Edit tour
Windows
Analysis Report
6wFwugeLNG.exe
Overview
General Information
| Sample name: | 6wFwugeLNG.exerenamed because original name is a hash value |
| Original sample name: | 16b7635bd33367d455f26adc148dbfc3.exe |
| Analysis ID: | 1581196 |
| MD5: | 16b7635bd33367d455f26adc148dbfc3 |
| SHA1: | 0ae5aa47351d1732e9a851761ac91796364e5f53 |
| SHA256: | 5f6e9e2cb25c557c1bc5ec4d56a4d3859a06d2d70dbccff887aa7cf115a91f98 |
| Tags: | exeRedLineStealeruser-abuse_ch |
| Infos: |  |
 | |
Detection
LummaC
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara detected Credential Stealer
Yara signature match
query blbeacon for getting browser version
Classification
- System is w10x64
6wFwugeLNG.exe (PID: 2792 cmdline: "C:\Users\ user\Deskt op\6wFwuge LNG.exe" MD5: 16B7635BD33367D455F26ADC148DBFC3) 
reg.exe (PID: 4992 cmdline: reg query HKEY_CURRE NT_USER\So ftware\Goo gle\Chrome \BLBeacon /v version MD5: CDD462E86EC0F20DE2A1D781928B1B0C) 
conhost.exe (PID: 6472 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
BitLockerToGo.exe (PID: 612 cmdline: "C:\Window s\BitLocke rDiscovery VolumeCont ents\BitLo ckerToGo.e xe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
{"C2 url": ["wrathful-jammy.cyou", "immureprech.biz", "awake-weaves.cyou", "sordid-snaked.cyou", "diffuculttan.xyz", "deafeninggeh.biz", "debonairnukk.xyz", "cycahao.shop", "effecterectz.xyz"], "Build id": "hRjzG3--VIKA"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| Msfpayloads_msf_9 | Metasploit Payloads - file msf.war - contents | Florian Roth |
| |
| Msfpayloads_msf_9 | Metasploit Payloads - file msf.war - contents | Florian Roth |
| |
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | ||
| Click to see the 1 entries | ||||
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-27T08:20:32.744504+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49754 | 172.67.135.139 | 443 | TCP |
| 2024-12-27T08:20:34.720753+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49761 | 172.67.135.139 | 443 | TCP |
| 2024-12-27T08:20:37.107387+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49767 | 172.67.135.139 | 443 | TCP |
| 2024-12-27T08:20:39.415938+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49773 | 172.67.135.139 | 443 | TCP |
| 2024-12-27T08:20:41.713969+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49779 | 172.67.135.139 | 443 | TCP |
| 2024-12-27T08:20:44.156009+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49785 | 172.67.135.139 | 443 | TCP |
| 2024-12-27T08:20:46.581923+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49791 | 172.67.135.139 | 443 | TCP |
| 2024-12-27T08:20:50.072641+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49801 | 172.67.135.139 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-27T08:20:33.446130+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49754 | 172.67.135.139 | 443 | TCP |
| 2024-12-27T08:20:35.533896+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49761 | 172.67.135.139 | 443 | TCP |
| 2024-12-27T08:20:50.846469+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49801 | 172.67.135.139 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-27T08:20:33.446130+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.6 | 49754 | 172.67.135.139 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-27T08:20:35.533896+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.6 | 49761 | 172.67.135.139 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-27T08:20:32.744504+0100 | 2058278 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49754 | 172.67.135.139 | 443 | TCP |
| 2024-12-27T08:20:34.720753+0100 | 2058278 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49761 | 172.67.135.139 | 443 | TCP |
| 2024-12-27T08:20:37.107387+0100 | 2058278 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49767 | 172.67.135.139 | 443 | TCP |
| 2024-12-27T08:20:39.415938+0100 | 2058278 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49773 | 172.67.135.139 | 443 | TCP |
| 2024-12-27T08:20:41.713969+0100 | 2058278 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49779 | 172.67.135.139 | 443 | TCP |
| 2024-12-27T08:20:44.156009+0100 | 2058278 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49785 | 172.67.135.139 | 443 | TCP |
| 2024-12-27T08:20:46.581923+0100 | 2058278 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49791 | 172.67.135.139 | 443 | TCP |
| 2024-12-27T08:20:50.072641+0100 | 2058278 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49801 | 172.67.135.139 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-27T08:20:31.189614+0100 | 2058277 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 56750 | 1.1.1.1 | 53 | UDP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-27T08:20:44.906387+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49785 | 172.67.135.139 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Code function: | 5_2_00465890 | |
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 5_2_0048D3C0 | |
| Source: | Code function: | 5_2_0048E3C0 | |
| Source: | Code function: | 5_2_0045C4C6 | |
| Source: | Code function: | 5_2_00487500 | |
| Source: | Code function: | 5_2_00487500 | |
| Source: | Code function: | 5_2_0048D640 | |
| Source: | Code function: | 5_2_0047C67D | |
| Source: | Code function: | 5_2_0045E6F2 | |
| Source: | Code function: | 5_2_004897E0 | |
| Source: | Code function: | 5_2_004897E0 | |
| Source: | Code function: | 5_2_00469804 | |
| Source: | Code function: | 5_2_00469804 | |
| Source: | Code function: | 5_2_0047281D | |
| Source: | Code function: | 5_2_0048C820 | |
| Source: | Code function: | 5_2_0047A0D0 | |
| Source: | Code function: | 5_2_004650DD | |
| Source: | Code function: | 5_2_004650DD | |
| Source: | Code function: | 5_2_004760F0 | |
| Source: | Code function: | 5_2_004760F0 | |
| Source: | Code function: | 5_2_0047B0F9 | |
| Source: | Code function: | 5_2_0046A0A0 | |
| Source: | Code function: | 5_2_004790BA | |
| Source: | Code function: | 5_2_0045A950 | |
| Source: | Code function: | 5_2_00473960 | |
| Source: | Code function: | 5_2_00467175 | |
| Source: | Code function: | 5_2_00467175 | |
| Source: | Code function: | 5_2_00455970 | |
| Source: | Code function: | 5_2_00455970 | |
| Source: | Code function: | 5_2_0046F100 | |
| Source: | Code function: | 5_2_0047B12E | |
| Source: | Code function: | 5_2_0048C930 | |
| Source: | Code function: | 5_2_004529C0 | |
| Source: | Code function: | 5_2_00478716 | |
| Source: | Code function: | 5_2_004781FB | |
| Source: | Code function: | 5_2_00489A60 | |
| Source: | Code function: | 5_2_0048C271 | |
| Source: | Code function: | 5_2_00477AAF | |
| Source: | Code function: | 5_2_00479B50 | |
| Source: | Code function: | 5_2_0048CB20 | |
| Source: | Code function: | 5_2_0048CBC0 | |
| Source: | Code function: | 5_2_00479BF0 | |
| Source: | Code function: | 5_2_00489B90 | |
| Source: | Code function: | 5_2_00473C00 | |
| Source: | Code function: | 5_2_0048BCCB | |
| Source: | Code function: | 5_2_004574D0 | |
| Source: | Code function: | 5_2_004574D0 | |
| Source: | Code function: | 5_2_0047B4EE | |
| Source: | Code function: | 5_2_00459490 | |
| Source: | Code function: | 5_2_0047B4A5 | |
| Source: | Code function: | 5_2_004834B0 | |
| Source: | Code function: | 5_2_0048DD00 | |
| Source: | Code function: | 5_2_0047151B | |
| Source: | Code function: | 5_2_00473DA0 | |
| Source: | Code function: | 5_2_00486600 | |
| Source: | Code function: | 5_2_0047760D | |
| Source: | Code function: | 5_2_00466628 | |
| Source: | Code function: | 5_2_00473E32 | |
| Source: | Code function: | 5_2_00473E32 | |
| Source: | Code function: | 5_2_00473E32 | |
| Source: | Code function: | 5_2_00489EF0 | |
| Source: | Code function: | 5_2_00489EF0 | |
| Source: | Code function: | 5_2_00489EF0 | |
| Source: | Code function: | 5_2_00471E80 | |
| Source: | Code function: | 5_2_00464752 | |
| Source: | Code function: | 5_2_0048BF6A | |
| Source: | Code function: | 5_2_0046E770 | |
| Source: | Code function: | 5_2_00478716 | |
| Source: | Code function: | 5_2_0048D7C0 | |
| Source: | Code function: | 5_2_00477FD1 | |
| Source: | Code function: | 5_2_004767EF | |
| Source: | Code function: | 5_2_004767EF | |
| Source: | Code function: | 5_2_0046C78C | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 5_2_00481190 | |
| Source: | Code function: | 5_2_00481190 | |
| Source: | Code function: | 5_2_004817B8 | |
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Code function: | 5_2_0047B824 | |
| Source: | Code function: | 5_2_00465890 | |
| Source: | Code function: | 5_2_00486950 | |
| Source: | Code function: | 5_2_0048DA40 | |
| Source: | Code function: | 5_2_0046CA00 | |
| Source: | Code function: | 5_2_0045DA13 | |
| Source: | Code function: | 5_2_004732A0 | |
| Source: | Code function: | 5_2_0048E3C0 | |
| Source: | Code function: | 5_2_004623E0 | |
| Source: | Code function: | 5_2_00487500 | |
| Source: | Code function: | 5_2_00475E00 | |
| Source: | Code function: | 5_2_00471620 | |
| Source: | Code function: | 5_2_0045AEC0 | |
| Source: | Code function: | 5_2_004897E0 | |
| Source: | Code function: | 5_2_0046F790 | |
| Source: | Code function: | 5_2_0048E040 | |
| Source: | Code function: | 5_2_00462058 | |
| Source: | Code function: | 5_2_00461876 | |
| Source: | Code function: | 5_2_00469804 | |
| Source: | Code function: | 5_2_0048C820 | |
| Source: | Code function: | 5_2_0047C82E | |
| Source: | Code function: | 5_2_0047C8C9 | |
| Source: | Code function: | 5_2_004590D0 | |
| Source: | Code function: | 5_2_004650DD | |
| Source: | Code function: | 5_2_0046E0E0 | |
| Source: | Code function: | 5_2_004760F0 | |
| Source: | Code function: | 5_2_0048408D | |
| Source: | Code function: | 5_2_0046A0A0 | |
| Source: | Code function: | 5_2_004790BA | |
| Source: | Code function: | 5_2_0045A950 | |
| Source: | Code function: | 5_2_00473960 | |
| Source: | Code function: | 5_2_00486160 | |
| Source: | Code function: | 5_2_00467175 | |
| Source: | Code function: | 5_2_00455970 | |
| Source: | Code function: | 5_2_0047B81F | |
| Source: | Code function: | 5_2_00453930 | |
| Source: | Code function: | 5_2_0048C930 | |
| Source: | Code function: | 5_2_0047C93D | |
| Source: | Code function: | 5_2_00478716 | |
| Source: | Code function: | 5_2_004721F0 | |
| Source: | Code function: | 5_2_004781FB | |
| Source: | Code function: | 5_2_0046D190 | |
| Source: | Code function: | 5_2_00458250 | |
| Source: | Code function: | 5_2_00456260 | |
| Source: | Code function: | 5_2_0048C271 | |
| Source: | Code function: | 5_2_0046DA00 | |
| Source: | Code function: | 5_2_00484A23 | |
| Source: | Code function: | 5_2_0045D2C3 | |
| Source: | Code function: | 5_2_004542E0 | |
| Source: | Code function: | 5_2_00487290 | |
| Source: | Code function: | 5_2_00487B60 | |
| Source: | Code function: | 5_2_0048CB20 | |
| Source: | Code function: | 5_2_00467BC3 | |
| Source: | Code function: | 5_2_0048CBC0 | |
| Source: | Code function: | 5_2_004753D0 | |
| Source: | Code function: | 5_2_00479BF0 | |
| Source: | Code function: | 5_2_0048538D | |
| Source: | Code function: | 5_2_00468C46 | |
| Source: | Code function: | 5_2_00489C40 | |
| Source: | Code function: | 5_2_00466C76 | |
| Source: | Code function: | 5_2_00473C00 | |
| Source: | Code function: | 5_2_00454C10 | |
| Source: | Code function: | 5_2_00476C35 | |
| Source: | Code function: | 5_2_004574D0 | |
| Source: | Code function: | 5_2_0046DCD0 | |
| Source: | Code function: | 5_2_0047B4EE | |
| Source: | Code function: | 5_2_0046C492 | |
| Source: | Code function: | 5_2_0045EC90 | |
| Source: | Code function: | 5_2_00459490 | |
| Source: | Code function: | 5_2_0046849D | |
| Source: | Code function: | 5_2_0047CCB9 | |
| Source: | Code function: | 5_2_0046E500 | |
| Source: | Code function: | 5_2_0048DD00 | |
| Source: | Code function: | 5_2_0046B510 | |
| Source: | Code function: | 5_2_00480D10 | |
| Source: | Code function: | 5_2_00487D29 | |
| Source: | Code function: | 5_2_00464DAF | |
| Source: | Code function: | 5_2_0047F640 | |
| Source: | Code function: | 5_2_0047760D | |
| Source: | Code function: | 5_2_00466628 | |
| Source: | Code function: | 5_2_00473E32 | |
| Source: | Code function: | 5_2_00455EC0 | |
| Source: | Code function: | 5_2_00465EEF | |
| Source: | Code function: | 5_2_004566F0 | |
| Source: | Code function: | 5_2_00489EF0 | |
| Source: | Code function: | 5_2_00480F40 | |
| Source: | Code function: | 5_2_00464752 | |
| Source: | Code function: | 5_2_0046E770 | |
| Source: | Code function: | 5_2_00452F00 | |
| Source: | Code function: | 5_2_00485F00 | |
| Source: | Code function: | 5_2_00478716 | |
| Source: | Code function: | 5_2_00475730 | |
| Source: | Code function: | 5_2_004687C1 | |
| Source: | Code function: | 5_2_004767EF | |
| Source: | Code function: | 5_2_00476F8F | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Process created: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Classification label: | ||
| Source: | Code function: | 5_2_00486950 | |
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | System information queried: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | ReversingLabs: | ||
| Source: | Virustotal: | ||
| Source: | String found in binary or memory: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 5_2_00489B9E | |
| Source: | Code function: | 5_2_0048C7B4 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | System information queried: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 5_2_0048AFD0 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 Software | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 311 Process Injection | 1 Modify Registry | 2 OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Virtualization/Sandbox Evasion | LSASS Memory | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 311 Process Injection | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | 41 Data from Local System | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Deobfuscate/Decode Files or Information | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | 2 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | 23 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 68% | ReversingLabs | Win32.Trojan.LummaStealer | ||
| 43% | Virustotal | Browse |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| cycahao.shop | 172.67.135.139 | true | true | unknown | |
| kliptizq.shop | unknown | unknown | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high | ||
| true |
| unknown | |
| false | high | ||
| false | high | ||
| false | high | ||
| true |
| unknown | |
| false | high | ||
| false | high | ||
| false | high | ||
| false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 172.67.135.139 | cycahao.shop | United States | 13335 | CLOUDFLARENETUS | true |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1581196 |
| Start date and time: | 2024-12-27 08:19:12 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 1s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 7 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | 6wFwugeLNG.exerenamed because original name is a hash value |
| Original Sample Name: | 16b7635bd33367d455f26adc148dbfc3.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@6/0@2/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
- Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target 6wFwugeLNG.exe, PID 2792 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
| Time | Type | Description |
|---|---|---|
| 02:20:32 | API Interceptor |
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| cycahao.shop | Get hash | malicious | LummaC | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Vidar | Browse |
| ||
| Get hash | malicious | Vidar | Browse |
| ||
| Get hash | malicious | Vidar | Browse |
| ||
| Get hash | malicious | Vidar | Browse |
| ||
| Get hash | malicious | CredGrabber, Meduza Stealer | Browse |
| ||
| Get hash | malicious | CredGrabber, Meduza Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Gozi, Ursnif | Browse |
| ||
| Get hash | malicious | NetSupport RAT, LummaC, LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
|
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 4.238731288797472 |
| TrID: |
|
| File name: | 6wFwugeLNG.exe |
| File size: | 11'141'120 bytes |
| MD5: | 16b7635bd33367d455f26adc148dbfc3 |
| SHA1: | 0ae5aa47351d1732e9a851761ac91796364e5f53 |
| SHA256: | 5f6e9e2cb25c557c1bc5ec4d56a4d3859a06d2d70dbccff887aa7cf115a91f98 |
| SHA512: | d4c050b5a7aae6bbf8aa176b640c0ca072308283419b9bbad9ef217e37d5da5079b0e439657b71966768bf03e39344d797823f6e9f117b0ae8768b252c24b0f4 |
| SSDEEP: | 98304:leKwA2N3ZL8ciDlpOzI0KnOddh7vtNEzUmMLm/n:MI2N3ZgcK0KnOd70n |
| TLSH: | 83B63880F9DB04B5EA03183144A7A23F27345E058F24CB97FA5C7F5AEB77BA24932549 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........._..............P-..........I....... Z...@..........................Pd......^a...@................................ |
 | |
| Icon Hash: | 3b6120282c4c5a1f |
| Entrypoint: | 0x4649c0 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x0 [Thu Jan 1 00:00:00 1970 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 1 |
| File Version Major: | 6 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 1 |
| Import Hash: | 9cbefe68f395e67356e2a5d8d1b285c0 |
| Instruction |
|---|
| jmp 00007F60F4B0AC50h |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| mov ecx, dword ptr [esp+04h] |
| sub esp, 28h |
| mov dword ptr [esp+1Ch], ebx |
| mov dword ptr [esp+10h], ebp |
| mov dword ptr [esp+14h], esi |
| mov dword ptr [esp+18h], edi |
| mov esi, eax |
| mov edx, dword ptr fs:[00000014h] |
| cmp edx, 00000000h |
| jne 00007F60F4B0CFA9h |
| mov eax, 00000000h |
| jmp 00007F60F4B0D006h |
| mov edx, dword ptr [edx+00000000h] |
| cmp edx, 00000000h |
| jne 00007F60F4B0CFA7h |
| call 00007F60F4B0D099h |
| mov dword ptr [esp+20h], edx |
| mov dword ptr [esp+24h], esp |
| mov ebx, dword ptr [edx+18h] |
| mov ebx, dword ptr [ebx] |
| cmp edx, ebx |
| je 00007F60F4B0CFBAh |
| mov ebp, dword ptr fs:[00000014h] |
| mov dword ptr [ebp+00000000h], ebx |
| mov edi, dword ptr [ebx+1Ch] |
| sub edi, 28h |
| mov dword ptr [edi+24h], esp |
| mov esp, edi |
| mov ebx, dword ptr [ecx] |
| mov ecx, dword ptr [ecx+04h] |
| mov dword ptr [esp], ebx |
| mov dword ptr [esp+04h], ecx |
| mov dword ptr [esp+08h], edx |
| call esi |
| mov eax, dword ptr [esp+0Ch] |
| mov esp, dword ptr [esp+24h] |
| mov edx, dword ptr [esp+20h] |
| mov ebp, dword ptr fs:[00000014h] |
| mov dword ptr [ebp+00000000h], edx |
| mov edi, dword ptr [esp+18h] |
| mov esi, dword ptr [esp+14h] |
| mov ebp, dword ptr [esp+10h] |
| mov ebx, dword ptr [esp+1Ch] |
| add esp, 28h |
| retn 0004h |
| ret |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| mov ecx, dword ptr [esp+04h] |
| mov edx, dword ptr [ecx] |
| mov eax, esp |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x60b000 | 0x3dc | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x630000 | 0x14c70 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x60c000 | 0x220e8 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x5a2820 | 0xa0 | .data |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x2d4e55 | 0x2d5000 | fb70d63baa5757045e50ced4a260cd96 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x2d6000 | 0x2cb920 | 0x2cba00 | 670ac2b218d478936498cd3952bfa6ca | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x5a2000 | 0x68628 | 0x39a00 | 93e15d48bdc8d14d6719de73da1d18d4 | False | 0.4503626626898048 | data | 5.675197947212246 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0x60b000 | 0x3dc | 0x400 | 316e6960f94a1dea81def2338192ea7c | False | 0.490234375 | data | 4.663264085783635 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .reloc | 0x60c000 | 0x220e8 | 0x22200 | 5632af940e650855b9a9e92288b55e3b | False | 0.6016268887362637 | data | 6.6582272277435255 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| .symtab | 0x62f000 | 0x4 | 0x200 | 07b5472d347d42780469fb2654b7fc54 | False | 0.02734375 | data | 0.020393135236084953 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x630000 | 0x14c70 | 0x14e00 | ed361b80b11277fa9c4dfe801f8bd6b1 | False | 0.8335399513473054 | data | 7.4262992221870086 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x6302f4 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.3225609756097561 |
| RT_ICON | 0x63095c | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.41263440860215056 |
| RT_ICON | 0x630c44 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.5574324324324325 |
| RT_ICON | 0x630d6c | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.6223347547974414 |
| RT_ICON | 0x631c14 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.7369133574007221 |
| RT_ICON | 0x6324bc | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.3829479768786127 |
| RT_ICON | 0x632a24 | 0xd9d2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 1.0004662673505254 |
| RT_ICON | 0x6403f8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5300829875518672 |
| RT_ICON | 0x6429a0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.6137429643527205 |
| RT_ICON | 0x643a48 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.425531914893617 |
| RT_GROUP_ICON | 0x643eb0 | 0x92 | data | English | United States | 0.6438356164383562 |
| RT_VERSION | 0x643f44 | 0x584 | data | English | United States | 0.26912181303116145 |
| RT_MANIFEST | 0x6444c8 | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163 |
| DLL | Import |
|---|---|
| kernel32.dll | WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-27T08:20:31.189614+0100 | 2058277 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cycahao .shop) | 1 | 192.168.2.6 | 56750 | 1.1.1.1 | 53 | UDP |
| 2024-12-27T08:20:32.744504+0100 | 2058278 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (cycahao .shop in TLS SNI) | 1 | 192.168.2.6 | 49754 | 172.67.135.139 | 443 | TCP |
| 2024-12-27T08:20:32.744504+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49754 | 172.67.135.139 | 443 | TCP |
| 2024-12-27T08:20:33.446130+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.6 | 49754 | 172.67.135.139 | 443 | TCP |
| 2024-12-27T08:20:33.446130+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49754 | 172.67.135.139 | 443 | TCP |
| 2024-12-27T08:20:34.720753+0100 | 2058278 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (cycahao .shop in TLS SNI) | 1 | 192.168.2.6 | 49761 | 172.67.135.139 | 443 | TCP |
| 2024-12-27T08:20:34.720753+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49761 | 172.67.135.139 | 443 | TCP |
| 2024-12-27T08:20:35.533896+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.6 | 49761 | 172.67.135.139 | 443 | TCP |
| 2024-12-27T08:20:35.533896+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49761 | 172.67.135.139 | 443 | TCP |
| 2024-12-27T08:20:37.107387+0100 | 2058278 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (cycahao .shop in TLS SNI) | 1 | 192.168.2.6 | 49767 | 172.67.135.139 | 443 | TCP |
| 2024-12-27T08:20:37.107387+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49767 | 172.67.135.139 | 443 | TCP |
| 2024-12-27T08:20:39.415938+0100 | 2058278 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (cycahao .shop in TLS SNI) | 1 | 192.168.2.6 | 49773 | 172.67.135.139 | 443 | TCP |
| 2024-12-27T08:20:39.415938+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49773 | 172.67.135.139 | 443 | TCP |
| 2024-12-27T08:20:41.713969+0100 | 2058278 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (cycahao .shop in TLS SNI) | 1 | 192.168.2.6 | 49779 | 172.67.135.139 | 443 | TCP |
| 2024-12-27T08:20:41.713969+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49779 | 172.67.135.139 | 443 | TCP |
| 2024-12-27T08:20:44.156009+0100 | 2058278 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (cycahao .shop in TLS SNI) | 1 | 192.168.2.6 | 49785 | 172.67.135.139 | 443 | TCP |
| 2024-12-27T08:20:44.156009+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49785 | 172.67.135.139 | 443 | TCP |
| 2024-12-27T08:20:44.906387+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.6 | 49785 | 172.67.135.139 | 443 | TCP |
| 2024-12-27T08:20:46.581923+0100 | 2058278 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (cycahao .shop in TLS SNI) | 1 | 192.168.2.6 | 49791 | 172.67.135.139 | 443 | TCP |
| 2024-12-27T08:20:46.581923+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49791 | 172.67.135.139 | 443 | TCP |
| 2024-12-27T08:20:50.072641+0100 | 2058278 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (cycahao .shop in TLS SNI) | 1 | 192.168.2.6 | 49801 | 172.67.135.139 | 443 | TCP |
| 2024-12-27T08:20:50.072641+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49801 | 172.67.135.139 | 443 | TCP |
| 2024-12-27T08:20:50.846469+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49801 | 172.67.135.139 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 27, 2024 08:20:31.513531923 CET | 49754 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:31.513575077 CET | 443 | 49754 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:31.513676882 CET | 49754 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:31.516716957 CET | 49754 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:31.516731024 CET | 443 | 49754 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:32.744426012 CET | 443 | 49754 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:32.744503975 CET | 49754 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:32.748336077 CET | 49754 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:32.748349905 CET | 443 | 49754 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:32.748603106 CET | 443 | 49754 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:32.794840097 CET | 49754 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:32.794877052 CET | 49754 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:32.794960976 CET | 443 | 49754 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:33.446147919 CET | 443 | 49754 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:33.446274996 CET | 443 | 49754 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:33.446336031 CET | 49754 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:33.448318958 CET | 49754 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:33.448338985 CET | 443 | 49754 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:33.448350906 CET | 49754 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:33.448355913 CET | 443 | 49754 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:33.509329081 CET | 49761 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:33.509363890 CET | 443 | 49761 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:33.509433985 CET | 49761 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:33.509726048 CET | 49761 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:33.509737968 CET | 443 | 49761 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:34.720675945 CET | 443 | 49761 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:34.720752954 CET | 49761 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:34.721872091 CET | 49761 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:34.721880913 CET | 443 | 49761 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:34.722127914 CET | 443 | 49761 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:34.723299026 CET | 49761 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:34.723330975 CET | 49761 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:34.723385096 CET | 443 | 49761 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:35.533900023 CET | 443 | 49761 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:35.533958912 CET | 443 | 49761 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:35.533998966 CET | 443 | 49761 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:35.534010887 CET | 49761 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:35.534048080 CET | 443 | 49761 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:35.534085989 CET | 49761 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:35.534086943 CET | 443 | 49761 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:35.534101009 CET | 443 | 49761 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:35.534148932 CET | 49761 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:35.534156084 CET | 443 | 49761 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:35.543443918 CET | 443 | 49761 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:35.543490887 CET | 49761 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:35.543498993 CET | 443 | 49761 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:35.551768064 CET | 443 | 49761 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:35.551821947 CET | 49761 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:35.551830053 CET | 443 | 49761 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:35.593363047 CET | 49761 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:35.593377113 CET | 443 | 49761 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:35.640275002 CET | 49761 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:35.725630045 CET | 443 | 49761 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:35.729789019 CET | 443 | 49761 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:35.729854107 CET | 49761 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:35.729870081 CET | 443 | 49761 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:35.730047941 CET | 443 | 49761 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:35.730098963 CET | 49761 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:35.730104923 CET | 443 | 49761 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:35.730149984 CET | 443 | 49761 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:35.730197906 CET | 49761 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:35.730259895 CET | 49761 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:35.730283022 CET | 443 | 49761 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:35.730293036 CET | 49761 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:35.730298996 CET | 443 | 49761 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:35.849680901 CET | 49767 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:35.849731922 CET | 443 | 49767 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:35.849855900 CET | 49767 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:35.850152969 CET | 49767 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:35.850167036 CET | 443 | 49767 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:37.107300997 CET | 443 | 49767 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:37.107387066 CET | 49767 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:37.108697891 CET | 49767 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:37.108704090 CET | 443 | 49767 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:37.108938932 CET | 443 | 49767 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:37.110656977 CET | 49767 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:37.110774040 CET | 49767 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:37.110806942 CET | 443 | 49767 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:37.931690931 CET | 443 | 49767 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:37.931792021 CET | 443 | 49767 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:37.931868076 CET | 49767 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:37.932008028 CET | 49767 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:37.932018995 CET | 443 | 49767 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:38.055432081 CET | 49773 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:38.055475950 CET | 443 | 49773 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:38.055546045 CET | 49773 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:38.055896997 CET | 49773 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:38.055907965 CET | 443 | 49773 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:39.415868998 CET | 443 | 49773 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:39.415937901 CET | 49773 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:39.417216063 CET | 49773 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:39.417228937 CET | 443 | 49773 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:39.417447090 CET | 443 | 49773 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:39.418689966 CET | 49773 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:39.418826103 CET | 49773 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:39.418848991 CET | 443 | 49773 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:39.418906927 CET | 49773 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:39.418911934 CET | 443 | 49773 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:40.227823973 CET | 443 | 49773 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:40.227910042 CET | 443 | 49773 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:40.228107929 CET | 49773 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:40.228122950 CET | 49773 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:40.452939987 CET | 49779 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:40.452977896 CET | 443 | 49779 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:40.453066111 CET | 49779 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:40.453430891 CET | 49779 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:40.453447104 CET | 443 | 49779 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:41.713898897 CET | 443 | 49779 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:41.713968992 CET | 49779 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:41.715305090 CET | 49779 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:41.715320110 CET | 443 | 49779 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:41.715553045 CET | 443 | 49779 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:41.716696024 CET | 49779 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:41.717051029 CET | 49779 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:41.717072010 CET | 443 | 49779 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:41.717129946 CET | 49779 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:41.717135906 CET | 443 | 49779 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:42.606658936 CET | 443 | 49779 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:42.606785059 CET | 443 | 49779 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:42.606848001 CET | 49779 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:42.606986046 CET | 49779 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:42.607002020 CET | 443 | 49779 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:42.828325987 CET | 49785 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:42.828358889 CET | 443 | 49785 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:42.828460932 CET | 49785 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:42.828727961 CET | 49785 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:42.828744888 CET | 443 | 49785 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:44.155941963 CET | 443 | 49785 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:44.156008959 CET | 49785 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:44.157394886 CET | 49785 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:44.157399893 CET | 443 | 49785 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:44.157617092 CET | 443 | 49785 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:44.159008026 CET | 49785 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:44.159102917 CET | 49785 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:44.159107924 CET | 443 | 49785 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:44.906394958 CET | 443 | 49785 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:44.906485081 CET | 443 | 49785 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:44.906546116 CET | 49785 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:44.906649113 CET | 49785 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:44.906663895 CET | 443 | 49785 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:45.369602919 CET | 49791 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:45.369662046 CET | 443 | 49791 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:45.369760036 CET | 49791 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:45.370138884 CET | 49791 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:45.370171070 CET | 443 | 49791 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:46.581720114 CET | 443 | 49791 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:46.581923008 CET | 49791 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:46.583044052 CET | 49791 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:46.583058119 CET | 443 | 49791 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:46.583302021 CET | 443 | 49791 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:46.592448950 CET | 49791 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:46.593169928 CET | 49791 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:46.593209028 CET | 443 | 49791 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:46.593301058 CET | 49791 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:46.593333960 CET | 443 | 49791 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:46.593445063 CET | 49791 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:46.593486071 CET | 443 | 49791 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:46.593596935 CET | 49791 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:46.593627930 CET | 443 | 49791 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:46.593713999 CET | 49791 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:46.593744040 CET | 443 | 49791 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:46.593871117 CET | 49791 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:46.593897104 CET | 443 | 49791 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:46.593904972 CET | 49791 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:46.594036102 CET | 49791 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:46.594064951 CET | 49791 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:46.639333963 CET | 443 | 49791 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:46.639507055 CET | 49791 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:46.639540911 CET | 49791 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:46.639548063 CET | 49791 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:46.687381983 CET | 443 | 49791 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:46.687596083 CET | 49791 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:46.687647104 CET | 49791 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:46.687669992 CET | 49791 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:46.731332064 CET | 443 | 49791 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:46.731436014 CET | 49791 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:46.775338888 CET | 443 | 49791 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:46.952884912 CET | 443 | 49791 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:48.754611015 CET | 443 | 49791 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:48.754724979 CET | 443 | 49791 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:48.754817009 CET | 49791 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:48.759172916 CET | 49791 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:48.759196043 CET | 443 | 49791 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:48.768770933 CET | 49801 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:48.768805981 CET | 443 | 49801 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:48.768872023 CET | 49801 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:48.769167900 CET | 49801 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:48.769186974 CET | 443 | 49801 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:50.072513103 CET | 443 | 49801 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:50.072640896 CET | 49801 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:50.073941946 CET | 49801 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:50.073955059 CET | 443 | 49801 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:50.074481964 CET | 443 | 49801 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:50.077554941 CET | 49801 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:50.077574015 CET | 49801 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:50.077645063 CET | 443 | 49801 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:50.846494913 CET | 443 | 49801 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:50.846601963 CET | 443 | 49801 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:50.846664906 CET | 49801 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:50.846854925 CET | 49801 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:50.846868992 CET | 443 | 49801 | 172.67.135.139 | 192.168.2.6 |
| Dec 27, 2024 08:20:50.846879959 CET | 49801 | 443 | 192.168.2.6 | 172.67.135.139 |
| Dec 27, 2024 08:20:50.846887112 CET | 443 | 49801 | 172.67.135.139 | 192.168.2.6 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 27, 2024 08:20:31.189614058 CET | 56750 | 53 | 192.168.2.6 | 1.1.1.1 |
| Dec 27, 2024 08:20:31.508225918 CET | 53 | 56750 | 1.1.1.1 | 192.168.2.6 |
| Dec 27, 2024 08:20:50.848031998 CET | 58370 | 53 | 192.168.2.6 | 1.1.1.1 |
| Dec 27, 2024 08:20:51.070208073 CET | 53 | 58370 | 1.1.1.1 | 192.168.2.6 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Dec 27, 2024 08:20:31.189614058 CET | 192.168.2.6 | 1.1.1.1 | 0x67c6 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Dec 27, 2024 08:20:50.848031998 CET | 192.168.2.6 | 1.1.1.1 | 0x3fa7 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Dec 27, 2024 08:20:31.508225918 CET | 1.1.1.1 | 192.168.2.6 | 0x67c6 | No error (0) | 172.67.135.139 | A (IP address) | IN (0x0001) | false | ||
| Dec 27, 2024 08:20:31.508225918 CET | 1.1.1.1 | 192.168.2.6 | 0x67c6 | No error (0) | 104.21.7.3 | A (IP address) | IN (0x0001) | false | ||
| Dec 27, 2024 08:20:51.070208073 CET | 1.1.1.1 | 192.168.2.6 | 0x3fa7 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.6 | 49754 | 172.67.135.139 | 443 | 612 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-27 07:20:32 UTC | 259 | OUT | |
| 2024-12-27 07:20:32 UTC | 8 | OUT | |
| 2024-12-27 07:20:33 UTC | 1042 | IN | |
| 2024-12-27 07:20:33 UTC | 7 | IN | |
| 2024-12-27 07:20:33 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.6 | 49761 | 172.67.135.139 | 443 | 612 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-27 07:20:34 UTC | 260 | OUT | |
| 2024-12-27 07:20:34 UTC | 78 | OUT | |
| 2024-12-27 07:20:35 UTC | 1026 | IN | |
| 2024-12-27 07:20:35 UTC | 343 | IN | |
| 2024-12-27 07:20:35 UTC | 1369 | IN | |
| 2024-12-27 07:20:35 UTC | 1369 | IN | |
| 2024-12-27 07:20:35 UTC | 1369 | IN | |
| 2024-12-27 07:20:35 UTC | 1369 | IN | |
| 2024-12-27 07:20:35 UTC | 1369 | IN | |
| 2024-12-27 07:20:35 UTC | 1369 | IN | |
| 2024-12-27 07:20:35 UTC | 1369 | IN | |
| 2024-12-27 07:20:35 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.6 | 49767 | 172.67.135.139 | 443 | 612 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-27 07:20:37 UTC | 275 | OUT | |
| 2024-12-27 07:20:37 UTC | 12840 | OUT | |
| 2024-12-27 07:20:37 UTC | 1039 | IN | |
| 2024-12-27 07:20:37 UTC | 20 | IN | |
| 2024-12-27 07:20:37 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.6 | 49773 | 172.67.135.139 | 443 | 612 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-27 07:20:39 UTC | 278 | OUT | |
| 2024-12-27 07:20:39 UTC | 15104 | OUT | |
| 2024-12-27 07:20:40 UTC | 1031 | IN | |
| 2024-12-27 07:20:40 UTC | 20 | IN | |
| 2024-12-27 07:20:40 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.6 | 49779 | 172.67.135.139 | 443 | 612 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-27 07:20:41 UTC | 276 | OUT | |
| 2024-12-27 07:20:41 UTC | 15331 | OUT | |
| 2024-12-27 07:20:41 UTC | 4619 | OUT | |
| 2024-12-27 07:20:42 UTC | 1036 | IN | |
| 2024-12-27 07:20:42 UTC | 20 | IN | |
| 2024-12-27 07:20:42 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.6 | 49785 | 172.67.135.139 | 443 | 612 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-27 07:20:44 UTC | 273 | OUT | |
| 2024-12-27 07:20:44 UTC | 1203 | OUT | |
| 2024-12-27 07:20:44 UTC | 1030 | IN | |
| 2024-12-27 07:20:44 UTC | 20 | IN | |
| 2024-12-27 07:20:44 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.6 | 49791 | 172.67.135.139 | 443 | 612 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-27 07:20:46 UTC | 269 | OUT | |
| 2024-12-27 07:20:46 UTC | 15331 | OUT | |
| 2024-12-27 07:20:46 UTC | 15331 | OUT | |
| 2024-12-27 07:20:46 UTC | 15331 | OUT | |
| 2024-12-27 07:20:46 UTC | 15331 | OUT | |
| 2024-12-27 07:20:46 UTC | 15331 | OUT | |
| 2024-12-27 07:20:46 UTC | 15331 | OUT | |
| 2024-12-27 07:20:46 UTC | 15331 | OUT | |
| 2024-12-27 07:20:46 UTC | 15331 | OUT | |
| 2024-12-27 07:20:46 UTC | 15331 | OUT | |
| 2024-12-27 07:20:46 UTC | 15331 | OUT | |
| 2024-12-27 07:20:48 UTC | 1040 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.6 | 49801 | 172.67.135.139 | 443 | 612 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-27 07:20:50 UTC | 261 | OUT | |
| 2024-12-27 07:20:50 UTC | 113 | OUT | |
| 2024-12-27 07:20:50 UTC | 1033 | IN | |
| 2024-12-27 07:20:50 UTC | 138 | IN | |
| 2024-12-27 07:20:50 UTC | 5 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 02:20:04 |
| Start date: | 27/12/2024 |
| Path: | C:\Users\user\Desktop\6wFwugeLNG.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xf40000 |
| File size: | 11'141'120 bytes |
| MD5 hash: | 16B7635BD33367D455F26ADC148DBFC3 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 02:20:14 |
| Start date: | 27/12/2024 |
| Path: | C:\Windows\SysWOW64\reg.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x2a0000 |
| File size: | 59'392 bytes |
| MD5 hash: | CDD462E86EC0F20DE2A1D781928B1B0C |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 02:20:14 |
| Start date: | 27/12/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff66e660000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 5 |
| Start time: | 02:20:26 |
| Start date: | 27/12/2024 |
| Path: | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x930000 |
| File size: | 231'736 bytes |
| MD5 hash: | A64BEAB5D4516BECA4C40B25DC0C1CD8 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
Function 00F73540 Relevance: 11.4, Strings: 9, Instructions: 172COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F83660 Relevance: 5.1, Strings: 4, Instructions: 81COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 9.2% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 76.9% |
| Total number of Nodes: | 303 |
| Total number of Limit Nodes: | 23 |
Graph
Function 004623E0 Relevance: 96.8, Strings: 76, Instructions: 1838COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00486950 Relevance: 35.8, APIs: 11, Strings: 9, Instructions: 762memorycomCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045AEC0 Relevance: 18.0, Strings: 14, Instructions: 485COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00471620 Relevance: 13.0, Strings: 10, Instructions: 550COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0046CA00 Relevance: 4.4, Strings: 3, Instructions: 619COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0048E3C0 Relevance: 1.6, Strings: 1, Instructions: 336COMMON
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0048AFD0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0048D3C0 Relevance: 1.4, Strings: 1, Instructions: 157COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0047C67D Relevance: 1.4, Strings: 1, Instructions: 108COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0046F790 Relevance: .6, Instructions: 630COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00487500 Relevance: .5, Instructions: 457COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00475E00 Relevance: .3, Instructions: 257COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0048DA40 Relevance: .3, Instructions: 255COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004897E0 Relevance: .2, Instructions: 215COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045E6F2 Relevance: .2, Instructions: 164COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0048D640 Relevance: .2, Instructions: 151COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045C4C6 Relevance: .1, Instructions: 76COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004587B0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 31threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0048AF60 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004897A0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00485E5D Relevance: 1.5, APIs: 1, Instructions: 42COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0047E6F6 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00480485 Relevance: 1.5, APIs: 1, Instructions: 23COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045CBB0 Relevance: 1.5, APIs: 1, Instructions: 18COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045CBE5 Relevance: 1.5, APIs: 1, Instructions: 17COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00489780 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00484A23 Relevance: 56.6, Strings: 45, Instructions: 387COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004590D0 Relevance: 24.1, Strings: 19, Instructions: 363COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00473E32 Relevance: 22.3, Strings: 17, Instructions: 1060COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0048408D Relevance: 20.3, Strings: 16, Instructions: 302COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0048538D Relevance: 20.3, Strings: 16, Instructions: 299COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0046E770 Relevance: 17.0, Strings: 13, Instructions: 750COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00486160 Relevance: 11.5, Strings: 9, Instructions: 259COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00467175 Relevance: 11.0, Strings: 8, Instructions: 979COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045A950 Relevance: 10.4, Strings: 8, Instructions: 436COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00465EEF Relevance: 9.3, Strings: 7, Instructions: 537COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004753D0 Relevance: 7.8, Strings: 6, Instructions: 274COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004781FB Relevance: 6.7, Strings: 5, Instructions: 420COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045D2C3 Relevance: 6.6, Strings: 5, Instructions: 303COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00473960 Relevance: 6.5, Strings: 5, Instructions: 261COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0046C78C Relevance: 6.5, Strings: 5, Instructions: 201COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0047B12E Relevance: 6.4, Strings: 5, Instructions: 172COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0047760D Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 459fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00459490 Relevance: 5.4, Strings: 4, Instructions: 427COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00475730 Relevance: 5.4, Strings: 4, Instructions: 412COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0047B0F9 Relevance: 5.2, Strings: 4, Instructions: 166COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004760F0 Relevance: 4.3, Strings: 3, Instructions: 575COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00469804 Relevance: 4.3, Strings: 3, Instructions: 553COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0046D190 Relevance: 4.2, Strings: 3, Instructions: 438COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004721F0 Relevance: 4.2, Strings: 3, Instructions: 417COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00466C76 Relevance: 4.0, Strings: 3, Instructions: 297COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0047B4EE Relevance: 4.0, Strings: 3, Instructions: 265COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0047C82E Relevance: 4.0, Strings: 3, Instructions: 259COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0047C8C9 Relevance: 4.0, Strings: 3, Instructions: 257COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0047C93D Relevance: 4.0, Strings: 3, Instructions: 256COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0047B4A5 Relevance: 4.0, Strings: 3, Instructions: 251COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0047281D Relevance: 3.9, Strings: 3, Instructions: 149COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00454C10 Relevance: 3.3, Strings: 2, Instructions: 825COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00466628 Relevance: 3.0, Strings: 2, Instructions: 490COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004542E0 Relevance: 2.8, Strings: 2, Instructions: 329COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00471E80 Relevance: 2.8, Strings: 2, Instructions: 320COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00467BC3 Relevance: 2.7, Strings: 2, Instructions: 230COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0048BCCB Relevance: 2.6, Strings: 2, Instructions: 139COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00489EF0 Relevance: 2.0, Strings: 1, Instructions: 708COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004790BA Relevance: 1.8, Strings: 1, Instructions: 586COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00478716 Relevance: 1.7, Strings: 1, Instructions: 477COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0047A0D0 Relevance: 1.7, Strings: 1, Instructions: 402COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00476F8F Relevance: 1.6, Strings: 1, Instructions: 318COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0046DA00 Relevance: 1.5, Strings: 1, Instructions: 268COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00455EC0 Relevance: 1.5, Strings: 1, Instructions: 265COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00473C00 Relevance: 1.5, Strings: 1, Instructions: 206COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00464DAF Relevance: 1.5, Strings: 1, Instructions: 204COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00480D10 Relevance: 1.4, Strings: 1, Instructions: 188COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00477FD1 Relevance: 1.4, Strings: 1, Instructions: 162COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00473DA0 Relevance: 1.4, Strings: 1, Instructions: 149COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0048BF6A Relevance: 1.3, Strings: 1, Instructions: 40COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00452F00 Relevance: .7, Instructions: 683COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00464752 Relevance: .7, Instructions: 675COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004566F0 Relevance: .7, Instructions: 665COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004574D0 Relevance: .6, Instructions: 625COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00461876 Relevance: .6, Instructions: 604COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00453930 Relevance: .6, Instructions: 600COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0048C820 Relevance: .6, Instructions: 598COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00468C46 Relevance: .5, Instructions: 519COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0048C930 Relevance: .5, Instructions: 509COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00487D29 Relevance: .5, Instructions: 476COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00455970 Relevance: .4, Instructions: 449COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045EC90 Relevance: .4, Instructions: 435COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004650DD Relevance: .4, Instructions: 429COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00458250 Relevance: .4, Instructions: 386COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004767EF Relevance: .4, Instructions: 380COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0048CB20 Relevance: .3, Instructions: 346COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004687C1 Relevance: .3, Instructions: 338COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0046DCD0 Relevance: .3, Instructions: 337COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0048E040 Relevance: .3, Instructions: 334COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0048CBC0 Relevance: .3, Instructions: 325COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00476C35 Relevance: .3, Instructions: 308COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0048DD00 Relevance: .3, Instructions: 306COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00456260 Relevance: .3, Instructions: 303COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0046E0E0 Relevance: .3, Instructions: 296COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0046849D Relevance: .3, Instructions: 296COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0046C492 Relevance: .3, Instructions: 281COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00462058 Relevance: .3, Instructions: 278COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0047F640 Relevance: .3, Instructions: 257COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0046E500 Relevance: .2, Instructions: 216COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00480F40 Relevance: .2, Instructions: 214COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00487290 Relevance: .2, Instructions: 210COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00479BF0 Relevance: .2, Instructions: 207COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0046F100 Relevance: .2, Instructions: 204COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00485F00 Relevance: .2, Instructions: 189COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00489C40 Relevance: .2, Instructions: 185COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0046B510 Relevance: .2, Instructions: 181COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004529C0 Relevance: .2, Instructions: 167COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0048D7C0 Relevance: .1, Instructions: 148COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00486600 Relevance: .1, Instructions: 127COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0048C271 Relevance: .1, Instructions: 112COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00489A60 Relevance: .1, Instructions: 105COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00487B60 Relevance: .1, Instructions: 99COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00489B90 Relevance: .1, Instructions: 69COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004834B0 Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00479B50 Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0047151B Relevance: .0, Instructions: 47COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00477AAF Relevance: .0, Instructions: 8COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|