions: 71 COMMON