Edit tour
Windows
Analysis Report
tesr.exe
Overview
General Information
| Sample name: | tesr.exe |
| Analysis ID: | 1589840 |
| MD5: | 4f96b4d0061d45b08d73e3526d82630f |
| SHA1: | 15d6d2445d55db393adf30f0bf7f4b649c098257 |
| SHA256: | 30bc5b4729f0ae6ea5e1eb44654e739040f29941b5e6d2436b10ae93a98e5e6b |
| Tags: | exeghd78sgithubuser-JAMESWT_MHT |
| Infos: |  |
 | |
Detection
LummaC Stealer
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
tesr.exe (PID: 2380 cmdline: "C:\Users\ user\Deskt op\tesr.ex e" MD5: 4F96B4D0061D45B08D73E3526D82630F) 
dxdiag.exe (PID: 5392 cmdline: "C:\Window s\SysWOW64 \dxdiag.ex e" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
- cleanup
{"C2 url": ["formy-spill.biz", "dare-curbys.biz", "covery-mover.biz", "mutterunurse.click", "zinc-sneark.biz", "se-blurry.biz", "impend-differ.biz", "dwell-exclaim.biz", "print-vexer.biz"], "Build id": "xMnLq7--RLC"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-13T08:34:24.941198+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49720 | 104.21.90.18 | 443 | TCP |
| 2025-01-13T08:34:26.202678+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49722 | 104.21.90.18 | 443 | TCP |
| 2025-01-13T08:34:27.447402+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49723 | 104.21.90.18 | 443 | TCP |
| 2025-01-13T08:34:29.402372+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49725 | 104.21.90.18 | 443 | TCP |
| 2025-01-13T08:34:30.626463+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49731 | 104.21.90.18 | 443 | TCP |
| 2025-01-13T08:34:32.081543+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49742 | 104.21.90.18 | 443 | TCP |
| 2025-01-13T08:34:33.660210+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49753 | 104.21.90.18 | 443 | TCP |
| 2025-01-13T08:34:35.821669+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49770 | 104.21.90.18 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-13T08:34:25.476622+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49720 | 104.21.90.18 | 443 | TCP |
| 2025-01-13T08:34:26.690310+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49722 | 104.21.90.18 | 443 | TCP |
| 2025-01-13T08:34:36.285586+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49770 | 104.21.90.18 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-13T08:34:25.476622+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49720 | 104.21.90.18 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-13T08:34:26.690310+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.5 | 49722 | 104.21.90.18 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-13T08:34:28.392365+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49723 | 104.21.90.18 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-13T08:34:33.702654+0100 | 2843864 | 1 | A Network Trojan was detected | 192.168.2.5 | 49753 | 104.21.90.18 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Code function: | 2_2_00416B7E | |
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 2_2_0040A960 | |
| Source: | Code function: | 2_2_00426170 | |
| Source: | Code function: | 2_2_0040C36E | |
| Source: | Code function: | 2_2_0043DBD0 | |
| Source: | Code function: | 2_2_00409CC0 | |
| Source: | Code function: | 2_2_0043DCF0 | |
| Source: | Code function: | 2_2_0040CE55 | |
| Source: | Code function: | 2_2_0042C6D7 | |
| Source: | Code function: | 2_2_0042C6D7 | |
| Source: | Code function: | 2_2_0042C6D7 | |
| Source: | Code function: | 2_2_0042C6D7 | |
| Source: | Code function: | 2_2_00417E82 | |
| Source: | Code function: | 2_2_0043E690 | |
| Source: | Code function: | 2_2_0042BFD3 | |
| Source: | Code function: | 2_2_0042BFDA | |
| Source: | Code function: | 2_2_0042A060 | |
| Source: | Code function: | 2_2_00425F7D | |
| Source: | Code function: | 2_2_0041D074 | |
| Source: | Code function: | 2_2_0041D087 | |
| Source: | Code function: | 2_2_0042D085 | |
| Source: | Code function: | 2_2_0042D085 | |
| Source: | Code function: | 2_2_0041597D | |
| Source: | Code function: | 2_2_00416E97 | |
| Source: | Code function: | 2_2_00416E97 | |
| Source: | Code function: | 2_2_00405910 | |
| Source: | Code function: | 2_2_00405910 | |
| Source: | Code function: | 2_2_00425920 | |
| Source: | Code function: | 2_2_004286F0 | |
| Source: | Code function: | 2_2_00417190 | |
| Source: | Code function: | 2_2_00422270 | |
| Source: | Code function: | 2_2_0040C274 | |
| Source: | Code function: | 2_2_00425230 | |
| Source: | Code function: | 2_2_0043CAC0 | |
| Source: | Code function: | 2_2_004292D0 | |
| Source: | Code function: | 2_2_004292D0 | |
| Source: | Code function: | 2_2_0042AAD0 | |
| Source: | Code function: | 2_2_00415ADC | |
| Source: | Code function: | 2_2_0042536C | |
| Source: | Code function: | 2_2_00402B70 | |
| Source: | Code function: | 2_2_00427307 | |
| Source: | Code function: | 2_2_00436B20 | |
| Source: | Code function: | 2_2_0043CBD6 | |
| Source: | Code function: | 2_2_00407470 | |
| Source: | Code function: | 2_2_00407470 | |
| Source: | Code function: | 2_2_0042B475 | |
| Source: | Code function: | 2_2_00419C10 | |
| Source: | Code function: | 2_2_0043CCE0 | |
| Source: | Code function: | 2_2_0042B4BB | |
| Source: | Code function: | 2_2_0043CD60 | |
| Source: | Code function: | 2_2_004345F0 | |
| Source: | Code function: | 2_2_00427653 | |
| Source: | Code function: | 2_2_0043CE00 | |
| Source: | Code function: | 2_2_0042A630 | |
| Source: | Code function: | 2_2_004296D8 | |
| Source: | Code function: | 2_2_00415EE0 | |
| Source: | Code function: | 2_2_00421EE0 | |
| Source: | Code function: | 2_2_004266E7 | |
| Source: | Code function: | 2_2_004286F0 | |
| Source: | Code function: | 2_2_00416E97 | |
| Source: | Code function: | 2_2_00416E97 | |
| Source: | Code function: | 2_2_0041CEA5 | |
| Source: | Code function: | 2_2_00428F5D | |
| Source: | Code function: | 2_2_00425F7D | |
| Source: | Code function: | 2_2_00414F08 | |
| Source: | Code function: | 2_2_00414F08 | |
| Source: | Code function: | 2_2_00420717 | |
| Source: | Code function: | 2_2_00420717 | |
| Source: | Code function: | 2_2_0043DFB0 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | TCP traffic: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 2_2_00431A30 | |
| Source: | Code function: | 2_2_00431A30 | |
| Source: | Code function: | 2_2_00431BB0 | |
| Source: | Code function: | 2_2_0040A960 | |
| Source: | Code function: | 2_2_00426170 | |
| Source: | Code function: | 2_2_0040E2A9 | |
| Source: | Code function: | 2_2_00416B7E | |
| Source: | Code function: | 2_2_00439B90 | |
| Source: | Code function: | 2_2_004233A0 | |
| Source: | Code function: | 2_2_00436C40 | |
| Source: | Code function: | 2_2_0043DCF0 | |
| Source: | Code function: | 2_2_004215F0 | |
| Source: | Code function: | 2_2_0042C6D7 | |
| Source: | Code function: | 2_2_0043E690 | |
| Source: | Code function: | 2_2_0042BFD3 | |
| Source: | Code function: | 2_2_00410FD6 | |
| Source: | Code function: | 2_2_0042BFDA | |
| Source: | Code function: | 2_2_004087F0 | |
| Source: | Code function: | 2_2_00436F90 | |
| Source: | Code function: | 2_2_004097B0 | |
| Source: | Code function: | 2_2_00425F7D | |
| Source: | Code function: | 2_2_00409070 | |
| Source: | Code function: | 2_2_0043A030 | |
| Source: | Code function: | 2_2_004038C0 | |
| Source: | Code function: | 2_2_004380D9 | |
| Source: | Code function: | 2_2_0041D8E0 | |
| Source: | Code function: | 2_2_0042D085 | |
| Source: | Code function: | 2_2_004280B0 | |
| Source: | Code function: | 2_2_0042297F | |
| Source: | Code function: | 2_2_0042A100 | |
| Source: | Code function: | 2_2_00437900 | |
| Source: | Code function: | 2_2_00416E97 | |
| Source: | Code function: | 2_2_00405910 | |
| Source: | Code function: | 2_2_00425920 | |
| Source: | Code function: | 2_2_004301D0 | |
| Source: | Code function: | 2_2_004081F0 | |
| Source: | Code function: | 2_2_00408990 | |
| Source: | Code function: | 2_2_00417190 | |
| Source: | Code function: | 2_2_00414A40 | |
| Source: | Code function: | 2_2_0041BA48 | |
| Source: | Code function: | 2_2_0040CA54 | |
| Source: | Code function: | 2_2_00404270 | |
| Source: | Code function: | 2_2_00422270 | |
| Source: | Code function: | 2_2_00406200 | |
| Source: | Code function: | 2_2_00423A00 | |
| Source: | Code function: | 2_2_0043CAC0 | |
| Source: | Code function: | 2_2_0043E2C0 | |
| Source: | Code function: | 2_2_004292D0 | |
| Source: | Code function: | 2_2_00415ADC | |
| Source: | Code function: | 2_2_0042BA8D | |
| Source: | Code function: | 2_2_004192BA | |
| Source: | Code function: | 2_2_0040B351 | |
| Source: | Code function: | 2_2_0041CB5A | |
| Source: | Code function: | 2_2_00409360 | |
| Source: | Code function: | 2_2_0041C360 | |
| Source: | Code function: | 2_2_00411B1B | |
| Source: | Code function: | 2_2_0043533A | |
| Source: | Code function: | 2_2_0043CBD6 | |
| Source: | Code function: | 2_2_0043A3F0 | |
| Source: | Code function: | 2_2_00404BA0 | |
| Source: | Code function: | 2_2_0040D44C | |
| Source: | Code function: | 2_2_00434C4D | |
| Source: | Code function: | 2_2_00407470 | |
| Source: | Code function: | 2_2_00419C10 | |
| Source: | Code function: | 2_2_00418C1E | |
| Source: | Code function: | 2_2_0041D420 | |
| Source: | Code function: | 2_2_0041DC20 | |
| Source: | Code function: | 2_2_00436430 | |
| Source: | Code function: | 2_2_0043CCE0 | |
| Source: | Code function: | 2_2_00422CF8 | |
| Source: | Code function: | 2_2_00427C9D | |
| Source: | Code function: | 2_2_0043CD60 | |
| Source: | Code function: | 2_2_00416571 | |
| Source: | Code function: | 2_2_00424D70 | |
| Source: | Code function: | 2_2_00423D30 | |
| Source: | Code function: | 2_2_0041DE40 | |
| Source: | Code function: | 2_2_00423E4B | |
| Source: | Code function: | 2_2_00405E60 | |
| Source: | Code function: | 2_2_00412670 | |
| Source: | Code function: | 2_2_00425670 | |
| Source: | Code function: | 2_2_0041AE00 | |
| Source: | Code function: | 2_2_0043CE00 | |
| Source: | Code function: | 2_2_00423E30 | |
| Source: | Code function: | 2_2_004156D0 | |
| Source: | Code function: | 2_2_00415EE0 | |
| Source: | Code function: | 2_2_004266E7 | |
| Source: | Code function: | 2_2_00406690 | |
| Source: | Code function: | 2_2_00436690 | |
| Source: | Code function: | 2_2_00416E97 | |
| Source: | Code function: | 2_2_00402EA0 | |
| Source: | Code function: | 2_2_004376B0 | |
| Source: | Code function: | 2_2_00426EBE | |
| Source: | Code function: | 2_2_00428F5D | |
| Source: | Code function: | 2_2_0042B763 | |
| Source: | Code function: | 2_2_00425F7D | |
| Source: | Code function: | 2_2_00414F08 | |
| Source: | Code function: | 2_2_00420717 | |
| Source: | Code function: | 2_2_00418731 | |
| Source: | Code function: | 2_2_0041EF30 | |
| Source: | Code function: | 2_2_004167A5 | |
| Source: | Code function: | 2_2_00418FAD | |
| Source: | Code function: | 2_2_0043DFB0 | |
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 2_2_00436F90 | |
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 2_2_00446062 | |
| Source: | Code function: | 2_2_0043CA63 | |
| Source: | Code function: | 2_2_00445A31 | |
| Source: | Code function: | 2_2_00442549 | |
| Source: | Code function: | 2_2_00446EA5 | |
| Source: | Code function: | 2_2_00439F7F | |
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | System information queried: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 2_2_0043B480 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FF79BC16E2C | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 311 Process Injection | 11 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 311 Process Injection | LSASS Memory | 121 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 41 Data from Local System | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 1 Process Discovery | Distributed Component Object Model | 2 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 23 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 35% | Virustotal | Browse | ||
| 29% | ReversingLabs | |||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | high | |
| mutterunurse.click | 104.21.90.18 | true | true | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high | ||
| false | high | ||
| true |
| unknown | |
| false | high | ||
| true |
| unknown | |
| false | high | ||
| false | high | ||
| false | high | ||
| false | high | ||
| false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 104.21.90.18 | mutterunurse.click | United States | 13335 | CLOUDFLARENETUS | true |
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1589840 |
| Start date and time: | 2025-01-13 08:33:18 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 22s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 5 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | tesr.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@3/0@1/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded IPs from analysis (whitelisted): 40.126.32.133, 20.190.160.14, 40.126.32.140, 40.126.32.134, 40.126.32.138, 40.126.32.72, 40.126.32.136, 40.126.32.68, 13.107.246.45, 20.109.210.53
- Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, wu-b-net.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
- Execution Graph export aborted for target tesr.exe, PID 2380 because there are no executed function
- Report size getting too big, too many NtOpenFile calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
| Time | Type | Description |
|---|---|---|
| 02:34:24 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 104.21.90.18 | Get hash | malicious | LummaC | Browse | ||
| Get hash | malicious | LummaC, DCRat, LummaC Stealer | Browse | |||
| Get hash | malicious | LummaC, MicroClip | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| bg.microsoft.map.fastly.net | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, Babadeda, DanaBot, KeyLogger, LummaC Stealer, Poverty Stealer | Browse |
|
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 7.77469193495392 |
| TrID: |
|
| File name: | tesr.exe |
| File size: | 12'735'488 bytes |
| MD5: | 4f96b4d0061d45b08d73e3526d82630f |
| SHA1: | 15d6d2445d55db393adf30f0bf7f4b649c098257 |
| SHA256: | 30bc5b4729f0ae6ea5e1eb44654e739040f29941b5e6d2436b10ae93a98e5e6b |
| SHA512: | 6b50eb6e642adb840497b95e0dd5248054752027c15627c2a6262a4e7497c78d1a7eb7b1936c7d8c6f94557b99fcb465e5514f707e04f5f7cc1efee69216a372 |
| SSDEEP: | 393216:R34OXjrnjnEEQWbPbqeQ2K3G/JXa42gqf:R4I/njtQOr50Sqf |
| TLSH: | 2CD6E1187E77EDCAB03DD022C61516334EB1A51C4625EEFA72E61794EE0B4127FCA278 |
| File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...q.Xg.........."..................n.........@.....................................f....`........................................ |
 | |
| Icon Hash: | 00928e8e8686b000 |
| Entrypoint: | 0x140066e18 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x140000000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT |
| Time Stamp: | 0x6758B071 [Tue Dec 10 21:19:45 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 7bb4e8cef6a9f350a8f5dc71e7b3773c |
| Instruction |
|---|
| dec eax |
| sub esp, 28h |
| call 00007F82E11B6710h |
| dec eax |
| add esp, 28h |
| jmp 00007F82E11B657Fh |
| int3 |
| int3 |
| dec eax |
| mov dword ptr [esp+18h], ebx |
| push ebp |
| dec eax |
| mov ebp, esp |
| dec eax |
| sub esp, 30h |
| dec eax |
| mov eax, dword ptr [00B70A00h] |
| dec eax |
| mov ebx, 2DDFA232h |
| cdq |
| sub eax, dword ptr [eax] |
| add byte ptr [eax+3Bh], cl |
| ret |
| jne 00007F82E11B6776h |
| dec eax |
| and dword ptr [ebp+10h], 00000000h |
| dec eax |
| lea ecx, dword ptr [ebp+10h] |
| call dword ptr [00A3E11Ah] |
| dec eax |
| mov eax, dword ptr [ebp+10h] |
| dec eax |
| mov dword ptr [ebp-10h], eax |
| call dword ptr [00A3E09Ch] |
| mov eax, eax |
| dec eax |
| xor dword ptr [ebp-10h], eax |
| call dword ptr [00A3E088h] |
| mov eax, eax |
| dec eax |
| lea ecx, dword ptr [ebp+18h] |
| dec eax |
| xor dword ptr [ebp-10h], eax |
| call dword ptr [00A3E180h] |
| mov eax, dword ptr [ebp+18h] |
| dec eax |
| lea ecx, dword ptr [ebp-10h] |
| dec eax |
| shl eax, 20h |
| dec eax |
| xor eax, dword ptr [ebp+18h] |
| dec eax |
| xor eax, dword ptr [ebp-10h] |
| dec eax |
| xor eax, ecx |
| dec eax |
| mov ecx, FFFFFFFFh |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xaa4b68 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xbe3000 | 0x1b4 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xbdc000 | 0x3258 | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xbe4000 | 0x4a07c | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0xaa4190 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa9b320 | 0x140 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0xaa4e30 | 0x2a0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x7cfc6 | 0x7d000 | 9bd07e9f870af6b2a93374d92225e849 | False | 0.46171875 | data | 6.514644020010848 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x7e000 | 0xa2b664 | 0xa2b800 | d68ac9f74804a89ba9c12bf99678925b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xaaa000 | 0x131170 | 0x12e800 | 18097f8c28518d19c9fba9baafbb32b8 | False | 0.21474609375 | data | 4.622978380304724 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .pdata | 0xbdc000 | 0x3258 | 0x3400 | 5f446a04078b37ffb559d94a996777d7 | False | 0.4928635817307692 | data | 5.69877292703233 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .fptable | 0xbe0000 | 0x100 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .tls | 0xbe1000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| _RDATA | 0xbe2000 | 0x280 | 0x400 | 399b49436e7cb5738787fa9dc9ba498a | False | 0.28515625 | data | 3.1707268208177206 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0xbe3000 | 0x1b4 | 0x200 | c634d544e732093fbd6947fa98151acf | False | 0.48828125 | data | 5.103911525545503 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xbe4000 | 0x4a07c | 0x4a200 | 150eb429f11475a7b7f8df38ee407679 | False | 0.01363235139123103 | data | 5.429522885159793 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_MANIFEST | 0xbe3058 | 0x15b | ASCII text, with CRLF line terminators | English | United States | 0.5446685878962536 |
| DLL | Import |
|---|---|
| KERNEL32.dll | AcquireSRWLockExclusive, CloseHandle, CreateFileW, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlsAlloc, FlsFree, FlsGetValue, FlsSetValue, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReleaseSRWLockExclusive, RtlCaptureContext, RtlLookupFunctionEntry, RtlPcToFileHeader, RtlUnwindEx, RtlVirtualUnwind, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, VirtualProtect, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-13T08:34:24.941198+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49720 | 104.21.90.18 | 443 | TCP |
| 2025-01-13T08:34:25.476622+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49720 | 104.21.90.18 | 443 | TCP |
| 2025-01-13T08:34:25.476622+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49720 | 104.21.90.18 | 443 | TCP |
| 2025-01-13T08:34:26.202678+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49722 | 104.21.90.18 | 443 | TCP |
| 2025-01-13T08:34:26.690310+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.5 | 49722 | 104.21.90.18 | 443 | TCP |
| 2025-01-13T08:34:26.690310+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49722 | 104.21.90.18 | 443 | TCP |
| 2025-01-13T08:34:27.447402+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49723 | 104.21.90.18 | 443 | TCP |
| 2025-01-13T08:34:28.392365+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.5 | 49723 | 104.21.90.18 | 443 | TCP |
| 2025-01-13T08:34:29.402372+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49725 | 104.21.90.18 | 443 | TCP |
| 2025-01-13T08:34:30.626463+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49731 | 104.21.90.18 | 443 | TCP |
| 2025-01-13T08:34:32.081543+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49742 | 104.21.90.18 | 443 | TCP |
| 2025-01-13T08:34:33.660210+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49753 | 104.21.90.18 | 443 | TCP |
| 2025-01-13T08:34:33.702654+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1 | 192.168.2.5 | 49753 | 104.21.90.18 | 443 | TCP |
| 2025-01-13T08:34:35.821669+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49770 | 104.21.90.18 | 443 | TCP |
| 2025-01-13T08:34:36.285586+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49770 | 104.21.90.18 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 13, 2025 08:34:24.447635889 CET | 49720 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:24.447679043 CET | 443 | 49720 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:24.447796106 CET | 49720 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:24.449234962 CET | 49720 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:24.449246883 CET | 443 | 49720 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:24.941124916 CET | 443 | 49720 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:24.941198111 CET | 49720 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:25.003884077 CET | 49720 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:25.003910065 CET | 443 | 49720 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:25.004364014 CET | 443 | 49720 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:25.058532953 CET | 49720 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:25.072439909 CET | 49720 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:25.072439909 CET | 49720 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:25.072597980 CET | 443 | 49720 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:25.476537943 CET | 443 | 49720 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:25.476614952 CET | 443 | 49720 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:25.476690054 CET | 49720 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:25.611721039 CET | 49720 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:25.611721039 CET | 49720 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:25.611795902 CET | 443 | 49720 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:25.611829042 CET | 443 | 49720 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:25.736054897 CET | 49722 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:25.736094952 CET | 443 | 49722 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:25.736176968 CET | 49722 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:25.736499071 CET | 49722 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:25.736512899 CET | 443 | 49722 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:26.202581882 CET | 443 | 49722 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:26.202677965 CET | 49722 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:26.216936111 CET | 49722 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:26.216952085 CET | 443 | 49722 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:26.217365026 CET | 443 | 49722 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:26.218657970 CET | 49722 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:26.218679905 CET | 49722 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:26.218753099 CET | 443 | 49722 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:26.690326929 CET | 443 | 49722 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:26.690466881 CET | 443 | 49722 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:26.690531969 CET | 49722 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:26.690557003 CET | 443 | 49722 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:26.690644026 CET | 443 | 49722 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:26.690713882 CET | 49722 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:26.690722942 CET | 443 | 49722 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:26.690805912 CET | 443 | 49722 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:26.690859079 CET | 49722 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:26.690867901 CET | 443 | 49722 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:26.690972090 CET | 443 | 49722 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:26.691023111 CET | 49722 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:26.691031933 CET | 443 | 49722 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:26.691143990 CET | 443 | 49722 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:26.691200018 CET | 49722 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:26.691207886 CET | 443 | 49722 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:26.694808960 CET | 443 | 49722 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:26.694875956 CET | 49722 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:26.694886923 CET | 443 | 49722 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:26.746153116 CET | 49722 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:26.776288986 CET | 443 | 49722 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:26.776469946 CET | 443 | 49722 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:26.776555061 CET | 443 | 49722 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:26.776645899 CET | 49722 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:26.776684999 CET | 443 | 49722 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:26.776772022 CET | 49722 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:26.776802063 CET | 443 | 49722 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:26.776865959 CET | 49722 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:26.777199030 CET | 49722 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:26.777223110 CET | 443 | 49722 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:26.777240992 CET | 49722 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:26.777247906 CET | 443 | 49722 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:26.969024897 CET | 49723 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:26.969048023 CET | 443 | 49723 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:26.969150066 CET | 49723 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:26.969614029 CET | 49723 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:26.969626904 CET | 443 | 49723 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:27.447218895 CET | 443 | 49723 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:27.447402000 CET | 49723 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:27.449387074 CET | 49723 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:27.449393034 CET | 443 | 49723 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:27.449726105 CET | 443 | 49723 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:27.455358982 CET | 49723 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:27.455599070 CET | 49723 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:27.455632925 CET | 443 | 49723 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:28.392370939 CET | 443 | 49723 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:28.392505884 CET | 443 | 49723 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:28.392608881 CET | 49723 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:28.420600891 CET | 49723 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:28.420613050 CET | 443 | 49723 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:28.942713022 CET | 49725 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:28.942771912 CET | 443 | 49725 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:28.942854881 CET | 49725 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:28.943284988 CET | 49725 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:28.943298101 CET | 443 | 49725 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:29.402265072 CET | 443 | 49725 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:29.402371883 CET | 49725 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:29.403919935 CET | 49725 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:29.403929949 CET | 443 | 49725 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:29.404290915 CET | 443 | 49725 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:29.405916929 CET | 49725 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:29.406136990 CET | 49725 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:29.406172991 CET | 443 | 49725 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:29.406234026 CET | 49725 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:29.406240940 CET | 443 | 49725 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:29.908862114 CET | 443 | 49725 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:29.908991098 CET | 443 | 49725 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:29.909046888 CET | 49725 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:29.909154892 CET | 49725 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:29.909184933 CET | 443 | 49725 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:30.146802902 CET | 49731 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:30.146914959 CET | 443 | 49731 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:30.147011042 CET | 49731 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:30.147393942 CET | 49731 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:30.147453070 CET | 443 | 49731 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:30.626389027 CET | 443 | 49731 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:30.626462936 CET | 49731 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:30.627723932 CET | 49731 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:30.627748013 CET | 443 | 49731 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:30.628026962 CET | 443 | 49731 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:30.629175901 CET | 49731 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:30.629355907 CET | 49731 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:30.629420996 CET | 443 | 49731 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:30.629492044 CET | 49731 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:30.629508972 CET | 443 | 49731 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:31.253917933 CET | 443 | 49731 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:31.254070044 CET | 443 | 49731 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:31.254132032 CET | 49731 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:31.254228115 CET | 49731 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:31.254265070 CET | 443 | 49731 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:31.625596046 CET | 49742 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:31.625643015 CET | 443 | 49742 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:31.625725985 CET | 49742 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:31.626015902 CET | 49742 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:31.626033068 CET | 443 | 49742 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:32.081274033 CET | 443 | 49742 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:32.081542969 CET | 49742 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:32.082801104 CET | 49742 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:32.082807064 CET | 443 | 49742 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:32.083050013 CET | 443 | 49742 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:32.084333897 CET | 49742 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:32.084393024 CET | 49742 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:32.084399939 CET | 443 | 49742 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:32.570246935 CET | 443 | 49742 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:32.570327997 CET | 443 | 49742 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:32.570600033 CET | 49742 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:32.570683956 CET | 49742 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:32.570702076 CET | 443 | 49742 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:33.204983950 CET | 49753 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:33.205049038 CET | 443 | 49753 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:33.205140114 CET | 49753 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:33.205498934 CET | 49753 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:33.205513954 CET | 443 | 49753 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:33.660139084 CET | 443 | 49753 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:33.660209894 CET | 49753 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:33.661497116 CET | 49753 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:33.661508083 CET | 443 | 49753 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:33.661746025 CET | 443 | 49753 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:33.701472044 CET | 49753 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:33.702179909 CET | 49753 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:33.702214003 CET | 443 | 49753 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:33.702333927 CET | 49753 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:33.702363968 CET | 443 | 49753 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:33.702497959 CET | 49753 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:33.702573061 CET | 443 | 49753 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:33.702719927 CET | 49753 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:33.702759027 CET | 443 | 49753 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:33.702924013 CET | 49753 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:33.702953100 CET | 443 | 49753 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:33.703125954 CET | 49753 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:33.703156948 CET | 443 | 49753 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:33.703169107 CET | 49753 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:33.703186035 CET | 443 | 49753 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:33.703335047 CET | 49753 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:33.703356028 CET | 443 | 49753 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:33.703385115 CET | 49753 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:33.703520060 CET | 49753 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:33.703553915 CET | 49753 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:33.712446928 CET | 443 | 49753 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:33.712611914 CET | 49753 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:33.712646961 CET | 443 | 49753 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:33.712682009 CET | 49753 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:33.712712049 CET | 49753 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:33.712745905 CET | 443 | 49753 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:33.712798119 CET | 49753 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:33.712821007 CET | 443 | 49753 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:35.310048103 CET | 443 | 49753 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:35.310156107 CET | 443 | 49753 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:35.310209990 CET | 49753 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:35.310828924 CET | 49753 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:35.310838938 CET | 443 | 49753 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:35.363749027 CET | 49770 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:35.363787889 CET | 443 | 49770 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:35.363887072 CET | 49770 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:35.364439011 CET | 49770 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:35.364468098 CET | 443 | 49770 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:35.821491957 CET | 443 | 49770 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:35.821669102 CET | 49770 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:35.823514938 CET | 49770 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:35.823525906 CET | 443 | 49770 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:35.823883057 CET | 443 | 49770 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:35.825725079 CET | 49770 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:35.825787067 CET | 49770 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:35.825826883 CET | 443 | 49770 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:36.285614014 CET | 443 | 49770 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:36.285731077 CET | 443 | 49770 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:36.285836935 CET | 49770 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:36.286104918 CET | 49770 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:36.286145926 CET | 443 | 49770 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:36.286175966 CET | 49770 | 443 | 192.168.2.5 | 104.21.90.18 |
| Jan 13, 2025 08:34:36.286191940 CET | 443 | 49770 | 104.21.90.18 | 192.168.2.5 |
| Jan 13, 2025 08:34:41.067404985 CET | 49373 | 53 | 192.168.2.5 | 1.1.1.1 |
| Jan 13, 2025 08:34:41.072734118 CET | 53 | 49373 | 1.1.1.1 | 192.168.2.5 |
| Jan 13, 2025 08:34:41.072819948 CET | 49373 | 53 | 192.168.2.5 | 1.1.1.1 |
| Jan 13, 2025 08:34:41.080611944 CET | 53 | 49373 | 1.1.1.1 | 192.168.2.5 |
| Jan 13, 2025 08:34:41.517918110 CET | 49373 | 53 | 192.168.2.5 | 1.1.1.1 |
| Jan 13, 2025 08:34:41.523590088 CET | 53 | 49373 | 1.1.1.1 | 192.168.2.5 |
| Jan 13, 2025 08:34:41.523649931 CET | 49373 | 53 | 192.168.2.5 | 1.1.1.1 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 13, 2025 08:34:24.417380095 CET | 51160 | 53 | 192.168.2.5 | 1.1.1.1 |
| Jan 13, 2025 08:34:24.442120075 CET | 53 | 51160 | 1.1.1.1 | 192.168.2.5 |
| Jan 13, 2025 08:34:41.066189051 CET | 53 | 61715 | 1.1.1.1 | 192.168.2.5 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jan 13, 2025 08:34:24.417380095 CET | 192.168.2.5 | 1.1.1.1 | 0x2848 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jan 13, 2025 08:34:20.688806057 CET | 1.1.1.1 | 192.168.2.5 | 0x355b | No error (0) | 199.232.214.172 | A (IP address) | IN (0x0001) | false | ||
| Jan 13, 2025 08:34:20.688806057 CET | 1.1.1.1 | 192.168.2.5 | 0x355b | No error (0) | 199.232.210.172 | A (IP address) | IN (0x0001) | false | ||
| Jan 13, 2025 08:34:24.442120075 CET | 1.1.1.1 | 192.168.2.5 | 0x2848 | No error (0) | 104.21.90.18 | A (IP address) | IN (0x0001) | false | ||
| Jan 13, 2025 08:34:24.442120075 CET | 1.1.1.1 | 192.168.2.5 | 0x2848 | No error (0) | 172.67.151.5 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49720 | 104.21.90.18 | 443 | 5392 | C:\Windows\SysWOW64\dxdiag.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-13 07:34:25 UTC | 265 | OUT | |
| 2025-01-13 07:34:25 UTC | 8 | OUT | |
| 2025-01-13 07:34:25 UTC | 1125 | IN | |
| 2025-01-13 07:34:25 UTC | 7 | IN | |
| 2025-01-13 07:34:25 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.5 | 49722 | 104.21.90.18 | 443 | 5392 | C:\Windows\SysWOW64\dxdiag.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-13 07:34:26 UTC | 266 | OUT | |
| 2025-01-13 07:34:26 UTC | 45 | OUT | |
| 2025-01-13 07:34:26 UTC | 1127 | IN | |
| 2025-01-13 07:34:26 UTC | 242 | IN | |
| 2025-01-13 07:34:26 UTC | 1369 | IN | |
| 2025-01-13 07:34:26 UTC | 1369 | IN | |
| 2025-01-13 07:34:26 UTC | 167 | IN | |
| 2025-01-13 07:34:26 UTC | 1369 | IN | |
| 2025-01-13 07:34:26 UTC | 1369 | IN | |
| 2025-01-13 07:34:26 UTC | 1369 | IN | |
| 2025-01-13 07:34:26 UTC | 1369 | IN | |
| 2025-01-13 07:34:26 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.5 | 49723 | 104.21.90.18 | 443 | 5392 | C:\Windows\SysWOW64\dxdiag.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-13 07:34:27 UTC | 279 | OUT | |
| 2025-01-13 07:34:27 UTC | 12803 | OUT | |
| 2025-01-13 07:34:28 UTC | 1138 | IN | |
| 2025-01-13 07:34:28 UTC | 20 | IN | |
| 2025-01-13 07:34:28 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.5 | 49725 | 104.21.90.18 | 443 | 5392 | C:\Windows\SysWOW64\dxdiag.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-13 07:34:29 UTC | 283 | OUT | |
| 2025-01-13 07:34:29 UTC | 15069 | OUT | |
| 2025-01-13 07:34:29 UTC | 1135 | IN | |
| 2025-01-13 07:34:29 UTC | 20 | IN | |
| 2025-01-13 07:34:29 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.5 | 49731 | 104.21.90.18 | 443 | 5392 | C:\Windows\SysWOW64\dxdiag.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-13 07:34:30 UTC | 281 | OUT | |
| 2025-01-13 07:34:30 UTC | 15331 | OUT | |
| 2025-01-13 07:34:30 UTC | 5216 | OUT | |
| 2025-01-13 07:34:31 UTC | 1133 | IN | |
| 2025-01-13 07:34:31 UTC | 20 | IN | |
| 2025-01-13 07:34:31 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.5 | 49742 | 104.21.90.18 | 443 | 5392 | C:\Windows\SysWOW64\dxdiag.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-13 07:34:32 UTC | 278 | OUT | |
| 2025-01-13 07:34:32 UTC | 1231 | OUT | |
| 2025-01-13 07:34:32 UTC | 1130 | IN | |
| 2025-01-13 07:34:32 UTC | 20 | IN | |
| 2025-01-13 07:34:32 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.5 | 49753 | 104.21.90.18 | 443 | 5392 | C:\Windows\SysWOW64\dxdiag.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-13 07:34:33 UTC | 284 | OUT | |
| 2025-01-13 07:34:33 UTC | 15331 | OUT | |
| 2025-01-13 07:34:33 UTC | 15331 | OUT | |
| 2025-01-13 07:34:33 UTC | 15331 | OUT | |
| 2025-01-13 07:34:33 UTC | 15331 | OUT | |
| 2025-01-13 07:34:33 UTC | 15331 | OUT | |
| 2025-01-13 07:34:33 UTC | 15331 | OUT | |
| 2025-01-13 07:34:33 UTC | 15331 | OUT | |
| 2025-01-13 07:34:33 UTC | 15331 | OUT | |
| 2025-01-13 07:34:33 UTC | 15331 | OUT | |
| 2025-01-13 07:34:33 UTC | 15331 | OUT | |
| 2025-01-13 07:34:35 UTC | 1143 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.5 | 49770 | 104.21.90.18 | 443 | 5392 | C:\Windows\SysWOW64\dxdiag.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-13 07:34:35 UTC | 266 | OUT | |
| 2025-01-13 07:34:35 UTC | 80 | OUT | |
| 2025-01-13 07:34:36 UTC | 1125 | IN | |
| 2025-01-13 07:34:36 UTC | 54 | IN | |
| 2025-01-13 07:34:36 UTC | 5 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 02:34:22 |
| Start date: | 13/01/2025 |
| Path: | C:\Users\user\Desktop\tesr.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff79bbb0000 |
| File size: | 12'735'488 bytes |
| MD5 hash: | 4F96B4D0061D45B08D73E3526D82630F |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 02:34:23 |
| Start date: | 13/01/2025 |
| Path: | C:\Windows\SysWOW64\dxdiag.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xa50000 |
| File size: | 222'720 bytes |
| MD5 hash: | 24D3F0DB6CCF0C341EA4F6B206DF2EDF |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | moderate |
| Has exited: | true |
Function 00007FF79BC16E2C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 10.9% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 68.2% |
| Total number of Nodes: | 289 |
| Total number of Limit Nodes: | 24 |
Graph
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00436F90 Relevance: 35.6, APIs: 11, Strings: 9, Instructions: 571memorycomCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004215F0 Relevance: 28.1, Strings: 22, Instructions: 608COMMON
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040A960 Relevance: 9.2, Strings: 7, Instructions: 401COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040CE55 Relevance: 9.0, Strings: 7, Instructions: 275COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004087F0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 127threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00436C40 Relevance: 6.5, Strings: 5, Instructions: 265COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040C36E Relevance: 6.5, Strings: 5, Instructions: 203COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004097B0 Relevance: 5.4, Strings: 4, Instructions: 396COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426170 Relevance: 5.3, Strings: 4, Instructions: 318COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00416B7E Relevance: 1.8, APIs: 1, Instructions: 335COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043E690 Relevance: 1.6, Strings: 1, Instructions: 384COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043B480 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00417E82 Relevance: 1.5, Strings: 1, Instructions: 236COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043DBD0 Relevance: 1.3, Strings: 1, Instructions: 97COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00409CC0 Relevance: 1.3, Strings: 1, Instructions: 64COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00410FD6 Relevance: .9, Instructions: 882COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043DCF0 Relevance: .3, Instructions: 272COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00439B90 Relevance: .2, Instructions: 236COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043B720 Relevance: 3.0, APIs: 2, Instructions: 31COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043B420 Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00430879 Relevance: 1.5, APIs: 1, Instructions: 28COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042E343 Relevance: 1.5, APIs: 1, Instructions: 27COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040CDF0 Relevance: 1.5, APIs: 1, Instructions: 17COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040CE23 Relevance: 1.5, APIs: 1, Instructions: 17COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00439B60 Relevance: 1.5, APIs: 1, Instructions: 15memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00439B40 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00423E4B Relevance: 34.4, Strings: 27, Instructions: 700COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00436690 Relevance: 19.0, Strings: 15, Instructions: 246COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00424D70 Relevance: 14.4, Strings: 11, Instructions: 627COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00425920 Relevance: 12.9, Strings: 10, Instructions: 398COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00431A30 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109clipboardCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00409360 Relevance: 10.4, Strings: 8, Instructions: 405COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004296D8 Relevance: 9.1, Strings: 7, Instructions: 340COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041DE40 Relevance: 8.4, Strings: 6, Instructions: 886COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041C360 Relevance: 8.1, Strings: 6, Instructions: 626COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042D085 Relevance: 6.6, Strings: 5, Instructions: 368COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004280B0 Relevance: 5.4, Strings: 4, Instructions: 440COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043533A Relevance: 5.4, Strings: 4, Instructions: 405COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00415ADC Relevance: 5.4, Strings: 4, Instructions: 398COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00418731 Relevance: 4.1, Strings: 3, Instructions: 330COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00418FAD Relevance: 4.1, Strings: 3, Instructions: 307COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004192BA Relevance: 4.0, Strings: 3, Instructions: 300COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D44C Relevance: 3.9, Strings: 3, Instructions: 187COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00420717 Relevance: 3.4, Strings: 2, Instructions: 854COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404BA0 Relevance: 3.3, Strings: 2, Instructions: 815COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043A3F0 Relevance: 3.2, Strings: 2, Instructions: 711COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00414F08 Relevance: 3.1, Strings: 2, Instructions: 609COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00422270 Relevance: 3.0, Strings: 2, Instructions: 501COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00422CF8 Relevance: 2.9, Strings: 2, Instructions: 399COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00427C9D Relevance: 2.9, Strings: 2, Instructions: 357COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404270 Relevance: 2.8, Strings: 2, Instructions: 329COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00409070 Relevance: 2.8, Strings: 2, Instructions: 292COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00423A00 Relevance: 2.8, Strings: 2, Instructions: 287COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041BA48 Relevance: 2.8, Strings: 2, Instructions: 254COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041D074 Relevance: 2.7, Strings: 2, Instructions: 211COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041D087 Relevance: 2.7, Strings: 2, Instructions: 207COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004376B0 Relevance: 2.7, Strings: 2, Instructions: 196COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042536C Relevance: 2.7, Strings: 2, Instructions: 185COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00427653 Relevance: 2.6, Strings: 2, Instructions: 86COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00415EE0 Relevance: 1.9, Strings: 1, Instructions: 625COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00437900 Relevance: 1.7, Strings: 1, Instructions: 497COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00414A40 Relevance: 1.7, Strings: 1, Instructions: 471COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004266E7 Relevance: 1.7, Strings: 1, Instructions: 424COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042297F Relevance: 1.7, Strings: 1, Instructions: 408COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042A630 Relevance: 1.6, Strings: 1, Instructions: 396COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00417190 Relevance: 1.6, Strings: 1, Instructions: 375COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426EBE Relevance: 1.6, Strings: 1, Instructions: 350COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00421EE0 Relevance: 1.6, Strings: 1, Instructions: 332COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00434C4D Relevance: 1.6, Strings: 1, Instructions: 311COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041CB5A Relevance: 1.6, Strings: 1, Instructions: 304COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004301D0 Relevance: 1.5, Strings: 1, Instructions: 285COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041D420 Relevance: 1.5, Strings: 1, Instructions: 268COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405E60 Relevance: 1.5, Strings: 1, Instructions: 265COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043A030 Relevance: 1.5, Strings: 1, Instructions: 254COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042A100 Relevance: 1.5, Strings: 1, Instructions: 241COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042AAD0 Relevance: 1.5, Strings: 1, Instructions: 236COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00416571 Relevance: 1.5, Strings: 1, Instructions: 227COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004156D0 Relevance: 1.5, Strings: 1, Instructions: 219COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042BA8D Relevance: 1.5, Strings: 1, Instructions: 216COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00423D30 Relevance: 1.5, Strings: 1, Instructions: 212COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00423E30 Relevance: 1.4, Strings: 1, Instructions: 179COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00425F7D Relevance: 1.4, Strings: 1, Instructions: 153COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042B4BB Relevance: 1.4, Strings: 1, Instructions: 138COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00425230 Relevance: 1.3, Strings: 1, Instructions: 96COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402EA0 Relevance: .7, Instructions: 675COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406690 Relevance: .7, Instructions: 665COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041EF30 Relevance: .6, Instructions: 647COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407470 Relevance: .6, Instructions: 625COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00411B1B Relevance: .6, Instructions: 612COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004038C0 Relevance: .6, Instructions: 600COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043CAC0 Relevance: .5, Instructions: 548COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043CBD6 Relevance: .5, Instructions: 461COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405910 Relevance: .4, Instructions: 449COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004380D9 Relevance: .4, Instructions: 422COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004081F0 Relevance: .4, Instructions: 408COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043CCE0 Relevance: .4, Instructions: 394COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004286F0 Relevance: .4, Instructions: 392COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043CD60 Relevance: .4, Instructions: 355COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043E2C0 Relevance: .3, Instructions: 349COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043CE00 Relevance: .3, Instructions: 332COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00416E97 Relevance: .3, Instructions: 316COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00418C1E Relevance: .3, Instructions: 307COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406200 Relevance: .3, Instructions: 303COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043DFB0 Relevance: .3, Instructions: 274COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00428F5D Relevance: .3, Instructions: 257COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040CA54 Relevance: .2, Instructions: 247COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B351 Relevance: .2, Instructions: 243COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004167A5 Relevance: .2, Instructions: 233COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041D8E0 Relevance: .2, Instructions: 227COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00425670 Relevance: .2, Instructions: 218COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00436430 Relevance: .2, Instructions: 189COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041CEA5 Relevance: .2, Instructions: 188COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041AE00 Relevance: .2, Instructions: 186COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041DC20 Relevance: .2, Instructions: 184COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00427307 Relevance: .2, Instructions: 174COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00408990 Relevance: .1, Instructions: 131COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004292D0 Relevance: .1, Instructions: 119COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00436B20 Relevance: .1, Instructions: 116COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041597D Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004345F0 Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042A060 Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402B70 Relevance: .0, Instructions: 43COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042B475 Relevance: .0, Instructions: 16COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040C274 Relevance: .0, Instructions: 13COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|