Edit tour
Windows
Analysis Report
Setup.exe
Overview
General Information
| Sample name: | Setup.exe |
| Analysis ID: | 1585372 |
| MD5: | b42457dd108a4b0032a35391be8c1a4e |
| SHA1: | f28ee5d70cd6bbb66351e7fd6da2fe8e22fdbdba |
| SHA256: | 853df9767577da1c0ad5a6589f5b33d61e282675cc0abcae55d24aaf74193623 |
| Tags: | exeLummaStealeruser-aachum |
| Infos: |  |
 | |
Detection
LummaC
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
Setup.exe (PID: 4440 cmdline: "C:\Users\ user\Deskt op\Setup.e xe" MD5: B42457DD108A4B0032A35391BE8C1A4E)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
{"C2 url": ["wholersorie.shop", "noisycuttej.shop", "cloudewahsj.shop", "tirepublicerj.shop", "nearycrepso.shop", "framekgirus.shop", "monkeycutte.cyou", "abruptyopsn.shop", "rabidcowse.shop"], "Build id": "hRjzG3--GAS"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| Windows_Trojan_Donutloader_f40e3759 | unknown | unknown |
| |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-07T15:33:21.220650+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49796 | 188.114.96.3 | 443 | TCP |
| 2025-01-07T15:33:22.442940+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49802 | 188.114.96.3 | 443 | TCP |
| 2025-01-07T15:33:23.996113+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49813 | 188.114.96.3 | 443 | TCP |
| 2025-01-07T15:33:25.650141+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49824 | 188.114.96.3 | 443 | TCP |
| 2025-01-07T15:33:26.862006+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49830 | 188.114.96.3 | 443 | TCP |
| 2025-01-07T15:33:28.305033+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49841 | 188.114.96.3 | 443 | TCP |
| 2025-01-07T15:33:29.329728+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49851 | 188.114.96.3 | 443 | TCP |
| 2025-01-07T15:33:30.283912+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49859 | 188.114.96.3 | 443 | TCP |
| 2025-01-07T15:33:31.545509+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49865 | 185.161.251.21 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-07T15:33:21.977021+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49796 | 188.114.96.3 | 443 | TCP |
| 2025-01-07T15:33:22.939365+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49802 | 188.114.96.3 | 443 | TCP |
| 2025-01-07T15:33:30.771218+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49859 | 188.114.96.3 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-07T15:33:21.977021+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.6 | 49796 | 188.114.96.3 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-07T15:33:22.939365+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.6 | 49802 | 188.114.96.3 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-07T15:33:25.060322+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49813 | 188.114.96.3 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 0_2_004667C0 | |
| Source: | Code function: | 0_2_00466C3C | |
| Source: | Code function: | 0_2_0049AD48 | |
| Source: | Code function: | 0_2_00465248 | |
| Source: | Code function: | 0_2_0045562C | |
| Source: | Code function: | 0_2_0047777C | |
| Source: | Code function: | 0_2_0317E31A | |
| Source: | Code function: | 0_2_0317E31A | |
| Source: | Code function: | 0_2_031843BA | |
| Source: | Code function: | 0_2_031503E4 | |
| Source: | Code function: | 0_2_0315A25A | |
| Source: | Code function: | 0_2_0317E246 | |
| Source: | Code function: | 0_2_03150242 | |
| Source: | Code function: | 0_2_0316124A | |
| Source: | Code function: | 0_2_0316A2DA | |
| Source: | Code function: | 0_2_0316B2E6 | |
| Source: | Code function: | 0_2_0316A251 | |
| Source: | Code function: | 0_2_03182169 | |
| Source: | Code function: | 0_2_031711BD | |
| Source: | Code function: | 0_2_031721DF | |
| Source: | Code function: | 0_2_03173057 | |
| Source: | Code function: | 0_2_0316B099 | |
| Source: | Code function: | 0_2_0314C08D | |
| Source: | Code function: | 0_2_031570C8 | |
| Source: | Code function: | 0_2_0314E715 | |
| Source: | Code function: | 0_2_0317E70A | |
| Source: | Code function: | 0_2_0318175A | |
| Source: | Code function: | 0_2_0315879C | |
| Source: | Code function: | 0_2_0315879C | |
| Source: | Code function: | 0_2_0316167A | |
| Source: | Code function: | 0_2_0316E66A | |
| Source: | Code function: | 0_2_031836CA | |
| Source: | Code function: | 0_2_0315D6FB | |
| Source: | Code function: | 0_2_0315D6FB | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Process Stats: | ||
| Source: | Code function: | 0_2_00423A90 | |
| Source: | Code function: | 0_2_0044C328 | |
| Source: | Code function: | 0_2_004303D4 | |
| Source: | Code function: | 0_2_004125DC | |
| Source: | Code function: | 0_2_004125AD | |
| Source: | Code function: | 0_2_0047AC70 | |
| Source: | Code function: | 0_2_0042F230 | |
| Source: | Code function: | 0_2_00459DE0 | |
| Source: | Code function: | 0_2_03192D8D | |
| Source: | Code function: | 0_2_0042E644 | |
| Source: | Code function: | 0_2_0045806C | |
| Source: | Code function: | 0_2_0049688C | |
| Source: | Code function: | 0_2_004314A4 | |
| Source: | Code function: | 0_2_004900DC | |
| Source: | Code function: | 0_2_0043015C | |
| Source: | Code function: | 0_2_004321C8 | |
| Source: | Code function: | 0_2_00444194 | |
| Source: | Code function: | 0_2_004882D0 | |
| Source: | Code function: | 0_2_0048240C | |
| Source: | Code function: | 0_2_00454588 | |
| Source: | Code function: | 0_2_0044473C | |
| Source: | Code function: | 0_2_00434BAC | |
| Source: | Code function: | 0_2_00430BB4 | |
| Source: | Code function: | 0_2_00430CF4 | |
| Source: | Code function: | 0_2_00444E34 | |
| Source: | Code function: | 0_2_004310AC | |
| Source: | Code function: | 0_2_0047316C | |
| Source: | Code function: | 0_2_00431104 | |
| Source: | Code function: | 0_2_00445258 | |
| Source: | Code function: | 0_2_00489204 | |
| Source: | Code function: | 0_2_00431760 | |
| Source: | Code function: | 0_2_00431738 | |
| Source: | Code function: | 0_2_0043DA1C | |
| Source: | Code function: | 0_2_00461B20 | |
| Source: | Code function: | 0_2_0045DC7C | |
| Source: | Code function: | 0_2_00469E70 | |
| Source: | Code function: | 0_2_0046BED4 | |
| Source: | Code function: | 0_2_00433EA8 | |
| Source: | Code function: | 0_2_031403CD | |
| Source: | Code function: | 0_2_03192D8D | |
| Source: | Code function: | 0_2_0317E31A | |
| Source: | Code function: | 0_2_0314B31A | |
| Source: | Code function: | 0_2_0315F31A | |
| Source: | Code function: | 0_2_0317D30A | |
| Source: | Code function: | 0_2_0314F390 | |
| Source: | Code function: | 0_2_031443BA | |
| Source: | Code function: | 0_2_031473AA | |
| Source: | Code function: | 0_2_031703EA | |
| Source: | Code function: | 0_2_0314A2AA | |
| Source: | Code function: | 0_2_0315C2FA | |
| Source: | Code function: | 0_2_031642EA | |
| Source: | Code function: | 0_2_0315E152 | |
| Source: | Code function: | 0_2_0317B160 | |
| Source: | Code function: | 0_2_0314519A | |
| Source: | Code function: | 0_2_031831C9 | |
| Source: | Code function: | 0_2_031481FA | |
| Source: | Code function: | 0_2_0315C01A | |
| Source: | Code function: | 0_2_03140000 | |
| Source: | Code function: | 0_2_03173057 | |
| Source: | Code function: | 0_2_0315404A | |
| Source: | Code function: | 0_2_031780B3 | |
| Source: | Code function: | 0_2_0317671A | |
| Source: | Code function: | 0_2_0315F71A | |
| Source: | Code function: | 0_2_0317B75F | |
| Source: | Code function: | 0_2_0315879C | |
| Source: | Code function: | 0_2_0317879A | |
| Source: | Code function: | 0_2_0314479A | |
| Source: | Code function: | 0_2_0316762A | |
| Source: | Code function: | 0_2_031696C2 | |
| Source: | Code function: | 0_2_031466CA | |
| Source: | Code function: | 0_2_0315350F | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Matched rule: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_0045806C | |
| Source: | Code function: | 0_2_004588A8 | |
| Source: | Code function: | 0_2_03140ADD | |
| Source: | Code function: | 0_2_00470494 | |
| Source: | Code function: | 0_2_0040AFD8 | |
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | ReversingLabs: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static file information: | ||
| Source: | Code function: | 0_2_00448314 | |
| Source: | Code function: | 0_3_03E7C69E | |
| Source: | Code function: | 0_3_03E7C69E | |
| Source: | Code function: | 0_3_03E7E71B | |
| Source: | Code function: | 0_3_03E7E71B | |
| Source: | Code function: | 0_3_03E7C69E | |
| Source: | Code function: | 0_3_03E7C69E | |
| Source: | Code function: | 0_3_03E7E71B | |
| Source: | Code function: | 0_3_03E7E71B | |
| Source: | Code function: | 0_2_0045A81C | |
| Source: | Code function: | 0_2_00409989 | |
| Source: | Code function: | 0_2_0040A050 | |
| Source: | Code function: | 0_2_0040A04D | |
| Source: | Code function: | 0_2_00406255 | |
| Source: | Code function: | 0_2_004543EF | |
| Source: | Code function: | 0_2_0045458D | |
| Source: | Code function: | 0_2_004106E5 | |
| Source: | Code function: | 0_2_0046277C | |
| Source: | Code function: | 0_2_00412987 | |
| Source: | Code function: | 0_2_0044CA01 | |
| Source: | Code function: | 0_2_00486D71 | |
| Source: | Code function: | 0_2_0040D03A | |
| Source: | Code function: | 0_2_00443110 | |
| Source: | Code function: | 0_2_00405409 | |
| Source: | Code function: | 0_2_004056A1 | |
| Source: | Code function: | 0_2_004056A1 | |
| Source: | Code function: | 0_2_0040F59A | |
| Source: | Code function: | 0_2_004056A1 | |
| Source: | Code function: | 0_2_004056A1 | |
| Source: | Code function: | 0_2_004857CA | |
| Source: | Code function: | 0_2_004979F5 | |
| Source: | Code function: | 0_2_00419BBD | |
| Source: | Code function: | 0_2_00423B18 | |
| Source: | Code function: | 0_2_00423B18 | |
| Source: | Code function: | 0_2_004240E8 | |
| Source: | Code function: | 0_2_004240A0 | |
| Source: | Code function: | 0_2_00418310 | |
| Source: | Code function: | 0_2_0042276C | |
| Source: | Code function: | 0_2_004850B0 | |
| Source: | Code function: | 0_2_00417534 | |
| Source: | Code function: | 0_2_00417C5A | |
| Source: | Code function: | 0_2_00417C5C | |
| Source: | Code function: | 0_2_0044E498 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | WMI Queries: | ||
| Source: | System information queried: | Jump to behavior | ||
| Source: | API coverage: | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | Code function: | 0_2_004667C0 | |
| Source: | Code function: | 0_2_00466C3C | |
| Source: | Code function: | 0_2_0049AD48 | |
| Source: | Code function: | 0_2_00465248 | |
| Source: | Code function: | 0_2_0045562C | |
| Source: | Code function: | 0_2_0047777C | |
| Source: | Code function: | 0_2_004851F0 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_00448314 | |
| Source: | Code function: | 0_2_031403CD | |
| Source: | Code function: | 0_2_0314098D | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 0_2_0047A6B4 | |
| Source: | Code function: | 0_2_0045F664 | |
| Source: | Code function: | 0_2_00408570 | |
| Source: | Code function: | 0_2_004085BC | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_0045B300 | |
| Source: | Code function: | 0_2_0045A1FC | |
| Source: | Code function: | 0_2_00458024 | |
| Source: | Code function: | 0_2_0044E444 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 11 Deobfuscate/Decode Files or Information | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 3 Obfuscated Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 41 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 2 Command and Scripting Interpreter | Logon Script (Windows) | 1 Access Token Manipulation | 1 DLL Side-Loading | Security Account Manager | 11 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | 1 PowerShell | Login Hook | 1 Process Injection | 21 Virtualization/Sandbox Evasion | NTDS | 36 System Information Discovery | Distributed Component Object Model | Input Capture | 114 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Access Token Manipulation | LSA Secrets | 221 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Process Injection | Cached Domain Credentials | 21 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 18% | ReversingLabs | Win32.Infostealer.Generic |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| cegu.shop | 185.161.251.21 | true | false | high | |
| monkeycutte.cyou | 188.114.96.3 | true | true | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high | ||
| false | high | ||
| true |
| unknown | |
| true |
| unknown | |
| false | high | ||
| false | high | ||
| false | high | ||
| false | high | ||
| false | high | ||
| false | high | ||
| false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 188.114.96.3 | monkeycutte.cyou | European Union | 13335 | CLOUDFLARENETUS | true | |
| 185.161.251.21 | cegu.shop | United Kingdom | 5089 | NTLGB | false |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1585372 |
| Start date and time: | 2025-01-07 15:32:11 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 8m 16s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 7 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | Setup.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@1/0@2/2 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
- Excluded IPs from analysis (whitelisted): 13.107.253.45, 172.202.163.200
- Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- VT rate limit hit for: Setup.exe
| Time | Type | Description |
|---|---|---|
| 09:33:21 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 188.114.96.3 | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
| |
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| 185.161.251.21 | Get hash | malicious | LummaC | Browse | ||
| Get hash | malicious | LummaC | Browse | |||
| Get hash | malicious | LummaC | Browse | |||
| Get hash | malicious | LummaC | Browse | |||
| Get hash | malicious | LummaC | Browse | |||
| Get hash | malicious | LummaC | Browse | |||
| Get hash | malicious | LummaC | Browse | |||
| Get hash | malicious | LummaC | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| cegu.shop | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | CAPTCHA Scam ClickFix | Browse |
| ||
| Get hash | malicious | Metasploit | Browse |
| ||
| NTLGB | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC, PrivateLoader | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 0.44302827183095866 |
| TrID: |
|
| File name: | Setup.exe |
| File size: | 74'584'245 bytes |
| MD5: | b42457dd108a4b0032a35391be8c1a4e |
| SHA1: | f28ee5d70cd6bbb66351e7fd6da2fe8e22fdbdba |
| SHA256: | 853df9767577da1c0ad5a6589f5b33d61e282675cc0abcae55d24aaf74193623 |
| SHA512: | c40afa00b922f50fe42282747b67b2184e745030426f077f4ded6b387c440d2ccfcec1e65bed08a94a5f93147971e3f093f97529fb3468f74f2de20de755b43b |
| SSDEEP: | 24576:T+QSkqg/8QNDa5lZe9fvyErqPW+UHx+/8cRTpEDidI6X:T7XqCB9f7qw2pE+d/X |
| TLSH: | B6F77C3D660033A78B43D5EB4B2697D99B949110231234FFE3AB0E4BC66B4D8437697B |
| File Content Preview: | MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
 | |
| Icon Hash: | 2d2e3797b32b2b99 |
| Entrypoint: | 0x49b840 |
| Entrypoint Section: | CODE |
| Digitally signed: | true |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI |
| DLL Characteristics: | TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 1 |
| OS Version Minor: | 0 |
| File Version Major: | 1 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 1 |
| Subsystem Version Minor: | 0 |
| Import Hash: | c1220b6b9a0c9ddea463bab3a99b594f |
| Signature Valid: | false |
| Signature Issuer: | CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US |
| Signature Validation Error: | The digital signature of the object did not verify |
| Error Number: | -2146869232 |
| Not Before, Not After |
|
| Subject Chain |
|
| Version: | 3 |
| Thumbprint MD5: | F7219078FBE20BC1B98BF8A86BFC0396 |
| Thumbprint SHA-1: | 30632EA310114105969D0BDA28FDCE267104754F |
| Thumbprint SHA-256: | 1B5061CF61C93822BDE2433156EEBE1F027C8FA9C88A4AF0EBD1348AF79C61E2 |
| Serial: | 14781BC862E8DC503A559346F5DCC518 |
| Instruction |
|---|
| push ebp |
| mov ebp, esp |
| add esp, FFFFFFF4h |
| push ebx |
| push esi |
| push edi |
| call 00007FC374D6BC83h |
| call 00007FC374D6DF52h |
| call 00007FC374D6EC09h |
| call 00007FC374D7229Ch |
| call 00007FC374D724CBh |
| call 00007FC374D792A2h |
| call 00007FC374D79315h |
| call 00007FC374D7B260h |
| call 00007FC374D818FFh |
| call 00007FC374D8D776h |
| call 00007FC374D97D3Dh |
| call 00007FC374D992A0h |
| call 00007FC374DB52CFh |
| call 00007FC374DBAE72h |
| call 00007FC374DBB311h |
| call 00007FC374DBCCD0h |
| call 00007FC374DBE6C3h |
| call 00007FC374DC221Ah |
| call 00007FC374DC30E9h |
| call 00007FC374DC485Ch |
| call 00007FC374DCF9CBh |
| call 00007FC374DD7B16h |
| call 00007FC374DE36B9h |
| call 00007FC374DEDFD8h |
| call 00007FC374E011D7h |
| xor eax, eax |
| push ebp |
| push 0049B904h |
| push dword ptr fs:[eax] |
| mov dword ptr fs:[eax], esp |
| push 00000001h |
| call 00007FC374D6E2EEh |
| call 00007FC374E03EC5h |
| mov eax, 0049B580h |
| push eax |
| push 0049B58Ch |
| mov eax, dword ptr [0049E624h] |
| call 00007FC374D8CC90h |
| call 00007FC374E03EF3h |
| xor eax, eax |
| pop edx |
| pop ecx |
| pop ecx |
| mov dword ptr fs:[eax], edx |
| jmp 00007FC374E041BBh |
| jmp 00007FC375D6B6F4h |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa0000 | 0x2622 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xae000 | 0x64200 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x471d6f5 | 0x39c0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0xa4000 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| CODE | 0x1000 | 0x9aa88 | 0x9ac00 | 4eee057a7ff5c464ab5150e206bab99b | False | 0.5045767492932148 | data | 6.6263127828582356 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| DATA | 0x9c000 | 0x1160 | 0x1200 | dad9cae5d49bb93a2321cc456fdf7b30 | False | 0.4505208333333333 | data | 4.472841393973581 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| BSS | 0x9e000 | 0x1500 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0xa0000 | 0x2622 | 0x2800 | 6a6036a0f19131189537424c828f6b45 | False | 0.36884765625 | data | 4.911486635960526 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .tls | 0xa3000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rdata | 0xa4000 | 0x18 | 0x200 | f0c87208c92fd0d7fee2e7f2dca8ed20 | False | 0.05078125 | MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "J" | 0.2108262677871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
| .reloc | 0xa5000 | 0x8d1c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
| .rsrc | 0xae000 | 0x64200 | 0x64200 | 75b2ac89598308a72c12f74514d64498 | False | 0.6300595934769039 | data | 7.481350440673158 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_CURSOR | 0xaebf0 | 0x134 | data | 0.4805194805194805 | ||
| RT_CURSOR | 0xaed24 | 0x134 | data | 0.38311688311688313 | ||
| RT_CURSOR | 0xaee58 | 0x134 | data | 0.36038961038961037 | ||
| RT_CURSOR | 0xaef8c | 0x134 | data | 0.4090909090909091 | ||
| RT_CURSOR | 0xaf0c0 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | 0.4967532467532468 | ||
| RT_CURSOR | 0xaf1f4 | 0x134 | data | 0.4642857142857143 | ||
| RT_BITMAP | 0xaf328 | 0x4e8 | Device independent bitmap graphic, 48 x 48 x 4, image size 1152 | 0.2945859872611465 | ||
| RT_BITMAP | 0xaf810 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | 0.521551724137931 | ||
| RT_ICON | 0xaf8f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.5675675675675675 |
| RT_ICON | 0xafa20 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | English | United States | 0.4486994219653179 |
| RT_ICON | 0xaff88 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.4637096774193548 |
| RT_ICON | 0xb0270 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States | 0.3935018050541516 |
| RT_STRING | 0xb0b18 | 0x178 | data | 0.7420212765957447 | ||
| RT_STRING | 0xb0c90 | 0x122 | data | 0.7103448275862069 | ||
| RT_STRING | 0xb0db4 | 0x170 | data | 0.8125 | ||
| RT_STRING | 0xb0f24 | 0x1a8 | data | 0.6981132075471698 | ||
| RT_STRING | 0xb10cc | 0x124 | data | 0.8356164383561644 | ||
| RT_STRING | 0xb11f0 | 0x150 | data | 0.7678571428571429 | ||
| RT_STRING | 0xb1340 | 0xf6 | data | 0.7642276422764228 | ||
| RT_STRING | 0xb1438 | 0xcc | data | 0.9019607843137255 | ||
| RT_STRING | 0xb1504 | 0xb4 | data | 0.8 | ||
| RT_STRING | 0xb15b8 | 0xe8 | data | 0.8663793103448276 | ||
| RT_STRING | 0xb16a0 | 0x154 | data | 0.7558823529411764 | ||
| RT_STRING | 0xb17f4 | 0x16a | data | 0.8425414364640884 | ||
| RT_STRING | 0xb1960 | 0x3c | data | 0.6833333333333333 | ||
| RT_STRING | 0xb199c | 0x140 | data | 0.796875 | ||
| RT_STRING | 0xb1adc | 0x142 | data | 0.6242236024844721 | ||
| RT_STRING | 0xb1c20 | 0x116 | data | 0.7661870503597122 | ||
| RT_STRING | 0xb1d38 | 0xfe | AmigaOS bitmap font "\017_\034 %", 15464 elements, 2nd, 3rd | 0.8464566929133859 | ||
| RT_STRING | 0xb1e38 | 0x68 | data | 0.75 | ||
| RT_STRING | 0xb1ea0 | 0xb4 | data | 0.6277777777777778 | ||
| RT_STRING | 0xb1f54 | 0xae | data | 0.5344827586206896 | ||
| RT_RCDATA | 0xb2004 | 0x1800 | PE32+ executable (console) x86-64, for MS Windows | Chinese | China | 0.3826497395833333 |
| RT_RCDATA | 0xb3804 | 0x1000 | PE32 executable (GUI) Intel 80386, for MS Windows | Chinese | China | 0.36474609375 |
| RT_RCDATA | 0xb4804 | 0x5b10 | PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows | Chinese | China | 0.3255404941660947 |
| RT_RCDATA | 0xba314 | 0x11c | Delphi compiled form 'TMainForm' | 0.7676056338028169 | ||
| RT_RCDATA | 0xba430 | 0x399 | Delphi compiled form 'TNewDiskForm' | 0.5276872964169381 | ||
| RT_RCDATA | 0xba7cc | 0x317 | Delphi compiled form 'TSelectFolderForm' | 0.5372945638432364 | ||
| RT_RCDATA | 0xbaae4 | 0x2f7 | Delphi compiled form 'TSelectLanguageForm' | 0.5704874835309618 | ||
| RT_RCDATA | 0xbaddc | 0x5d0 | Delphi compiled form 'TUninstallProgressForm' | 0.4576612903225806 | ||
| RT_RCDATA | 0xbb3ac | 0x458 | Delphi compiled form 'TUninstSharedFileForm' | 0.43345323741007197 | ||
| RT_RCDATA | 0xbb804 | 0x1fa6 | Delphi compiled form 'TWizardForm' | 0.23019007652431497 | ||
| RT_GROUP_CURSOR | 0xbd7ac | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | 1.3 | ||
| RT_GROUP_CURSOR | 0xbd7c0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | 1.25 | ||
| RT_GROUP_CURSOR | 0xbd7d4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | 1.25 | ||
| RT_GROUP_CURSOR | 0xbd7e8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | 1.3 | ||
| RT_GROUP_CURSOR | 0xbd7fc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | 1.3 | ||
| RT_GROUP_CURSOR | 0xbd810 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | 1.3 | ||
| RT_GROUP_ICON | 0xbd824 | 0x3e | data | English | United States | 0.8387096774193549 |
| RT_VERSION | 0xbd864 | 0x144 | data | Chinese | China | 0.5833333333333334 |
| RT_MANIFEST | 0xbd9a8 | 0x462 | XML 1.0 document, ASCII text, with very long lines (1120), with CRLF line terminators | Chinese | China | 0.4839572192513369 |
| DLL | Import |
|---|---|
| kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle |
| user32.dll | MessageBoxA |
| oleaut32.dll | SafeArrayPutElement, SafeArrayCreate, VariantChangeTypeEx, VariantCopy, VariantClear, SysStringLen, SysAllocStringLen |
| advapi32.dll | RegSetValueExA, RegQueryValueExA, RegQueryInfoKeyA, RegOpenKeyExA, RegEnumValueA, RegEnumKeyExA, RegDeleteValueA, RegDeleteKeyA, RegCreateKeyExA, RegCloseKey, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueA, GetUserNameA, GetTokenInformation, FreeSid, EqualSid, AllocateAndInitializeSid |
| kernel32.dll | lstrcmpA, WriteProfileStringA, WritePrivateProfileStringA, WriteFile, WaitForSingleObject, VirtualFree, VirtualAlloc, UpdateResourceA, UnmapViewOfFile, TransactNamedPipe, TerminateThread, TerminateProcess, Sleep, SizeofResource, SetNamedPipeHandleState, SetLastError, SetFileTime, SetFilePointer, SetFileAttributesA, SetErrorMode, SetEndOfFile, SetCurrentDirectoryA, RemoveDirectoryA, ReleaseMutex, ReadFile, QueryPerformanceCounter, OpenProcess, OpenMutexA, MultiByteToWideChar, MulDiv, MoveFileExA, MoveFileA, MapViewOfFile, LockResource, LocalFree, LocalFileTimeToFileTime, LoadResource, LoadLibraryExA, LoadLibraryA, IsDBCSLeadByte, IsBadWritePtr, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetWindowsDirectoryA, GetVersionExA, GetVersion, GetUserDefaultLangID, GetTickCount, GetSystemTimeAsFileTime, GetSystemInfo, GetSystemDirectoryA, GetSystemDefaultLCID, GetShortPathNameA, GetProfileStringA, GetProcAddress, GetPrivateProfileStringA, GetOverlappedResult, GetModuleHandleA, GetModuleFileNameA, GetLogicalDrives, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetDriveTypeA, GetDiskFreeSpaceA, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCurrentDirectoryA, GetComputerNameA, GetCommandLineA, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FlushFileBuffers, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, EnumResourceLanguagesA, EndUpdateResourceA, DeviceIoControl, DeleteFileA, CreateThread, CreateProcessA, CreateNamedPipeA, CreateMutexA, CreateFileMappingA, CreateFileA, CreateEventA, CreateDirectoryA, CopyFileA, CompareStringA, CompareFileTime, CloseHandle, BeginUpdateResourceA |
| mpr.dll | WNetOpenEnumA, WNetGetUniversalNameA, WNetGetConnectionA, WNetEnumResourceA, WNetCloseEnum |
| version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA |
| gdi32.dll | UnrealizeObject, TextOutA, StretchDIBits, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RoundRect, RestoreDC, RemoveFontResourceA, Rectangle, RectVisible, RealizePalette, Polyline, Pie, PatBlt, MoveToEx, LineTo, LineDDA, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetCurrentPositionEx, GetClipBox, GetBitmapBits, ExtFloodFill, ExcludeClipRect, EnumFontsA, Ellipse, DeleteObject, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateFontIndirectA, CreateDIBitmap, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, Chord, BitBlt, Arc, AddFontResourceA |
| user32.dll | WindowFromPoint, WinHelpA, WaitMessage, WaitForInputIdle, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenuEx, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowOwnedPopups, ShowCursor, SetWindowRgn, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollPos, SetScrollInfo, SetRectEmpty, SetRect, SetPropA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetCapture, SetActiveWindow, SendNotifyMessageA, SendMessageTimeoutA, SendMessageW, SendMessageA, ScrollWindowEx, ScrollWindow, ScreenToClient, ReplyMessage, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClassA, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharBuffA, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRgn, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetSystemMetrics, GetSystemMenu, GetSysColor, GetSubMenu, GetScrollPos, GetPropA, GetParent, GetWindow, GetMessagePos, GetMessageA, GetMenuStringA, GetMenuState, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassInfoW, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, ExitWindowsEx, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableMenuItem, DrawTextW, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreateWindowExA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcW, CallWindowProcA, CallNextHookEx, BringWindowToTop, BeginPaint, AppendMenuA, CharPrevA, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemBuffA, AdjustWindowRectEx |
| comctl32.dll | ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Create, InitCommonControls |
| ole32.dll | CoTaskMemFree, CLSIDFromProgID, CoCreateInstance, CoFreeUnusedLibraries, CoUninitialize, CoInitialize, IsEqualGUID |
| oleaut32.dll | GetActiveObject, RegisterTypeLib, LoadTypeLib, SysFreeString |
| shell32.dll | ShellExecuteExA, ShellExecuteA, SHGetFileInfoA, ExtractIconA |
| shell32.dll | SHChangeNotify, SHBrowseForFolder, SHGetPathFromIDList, SHGetMalloc |
| comdlg32.dll | GetSaveFileNameA, GetOpenFileNameA |
| ole32.dll | CoDisconnectObject |
| advapi32.dll | AdjustTokenPrivileges |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
| Chinese | China |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-07T15:33:21.220650+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49796 | 188.114.96.3 | 443 | TCP |
| 2025-01-07T15:33:21.977021+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.6 | 49796 | 188.114.96.3 | 443 | TCP |
| 2025-01-07T15:33:21.977021+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49796 | 188.114.96.3 | 443 | TCP |
| 2025-01-07T15:33:22.442940+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49802 | 188.114.96.3 | 443 | TCP |
| 2025-01-07T15:33:22.939365+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.6 | 49802 | 188.114.96.3 | 443 | TCP |
| 2025-01-07T15:33:22.939365+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49802 | 188.114.96.3 | 443 | TCP |
| 2025-01-07T15:33:23.996113+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49813 | 188.114.96.3 | 443 | TCP |
| 2025-01-07T15:33:25.060322+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.6 | 49813 | 188.114.96.3 | 443 | TCP |
| 2025-01-07T15:33:25.650141+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49824 | 188.114.96.3 | 443 | TCP |
| 2025-01-07T15:33:26.862006+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49830 | 188.114.96.3 | 443 | TCP |
| 2025-01-07T15:33:28.305033+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49841 | 188.114.96.3 | 443 | TCP |
| 2025-01-07T15:33:29.329728+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49851 | 188.114.96.3 | 443 | TCP |
| 2025-01-07T15:33:30.283912+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49859 | 188.114.96.3 | 443 | TCP |
| 2025-01-07T15:33:30.771218+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49859 | 188.114.96.3 | 443 | TCP |
| 2025-01-07T15:33:31.545509+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49865 | 185.161.251.21 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 7, 2025 15:33:20.754892111 CET | 49796 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:20.754933119 CET | 443 | 49796 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:20.754996061 CET | 49796 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:20.759207010 CET | 49796 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:20.759221077 CET | 443 | 49796 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:21.220580101 CET | 443 | 49796 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:21.220649958 CET | 49796 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:21.222338915 CET | 49796 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:21.222347975 CET | 443 | 49796 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:21.222611904 CET | 443 | 49796 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:21.275284052 CET | 49796 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:21.275398016 CET | 49796 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:21.275414944 CET | 443 | 49796 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:21.977027893 CET | 443 | 49796 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:21.977124929 CET | 443 | 49796 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:21.977288961 CET | 49796 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:21.979422092 CET | 49796 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:21.979443073 CET | 443 | 49796 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:21.979512930 CET | 49796 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:21.979517937 CET | 443 | 49796 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:21.987063885 CET | 49802 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:21.987103939 CET | 443 | 49802 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:21.987411976 CET | 49802 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:21.987670898 CET | 49802 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:21.987685919 CET | 443 | 49802 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:22.442868948 CET | 443 | 49802 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:22.442939997 CET | 49802 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:22.444545984 CET | 49802 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:22.444559097 CET | 443 | 49802 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:22.444808006 CET | 443 | 49802 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:22.446069956 CET | 49802 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:22.446104050 CET | 49802 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:22.446157932 CET | 443 | 49802 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:22.939395905 CET | 443 | 49802 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:22.939460039 CET | 443 | 49802 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:22.939490080 CET | 443 | 49802 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:22.939515114 CET | 443 | 49802 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:22.939564943 CET | 49802 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:22.939601898 CET | 443 | 49802 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:22.939615011 CET | 49802 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:22.939909935 CET | 443 | 49802 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:22.939933062 CET | 443 | 49802 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:22.939982891 CET | 49802 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:22.939990044 CET | 443 | 49802 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:22.940051079 CET | 49802 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:22.944011927 CET | 443 | 49802 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:22.944073915 CET | 443 | 49802 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:22.944104910 CET | 443 | 49802 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:22.944128036 CET | 443 | 49802 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:22.944133997 CET | 49802 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:22.944140911 CET | 443 | 49802 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:22.944166899 CET | 49802 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:22.944205999 CET | 443 | 49802 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:22.944252968 CET | 49802 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:22.971950054 CET | 49802 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:22.971971989 CET | 443 | 49802 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:22.971981049 CET | 49802 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:22.971987963 CET | 443 | 49802 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:23.539444923 CET | 49813 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:23.539482117 CET | 443 | 49813 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:23.539563894 CET | 49813 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:23.539906979 CET | 49813 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:23.539920092 CET | 443 | 49813 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:23.996054888 CET | 443 | 49813 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:23.996113062 CET | 49813 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:23.997505903 CET | 49813 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:23.997512102 CET | 443 | 49813 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:23.997755051 CET | 443 | 49813 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:23.999190092 CET | 49813 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:23.999325037 CET | 49813 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:23.999349117 CET | 443 | 49813 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:25.060350895 CET | 443 | 49813 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:25.060447931 CET | 443 | 49813 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:25.060642004 CET | 49813 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:25.060642004 CET | 49813 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:25.174307108 CET | 49824 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:25.174350023 CET | 443 | 49824 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:25.174444914 CET | 49824 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:25.174761057 CET | 49824 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:25.174774885 CET | 443 | 49824 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:25.365869999 CET | 49813 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:25.365900993 CET | 443 | 49813 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:25.650063038 CET | 443 | 49824 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:25.650141001 CET | 49824 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:25.658817053 CET | 49824 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:25.658823013 CET | 443 | 49824 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:25.659101963 CET | 443 | 49824 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:25.660969973 CET | 49824 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:25.661113024 CET | 49824 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:25.661145926 CET | 443 | 49824 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:25.662472010 CET | 49824 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:25.703320980 CET | 443 | 49824 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:26.141704082 CET | 443 | 49824 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:26.141805887 CET | 443 | 49824 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:26.141851902 CET | 49824 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:26.142057896 CET | 49824 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:26.142069101 CET | 443 | 49824 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:26.354561090 CET | 49830 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:26.354608059 CET | 443 | 49830 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:26.354686022 CET | 49830 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:26.354958057 CET | 49830 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:26.354973078 CET | 443 | 49830 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:26.861901045 CET | 443 | 49830 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:26.862005949 CET | 49830 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:26.863261938 CET | 49830 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:26.863270044 CET | 443 | 49830 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:26.863531113 CET | 443 | 49830 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:26.864748001 CET | 49830 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:26.864892960 CET | 49830 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:26.864923954 CET | 443 | 49830 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:26.864993095 CET | 49830 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:26.865000963 CET | 443 | 49830 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:27.486404896 CET | 443 | 49830 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:27.486507893 CET | 443 | 49830 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:27.486567974 CET | 49830 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:27.486694098 CET | 49830 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:27.486705065 CET | 443 | 49830 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:27.844221115 CET | 49841 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:27.844260931 CET | 443 | 49841 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:27.844336033 CET | 49841 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:27.844660997 CET | 49841 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:27.844672918 CET | 443 | 49841 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:28.304939032 CET | 443 | 49841 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:28.305032969 CET | 49841 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:28.306330919 CET | 49841 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:28.306338072 CET | 443 | 49841 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:28.306571007 CET | 443 | 49841 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:28.307818890 CET | 49841 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:28.307998896 CET | 49841 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:28.308005095 CET | 443 | 49841 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:28.773766994 CET | 443 | 49841 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:28.773904085 CET | 443 | 49841 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:28.774008989 CET | 49841 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:28.774065018 CET | 49841 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:28.774077892 CET | 443 | 49841 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:28.850255013 CET | 49851 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:28.850274086 CET | 443 | 49851 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:28.850327015 CET | 49851 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:28.850574970 CET | 49851 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:28.850584030 CET | 443 | 49851 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:29.329569101 CET | 443 | 49851 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:29.329727888 CET | 49851 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:29.331007957 CET | 49851 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:29.331017971 CET | 443 | 49851 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:29.331214905 CET | 443 | 49851 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:29.332530975 CET | 49851 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:29.332617998 CET | 49851 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:29.332623959 CET | 443 | 49851 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:29.799927950 CET | 443 | 49851 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:29.800009012 CET | 443 | 49851 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:29.800116062 CET | 49851 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:29.800188065 CET | 49851 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:29.800204992 CET | 443 | 49851 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:29.809658051 CET | 49859 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:29.809695005 CET | 443 | 49859 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:29.809781075 CET | 49859 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:29.810076952 CET | 49859 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:29.810087919 CET | 443 | 49859 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:30.283833027 CET | 443 | 49859 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:30.283911943 CET | 49859 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:30.285253048 CET | 49859 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:30.285259962 CET | 443 | 49859 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:30.285480022 CET | 443 | 49859 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:30.286659956 CET | 49859 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:30.286679029 CET | 49859 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:30.286720991 CET | 443 | 49859 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:30.771220922 CET | 443 | 49859 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:30.771328926 CET | 443 | 49859 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:30.771418095 CET | 49859 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:30.771523952 CET | 49859 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:30.771537066 CET | 443 | 49859 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:30.771600008 CET | 49859 | 443 | 192.168.2.6 | 188.114.96.3 |
| Jan 7, 2025 15:33:30.771604061 CET | 443 | 49859 | 188.114.96.3 | 192.168.2.6 |
| Jan 7, 2025 15:33:30.884856939 CET | 49865 | 443 | 192.168.2.6 | 185.161.251.21 |
| Jan 7, 2025 15:33:30.884891033 CET | 443 | 49865 | 185.161.251.21 | 192.168.2.6 |
| Jan 7, 2025 15:33:30.884994984 CET | 49865 | 443 | 192.168.2.6 | 185.161.251.21 |
| Jan 7, 2025 15:33:30.885358095 CET | 49865 | 443 | 192.168.2.6 | 185.161.251.21 |
| Jan 7, 2025 15:33:30.885370016 CET | 443 | 49865 | 185.161.251.21 | 192.168.2.6 |
| Jan 7, 2025 15:33:31.545428038 CET | 443 | 49865 | 185.161.251.21 | 192.168.2.6 |
| Jan 7, 2025 15:33:31.545509100 CET | 49865 | 443 | 192.168.2.6 | 185.161.251.21 |
| Jan 7, 2025 15:33:31.547091961 CET | 49865 | 443 | 192.168.2.6 | 185.161.251.21 |
| Jan 7, 2025 15:33:31.547097921 CET | 443 | 49865 | 185.161.251.21 | 192.168.2.6 |
| Jan 7, 2025 15:33:31.547302008 CET | 443 | 49865 | 185.161.251.21 | 192.168.2.6 |
| Jan 7, 2025 15:33:31.548499107 CET | 49865 | 443 | 192.168.2.6 | 185.161.251.21 |
| Jan 7, 2025 15:33:31.595330000 CET | 443 | 49865 | 185.161.251.21 | 192.168.2.6 |
| Jan 7, 2025 15:33:31.813369989 CET | 443 | 49865 | 185.161.251.21 | 192.168.2.6 |
| Jan 7, 2025 15:33:31.813426018 CET | 443 | 49865 | 185.161.251.21 | 192.168.2.6 |
| Jan 7, 2025 15:33:31.813623905 CET | 49865 | 443 | 192.168.2.6 | 185.161.251.21 |
| Jan 7, 2025 15:33:31.813657999 CET | 49865 | 443 | 192.168.2.6 | 185.161.251.21 |
| Jan 7, 2025 15:33:31.813674927 CET | 443 | 49865 | 185.161.251.21 | 192.168.2.6 |
| Jan 7, 2025 15:33:31.813687086 CET | 49865 | 443 | 192.168.2.6 | 185.161.251.21 |
| Jan 7, 2025 15:33:31.813694000 CET | 443 | 49865 | 185.161.251.21 | 192.168.2.6 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 7, 2025 15:33:20.737042904 CET | 61480 | 53 | 192.168.2.6 | 1.1.1.1 |
| Jan 7, 2025 15:33:20.749195099 CET | 53 | 61480 | 1.1.1.1 | 192.168.2.6 |
| Jan 7, 2025 15:33:30.774308920 CET | 60676 | 53 | 192.168.2.6 | 1.1.1.1 |
| Jan 7, 2025 15:33:30.883927107 CET | 53 | 60676 | 1.1.1.1 | 192.168.2.6 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jan 7, 2025 15:33:20.737042904 CET | 192.168.2.6 | 1.1.1.1 | 0xfe7 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 7, 2025 15:33:30.774308920 CET | 192.168.2.6 | 1.1.1.1 | 0x6a02 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jan 7, 2025 15:33:20.749195099 CET | 1.1.1.1 | 192.168.2.6 | 0xfe7 | No error (0) | 188.114.96.3 | A (IP address) | IN (0x0001) | false | ||
| Jan 7, 2025 15:33:20.749195099 CET | 1.1.1.1 | 192.168.2.6 | 0xfe7 | No error (0) | 188.114.97.3 | A (IP address) | IN (0x0001) | false | ||
| Jan 7, 2025 15:33:30.883927107 CET | 1.1.1.1 | 192.168.2.6 | 0x6a02 | No error (0) | 185.161.251.21 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.6 | 49796 | 188.114.96.3 | 443 | 4440 | C:\Users\user\Desktop\Setup.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-07 14:33:21 UTC | 263 | OUT | |
| 2025-01-07 14:33:21 UTC | 8 | OUT | |
| 2025-01-07 14:33:21 UTC | 1127 | IN | |
| 2025-01-07 14:33:21 UTC | 7 | IN | |
| 2025-01-07 14:33:21 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.6 | 49802 | 188.114.96.3 | 443 | 4440 | C:\Users\user\Desktop\Setup.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-07 14:33:22 UTC | 264 | OUT | |
| 2025-01-07 14:33:22 UTC | 77 | OUT | |
| 2025-01-07 14:33:22 UTC | 1127 | IN | |
| 2025-01-07 14:33:22 UTC | 242 | IN | |
| 2025-01-07 14:33:22 UTC | 899 | IN | |
| 2025-01-07 14:33:22 UTC | 1369 | IN | |
| 2025-01-07 14:33:22 UTC | 1369 | IN | |
| 2025-01-07 14:33:22 UTC | 1369 | IN | |
| 2025-01-07 14:33:22 UTC | 1369 | IN | |
| 2025-01-07 14:33:22 UTC | 1369 | IN | |
| 2025-01-07 14:33:22 UTC | 1369 | IN | |
| 2025-01-07 14:33:22 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.6 | 49813 | 188.114.96.3 | 443 | 4440 | C:\Users\user\Desktop\Setup.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-07 14:33:23 UTC | 280 | OUT | |
| 2025-01-07 14:33:23 UTC | 12845 | OUT | |
| 2025-01-07 14:33:25 UTC | 1127 | IN | |
| 2025-01-07 14:33:25 UTC | 20 | IN | |
| 2025-01-07 14:33:25 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.6 | 49824 | 188.114.96.3 | 443 | 4440 | C:\Users\user\Desktop\Setup.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-07 14:33:25 UTC | 278 | OUT | |
| 2025-01-07 14:33:25 UTC | 15079 | OUT | |
| 2025-01-07 14:33:26 UTC | 1118 | IN | |
| 2025-01-07 14:33:26 UTC | 20 | IN | |
| 2025-01-07 14:33:26 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.6 | 49830 | 188.114.96.3 | 443 | 4440 | C:\Users\user\Desktop\Setup.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-07 14:33:26 UTC | 282 | OUT | |
| 2025-01-07 14:33:26 UTC | 15331 | OUT | |
| 2025-01-07 14:33:26 UTC | 4630 | OUT | |
| 2025-01-07 14:33:27 UTC | 1128 | IN | |
| 2025-01-07 14:33:27 UTC | 20 | IN | |
| 2025-01-07 14:33:27 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.6 | 49841 | 188.114.96.3 | 443 | 4440 | C:\Users\user\Desktop\Setup.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-07 14:33:28 UTC | 278 | OUT | |
| 2025-01-07 14:33:28 UTC | 1207 | OUT | |
| 2025-01-07 14:33:28 UTC | 1118 | IN | |
| 2025-01-07 14:33:28 UTC | 20 | IN | |
| 2025-01-07 14:33:28 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.6 | 49851 | 188.114.96.3 | 443 | 4440 | C:\Users\user\Desktop\Setup.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-07 14:33:29 UTC | 278 | OUT | |
| 2025-01-07 14:33:29 UTC | 1084 | OUT | |
| 2025-01-07 14:33:29 UTC | 1122 | IN | |
| 2025-01-07 14:33:29 UTC | 20 | IN | |
| 2025-01-07 14:33:29 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.6 | 49859 | 188.114.96.3 | 443 | 4440 | C:\Users\user\Desktop\Setup.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-07 14:33:30 UTC | 265 | OUT | |
| 2025-01-07 14:33:30 UTC | 112 | OUT | |
| 2025-01-07 14:33:30 UTC | 1124 | IN | |
| 2025-01-07 14:33:30 UTC | 218 | IN | |
| 2025-01-07 14:33:30 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 8 | 192.168.2.6 | 49865 | 185.161.251.21 | 443 | 4440 | C:\Users\user\Desktop\Setup.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-07 14:33:31 UTC | 201 | OUT | |
| 2025-01-07 14:33:31 UTC | 249 | IN | |
| 2025-01-07 14:33:31 UTC | 329 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
| Target ID: | 0 |
| Start time: | 09:32:59 |
| Start date: | 07/01/2025 |
| Path: | C:\Users\user\Desktop\Setup.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 74'584'245 bytes |
| MD5 hash: | B42457DD108A4B0032A35391BE8C1A4E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | false |
Execution Graph
| Execution Coverage: | 2.3% |
| Dynamic/Decrypted Code Coverage: | 11.9% |
| Signature Coverage: | 26.2% |
| Total number of Nodes: | 478 |
| Total number of Limit Nodes: | 21 |
Graph
Function 00423B18 Relevance: 21.4, APIs: 14, Instructions: 395COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004314A4 Relevance: 18.6, APIs: 2, Strings: 8, Instructions: 1125librarymemoryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00431738 Relevance: 14.9, APIs: 2, Strings: 6, Instructions: 944librarymemoryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00431760 Relevance: 14.9, APIs: 2, Strings: 6, Instructions: 934librarymemoryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 03192D8D Relevance: 12.7, APIs: 8, Instructions: 730memorynativethreadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 031403CD Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 399threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0314098D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00408570 Relevance: 1.5, APIs: 1, Instructions: 29COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00423A90 Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004321C8 Relevance: .2, Instructions: 229COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004062BC Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 27libraryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00455DBC Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 46libraryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004308CC Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 23registryclipboardthreadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00423598 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 96windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00418EC8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00422FD4 Relevance: 6.1, APIs: 4, Instructions: 54COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00459918 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 11libraryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 03193A0B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00423148 Relevance: 3.0, APIs: 2, Instructions: 35COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042E168 Relevance: 3.0, APIs: 2, Instructions: 33libraryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004014DC Relevance: 2.5, APIs: 2, Instructions: 37memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004085E4 Relevance: 1.6, APIs: 1, Instructions: 99COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0319265D Relevance: 1.6, APIs: 1, Instructions: 325memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0042E5D8 Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406288 Relevance: 1.5, APIs: 1, Instructions: 27COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00423558 Relevance: 1.5, APIs: 1, Instructions: 22COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042E1C3 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041F344 Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044E498 Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 252libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004900DC Relevance: 136.6, APIs: 22, Strings: 55, Instructions: 1871COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004882D0 Relevance: 105.4, Strings: 84, Instructions: 424COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045B300 Relevance: 33.4, APIs: 11, Strings: 8, Instructions: 186pipeprocessfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004851F0 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 68libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045F664 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 182libraryloadermemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00489204 Relevance: 17.6, Strings: 14, Instructions: 76COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00418310 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 58windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00469E70 Relevance: 13.9, APIs: 4, Strings: 3, Instructions: 1649windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045806C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47shutdownCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0315350F Relevance: 11.8, Strings: 9, Instructions: 564COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0049AD48 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 90fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0314B31A Relevance: 10.4, Strings: 8, Instructions: 387COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0048240C Relevance: 9.4, Strings: 7, Instructions: 603COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004588A8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 112libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00417C5C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0314E715 Relevance: 7.6, Strings: 6, Instructions: 149COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004667C0 Relevance: 7.6, APIs: 5, Instructions: 129fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00466C3C Relevance: 7.6, APIs: 5, Instructions: 129fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042E644 Relevance: 7.6, APIs: 5, Instructions: 50fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0315C01A Relevance: 6.4, Strings: 5, Instructions: 189COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004850B0 Relevance: 6.0, APIs: 4, Instructions: 47windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0317D30A Relevance: 5.2, Strings: 4, Instructions: 181COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00465248 Relevance: 4.6, APIs: 3, Instructions: 67fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004240E8 Relevance: 4.5, APIs: 3, Instructions: 32windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 031642EA Relevance: 4.3, Strings: 3, Instructions: 509COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0315E152 Relevance: 4.1, Strings: 3, Instructions: 392COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 031466CA Relevance: 3.3, Strings: 2, Instructions: 792COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040AFD8 Relevance: 3.1, APIs: 2, Instructions: 51COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00417C5A Relevance: 3.0, APIs: 2, Instructions: 49windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045562C Relevance: 3.0, APIs: 2, Instructions: 45fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00417534 Relevance: 3.0, APIs: 2, Instructions: 44windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00470494 Relevance: 3.0, APIs: 2, Instructions: 28comCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045A1FC Relevance: 3.0, APIs: 2, Instructions: 23timeCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004240A0 Relevance: 3.0, APIs: 2, Instructions: 22windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 03173057 Relevance: 2.8, Strings: 2, Instructions: 331COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0044C328 Relevance: 1.7, APIs: 1, Instructions: 188nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004125DC Relevance: 1.7, APIs: 1, Instructions: 188nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0317E31A Relevance: 1.6, Strings: 1, Instructions: 365COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0047AC70 Relevance: 1.6, APIs: 1, Instructions: 107nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 031696C2 Relevance: 1.6, Strings: 1, Instructions: 353COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004125AD Relevance: 1.6, APIs: 1, Instructions: 80nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0315F71A Relevance: 1.5, Strings: 1, Instructions: 296COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004303D4 Relevance: 1.5, APIs: 1, Instructions: 41nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044E444 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004085BC Relevance: 1.5, APIs: 1, Instructions: 23COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00458024 Relevance: 1.5, APIs: 1, Instructions: 20COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042F230 Relevance: 1.5, APIs: 1, Instructions: 17nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0314A2AA Relevance: 1.5, Strings: 1, Instructions: 258COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0318175A Relevance: 1.5, Strings: 1, Instructions: 243COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0317671A Relevance: 1.5, Strings: 1, Instructions: 241COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 031711BD Relevance: 1.4, Strings: 1, Instructions: 194COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0317E70A Relevance: 1.4, Strings: 1, Instructions: 166COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 031721DF Relevance: 1.3, Strings: 1, Instructions: 93COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 031843BA Relevance: 1.3, Strings: 1, Instructions: 73COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043DA1C Relevance: .9, Instructions: 916COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00454588 Relevance: .9, Instructions: 908COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 031481FA Relevance: .7, Instructions: 665COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0314479A Relevance: .7, Instructions: 657COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0314519A Relevance: .6, Instructions: 600COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00461B20 Relevance: .6, Instructions: 581COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 031473AA Relevance: .5, Instructions: 539COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00433EA8 Relevance: .4, Instructions: 445COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0317B160 Relevance: .4, Instructions: 388COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00444194 Relevance: .4, Instructions: 374COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00434BAC Relevance: .4, Instructions: 354COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0046BED4 Relevance: .3, Instructions: 340COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 031780B3 Relevance: .3, Instructions: 318COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0315F31A Relevance: .3, Instructions: 314COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0315879C Relevance: .3, Instructions: 310COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0317B75F Relevance: .3, Instructions: 299COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00445258 Relevance: .3, Instructions: 290COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00444E34 Relevance: .3, Instructions: 263COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0315D6FB Relevance: .2, Instructions: 245COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 03140000 Relevance: .2, Instructions: 240COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0044473C Relevance: .2, Instructions: 199COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0315C2FA Relevance: .2, Instructions: 188COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043015C Relevance: .2, Instructions: 177COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0317879A Relevance: .2, Instructions: 177COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0314F390 Relevance: .2, Instructions: 162COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 031831C9 Relevance: .2, Instructions: 160COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0315A25A Relevance: .2, Instructions: 155COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 031703EA Relevance: .1, Instructions: 126COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0316762A Relevance: .1, Instructions: 109COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0314C08D Relevance: .1, Instructions: 109COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 031443BA Relevance: .1, Instructions: 106COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 031570C8 Relevance: .1, Instructions: 100COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00430BB4 Relevance: .1, Instructions: 87COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 03150242 Relevance: .1, Instructions: 75COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0317E246 Relevance: .1, Instructions: 74COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0316167A Relevance: .1, Instructions: 68COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0316E66A Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0316B2E6 Relevance: .1, Instructions: 56COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 03182169 Relevance: .1, Instructions: 56COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0316A251 Relevance: .0, Instructions: 48COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 031503E4 Relevance: .0, Instructions: 30COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0316A2DA Relevance: .0, Instructions: 30COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 031836CA Relevance: .0, Instructions: 23COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0316B099 Relevance: .0, Instructions: 23COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0316124A Relevance: .0, Instructions: 21COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00471C14 Relevance: 72.2, APIs: 1, Strings: 40, Instructions: 488registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00494C48 Relevance: 56.4, APIs: 16, Strings: 16, Instructions: 431sleepCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041F098 Relevance: 45.6, APIs: 15, Strings: 11, Instructions: 87libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045AB7C Relevance: 38.7, APIs: 11, Strings: 11, Instructions: 237filesynchronizationprocessCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042DE70 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 178memorylibraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0049B074 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 251synchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0046B858 Relevance: 24.7, APIs: 1, Strings: 13, Instructions: 155registryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00459000 Relevance: 19.5, APIs: 4, Strings: 7, Instructions: 264comCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004572FC Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 244registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00456FB0 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 228registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00499954 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 141fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042EE98 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 82libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004654E8 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 82libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045C0E8 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 165registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045B8F8 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 127pipeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00459588 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 99libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042F270 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 90windowregistryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042E1EC Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 86registrylibraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404A2B Relevance: 15.1, APIs: 10, Instructions: 119fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045FD48 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 41libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044FFA8 Relevance: 13.6, APIs: 9, Instructions: 90COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00469C4C Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 141windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0047EDC4 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 95libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00465928 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 75windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0047A520 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 66libraryfileloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042937C Relevance: 12.1, APIs: 8, Instructions: 62COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041DDA4 Relevance: 12.1, APIs: 8, Instructions: 59windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00478E74 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 200windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044B3FC Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 158windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00411704 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 158windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00458174 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 142registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0046D9F8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 118sleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041C0C8 Relevance: 10.6, APIs: 7, Instructions: 70windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004853E0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 61registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041B3E2 Relevance: 10.6, APIs: 7, Instructions: 57windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004019B4 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 48memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00498070 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 47libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045FC1C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 34libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00460100 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044F61C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 28libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0047ADD0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 14libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041B5EC Relevance: 9.1, APIs: 6, Instructions: 144windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041B8BC Relevance: 9.1, APIs: 6, Instructions: 142windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041B488 Relevance: 9.1, APIs: 6, Instructions: 113windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00499218 Relevance: 9.1, APIs: 6, Instructions: 90sleepsynchronizationthreadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041BD0C Relevance: 9.1, APIs: 6, Instructions: 71COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045B754 Relevance: 9.1, APIs: 6, Instructions: 70sleepsynchronizationCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00413640 Relevance: 9.1, APIs: 6, Instructions: 60COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401A78 Relevance: 9.1, APIs: 6, Instructions: 59COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00480138 Relevance: 9.1, APIs: 6, Instructions: 57COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041B1F0 Relevance: 9.0, APIs: 6, Instructions: 43COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0048318C Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 170windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00472D1C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 89registrywindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404C8E Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 71windowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042E7B8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042DC18 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 32registrylibraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042E72C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042E6BC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00479D64 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderthreadCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045255C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 16libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00416BCC Relevance: 7.6, APIs: 5, Instructions: 104COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00459B28 Relevance: 7.6, APIs: 5, Instructions: 103windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004147C4 Relevance: 7.6, APIs: 5, Instructions: 99COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004296C8 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041BB38 Relevance: 7.6, APIs: 5, Instructions: 83COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403C70 Relevance: 7.6, APIs: 5, Instructions: 55memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004143B0 Relevance: 7.6, APIs: 5, Instructions: 51COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00456BA8 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 190fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406FAC Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 156shareCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045785C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 102libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00456488 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004163B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89registryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045C40C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 86libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00459464 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0047A89C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55windowkeyboardCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004584AC Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 41registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00485338 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042D768 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042E864 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0049B600 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004670D8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 8libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00474A78 Relevance: 6.3, APIs: 4, Instructions: 263fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0047F71C Relevance: 6.2, APIs: 4, Instructions: 194fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00481784 Relevance: 6.1, APIs: 4, Instructions: 147fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00421190 Relevance: 6.1, APIs: 4, Instructions: 127windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00413CC8 Relevance: 6.1, APIs: 4, Instructions: 107COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00408A5C Relevance: 6.1, APIs: 4, Instructions: 95windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00479E30 Relevance: 6.1, APIs: 4, Instructions: 92windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004516E8 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0049866C Relevance: 6.1, APIs: 4, Instructions: 81COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004171B4 Relevance: 6.1, APIs: 4, Instructions: 72COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00416AE2 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00498320 Relevance: 6.1, APIs: 4, Instructions: 60COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00457A04 Relevance: 6.1, APIs: 4, Instructions: 54COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D210 Relevance: 6.1, APIs: 4, Instructions: 51COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004836DC Relevance: 6.1, APIs: 4, Instructions: 51windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0047ECAC Relevance: 6.0, APIs: 4, Instructions: 35sleepCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0047A3B4 Relevance: 6.0, APIs: 4, Instructions: 31COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042414C Relevance: 6.0, APIs: 4, Instructions: 26windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040620C Relevance: 6.0, APIs: 4, Instructions: 11memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0046D3B0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 261windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0047B048 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 86registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00452F48 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004599B8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004990C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59processCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042DB38 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56registryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042EA48 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044C098 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47keyboardCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0045BFF8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0047E5EC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042DBF0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0046F228 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 8libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00458110 Relevance: 5.0, APIs: 4, Instructions: 45sleepCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|