Windows
Analysis Report
Set-Up.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- Set-Up.exe (PID: 7352 cmdline: "C:\Users\user\Desktop\Set-Up.exe" MD5: 76F313AD20BD3DA35EF5A7460CAF4F95)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions before stealing further sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads as EXE, DLL, and PowerShell. | No Attribution | | |
{"C2 url": ["finickypwk.lat", "washyceehsu.lat", "miniatureyu.lat", "shoefeatthe.lat", "kickykiduz.lat", "skatestringje.click", "bloodyswif.lat", "leggelatez.lat", "savorraiykj.lat"], "Build id": "c2CoW0--Ledgerlive"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
Windows_Trojan_Donutloader_f40e3759 | unknown | unknown | |
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-15T16:00:24.847971+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49730 | 104.21.75.15 | 443 | TCP |
2025-01-15T16:00:25.936479+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 104.21.75.15 | 443 | TCP |
2025-01-15T16:00:27.348911+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 104.21.75.15 | 443 | TCP |
2025-01-15T16:00:28.931914+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49734 | 104.21.75.15 | 443 | TCP |
2025-01-15T16:00:30.837224+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49739 | 104.21.75.15 | 443 | TCP |
2025-01-15T16:00:32.588655+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49741 | 104.21.75.15 | 443 | TCP |
2025-01-15T16:00:34.421280+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49742 | 104.21.75.15 | 443 | TCP |
2025-01-15T16:00:36.208851+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49743 | 104.21.75.15 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-15T16:00:25.414691+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 104.21.75.15 | 443 | TCP |
2025-01-15T16:00:26.445797+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 104.21.75.15 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-15T16:00:25.414691+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 104.21.75.15 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-15T16:00:26.445797+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 104.21.75.15 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-15T16:00:33.116234+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 104.21.75.15 | 443 | TCP |
AV Detection |
---|
Networking |
---|
System Summary |
---|
Malware Analysis System Evasion |
---|
HIPS / PFW / Operating System Protection Evasion |
---|
Stealing of Sensitive Information |
---|
Remote Access Functionality |
---|
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 21 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 Query Registry | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 221 Security Software Discovery | Remote Desktop Protocol | 41 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 3 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 22 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
5% | ReversingLabs | Win32.Trojan.Generic |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
0% | Avira URL Cloud | safe | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
skatestringje.click | 104.21.75.15 | true | true | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
104.21.75.15 | skatestringje.click | United States | | 13335 | CLOUDFLARENETUS | true |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1591971 |
Start date and time: | 2025-01-15 15:59:13 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 38s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 4 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | Set-Up.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@1/0@1/1 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45, 4.245.163.56
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description |
---|---|---|
10:00:24 | API Interceptor | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CLOUDFLARENETUS | | Get hash | malicious | Unknown | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | LummaC Stealer | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | Unknown | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | Phisher | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | HTMLPhisher | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | Unknown | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | Unknown | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | Unknown | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | Unknown | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | Unknown | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | LummaC Stealer | Browse | |
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | PureCrypter, LummaC, LummaC Stealer | Browse | |
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | PureCrypter, LummaC, LummaC Stealer | Browse | |
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | Unknown | Browse | |
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | LummaC | Browse | |
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | Unknown | Browse | |
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | LummaC | Browse | |
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | LummaC | Browse | |
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | LummaC | Browse | |
File type: | |
Entropy (8bit): | 6.78818972799906 |
TrID: | |
File name: | Set-Up.exe |
File size: | 4'180'480 bytes |
MD5: | 76f313ad20bd3da35ef5a7460caf4f95 |
SHA1: | 49143bd00a24052d706b743fe7b5bc22c20c3316 |
SHA256: | e876204ffcf70dda59de05b571e800f5bdfe096c9fbc3714470366201e8e40d1 |
SHA512: | ff65504bbf473b9417e456e2cf4bd8d1efd5104af6bd2f77e267d82c2b228795c9780e11d7a2e56001b08d090879503c73782f136b8021fbd2bacc7a81f75e79 |
SSDEEP: | 49152:LoBfXRxe0XP/kSmciUHmk9kHUuoea2cUKwTKJ74uO7tTV:LotjX9pNi0uoea2NKuuOZZ |
TLSH: | 13167D23B385553EC8AA073A5837A654AD3F762136369C4F6AF44D4C9F361802B3B74B |
File Content Preview: | MZP.....................@...............................................!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
Icon Hash: | 0686929296964012 |
Entrypoint: | 0x701178 |
Entrypoint Section: | .itext |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI |
DLL Characteristics: | |
Time Stamp: | 0x5F455700 [Tue Aug 25 18:22:56 2020 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | ba8c2ef14d8c5cf1cbcc3bca811bd263 |
Signature Valid: | |
Signature Issuer: | |
Signature Validation Error: | |
Error Number: | |
Not Before, Not After: | |
Subject Chain: | |
Version: | |
Thumbprint MD5: | |
Thumbprint SHA-1: | |
Thumbprint SHA-256: | |
Serial: |
Instruction |
---|
push ebp |
mov ebp, esp |
add esp, FFFFFFF0h |
push ebx |
mov eax, 006F6510h |
call 00007FC0009AF6F8h |
push 007011F8h |
push 00000001h |
push 00000000h |
push 00000000h |
call 00007FC0009B3B40h |
mov ebx, eax |
test ebx, ebx |
je 00007FC000CA06DCh |
call 00007FC0009B3C65h |
cmp eax, 000000B7h |
je 00007FC000CA06D0h |
mov eax, dword ptr [0071DF2Ch] |
mov eax, dword ptr [eax] |
call 00007FC000BA2606h |
mov eax, dword ptr [0071DF2Ch] |
mov eax, dword ptr [eax] |
xor edx, edx |
call 00007FC000BA4340h |
mov ecx, dword ptr [0071E094h] |
mov eax, dword ptr [0071DF2Ch] |
mov eax, dword ptr [eax] |
mov edx, dword ptr [006F2BB0h] |
call 00007FC000BA25F8h |
mov eax, dword ptr [0071DF2Ch] |
mov eax, dword ptr [eax] |
call 00007FC000BA2748h |
push ebx |
call 00007FC0009B3A9Ah |
pop ebx |
call 00007FC0009AA0F4h |
add byte ptr [eax], al |
add byte ptr [ebx+00h], bh |
inc edx |
add byte ptr [ebx], dh |
add byte ptr [44003900h], dh |
add byte ptr [esi+00h], al |
xor byte ptr [eax], al |
inc ebp |
add byte ptr [41003800h], ch |
add byte ptr [eax+eax+31h], al |
add byte ptr [35003400h], ch |
add byte ptr [edx], dh |
add byte ptr [edi], dh |
add byte ptr [31003800h], ch |
add byte ptr [esi+00h], al |
xor eax, 46002D00h |
add byte ptr [ecx+00h], al |
cmp byte ptr [eax], al |
xor al, 00h |
inc ebx |
add byte ptr [ebp+00h], al |
inc esi |
add byte ptr [esi+00h], al |
inc ebx |
add byte ptr [esi], dh |
add byte ptr [eax+eax], dh |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x352000 | 0x7d | .edata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x34c000 | 0x4138 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x397000 | 0x9a400 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x28cfedf8 | 0x2f68 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x355000 | 0x41278 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x354000 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x34cc04 | 0xa10 | .idata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x351000 | 0xa8e | .didata |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x2fd330 | 0x2fd400 | 0dd4cf72dd79dd42a6e6826fa5bc5eea | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.itext | 0x2ff000 | 0x2248 | 0x2400 | 5b21e1f84dbc1222b746825775fcb6c0 | False | 0.494140625 | data | 6.050330167413764 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.data | 0x302000 | 0x1c24c | 0x1c400 | dfca59b96aa7a1a3b7893fbd53fc8f35 | False | 0.2870143113938053 | data | 5.608868591059476 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.bss | 0x31f000 | 0x2cff4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0x34c000 | 0x4138 | 0x4200 | 839f34fc0718f638548fb409bda055ce | False | 0.31019176136363635 | data | 5.227274724912847 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.didata | 0x351000 | 0xa8e | 0xc00 | 4013e764f6cf0185ccaf591a307674ce | False | 0.3203125 | data | 3.8640332491361935 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.edata | 0x352000 | 0x7d | 0x200 | 9c877d3ec62b360e1547502fe81fd195 | False | 0.216796875 | data | 1.5311475320385028 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.tls | 0x353000 | 0x4c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0x354000 | 0x5d | 0x200 | 21e564d90e1a827f7e00c4e232a9f325 | False | 0.189453125 | data | 1.364558174968107 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x355000 | 0x41278 | 0x41400 | 8216932dbffa341b0735501425d7a829 | False | 0.5633156728927203 | data | 6.722327249661793 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.rsrc | 0x397000 | 0x9a400 | 0x9a400 | 4c133402447961129806f1ca47914803 | False | 0.5059543405591572 | data | 6.779058353732661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_CURSOR | 0x398fe8 | 0x134 | data | English | United States | 0.43506493506493504 |
RT_CURSOR | 0x39911c | 0x134 | data | English | United States | 0.4642857142857143 |
RT_CURSOR | 0x399250 | 0x134 | data | English | United States | 0.4805194805194805 |
RT_CURSOR | 0x399384 | 0x134 | data | English | United States | 0.38311688311688313 |
RT_CURSOR | 0x3994b8 | 0x134 | data | English | United States | 0.36038961038961037 |
RT_CURSOR | 0x3995ec | 0x134 | data | English | United States | 0.4090909090909091 |
RT_CURSOR | 0x399720 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468 |
RT_CURSOR | 0x399854 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635 |
RT_BITMAP | 0x399988 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066 |
RT_BITMAP | 0x399b58 | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | English | United States | 0.46487603305785125 |
RT_BITMAP | 0x399d3c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066 |
RT_BITMAP | 0x399f0c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39870689655172414 |
RT_BITMAP | 0x39a0dc | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.4245689655172414 |
RT_BITMAP | 0x39a2ac | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5021551724137931 |
RT_BITMAP | 0x39a47c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5064655172413793 |
RT_BITMAP | 0x39a64c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105 |
RT_BITMAP | 0x39a81c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5344827586206896 |
RT_BITMAP | 0x39a9ec | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105 |
RT_BITMAP | 0x39abbc | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.5208333333333334 |
RT_BITMAP | 0x39ac7c | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.42857142857142855 |
RT_BITMAP | 0x39ad5c | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.4955357142857143 |
RT_BITMAP | 0x39ae3c | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.38392857142857145 |
RT_BITMAP | 0x39af1c | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.4947916666666667 |
RT_BITMAP | 0x39afdc | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.484375 |
RT_BITMAP | 0x39b09c | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.42410714285714285 |
RT_BITMAP | 0x39b17c | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.5104166666666666 |
RT_BITMAP | 0x39b23c | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.5 |
RT_BITMAP | 0x39b31c | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.4895833333333333 |
RT_BITMAP | 0x39b3dc | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.3794642857142857 |
RT_ICON | 0x39b4bc | 0x962 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8776019983347211 |
RT_ICON | 0x39be20 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.01937182065538862 |
RT_ICON | 0x3ac648 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08309128630705394 |
RT_ICON | 0x3aebf0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.08466228893058161 |
RT_ICON | 0x3afc98 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.11790780141843972 |
RT_ICON | 0x3b0100 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.5623827392120075 |
RT_ICON | 0x3b11a8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.6229508196721312 |
RT_ICON | 0x3b1b30 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.6285460992907801 |
RT_ICON | 0x3b1f98 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.38506224066390043 |
RT_ICON | 0x3b4540 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.5581613508442776 |
RT_ICON | 0x3b55e8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.6344262295081967 |
RT_ICON | 0x3b5f70 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.62677304964539 |
RT_ICON | 0x3b63d8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5322614107883817 |
RT_ICON | 0x3b8980 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.6894934333958724 |
RT_ICON | 0x3b9a28 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.7204918032786886 |
RT_ICON | 0x3ba3b0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.8182624113475178 |
RT_ICON | 0x3ba818 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.4315352697095436 |
RT_ICON | 0x3bcdc0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.3543621013133208 |
RT_ICON | 0x3bde68 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.3782786885245902 |
RT_ICON | 0x3be7f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.5203900709219859 |
RT_ICON | 0x3bec58 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.725177304964539 |
RT_ICON | 0x3bf0c0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.5836065573770491 |
RT_ICON | 0x3bfa48 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.48334896810506567 |
RT_ICON | 0x3c0af0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.37946058091286305 |
RT_ICON | 0x3c3098 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2688, 256 important colors | English | United States | 0.6020788912579957 |
RT_ICON | 0x3c3f40 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152, 256 important colors | English | United States | 0.7242779783393501 |
RT_ICON | 0x3c47e8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 672, 256 important colors | English | United States | 0.630184331797235 |
RT_ICON | 0x3c4eb0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320, 256 important colors | English | United States | 0.4508670520231214 |
RT_ICON | 0x3c5418 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2688, 256 important colors | English | United States | 0.5407782515991472 |
RT_ICON | 0x3c62c0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152, 256 important colors | English | United States | 0.730595667870036 |
RT_ICON | 0x3c6b68 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 672, 256 important colors | English | United States | 0.6751152073732719 |
RT_ICON | 0x3c7230 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320, 256 important colors | English | United States | 0.4313583815028902 |
RT_ICON | 0x3c7798 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2688, 256 important colors | English | United States | 0.5074626865671642 |
RT_ICON | 0x3c8640 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152, 256 important colors | English | United States | 0.7152527075812274 |
RT_ICON | 0x3c8ee8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 672, 256 important colors | English | United States | 0.6514976958525346 |
RT_ICON | 0x3c95b0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320, 256 important colors | English | United States | 0.44508670520231214 |
RT_ICON | 0x3c9b18 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2688, 256 important colors | English | United States | 0.6295309168443497 |
RT_ICON | 0x3ca9c0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152, 256 important colors | English | United States | 0.7369133574007221 |
RT_ICON | 0x3cb268 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 672, 256 important colors | English | United States | 0.6607142857142857 |
RT_ICON | 0x3cb930 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320, 256 important colors | English | United States | 0.5072254335260116 |
RT_ICON | 0x3cbe98 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2688, 256 important colors | English | United States | 0.5471748400852878 |
RT_ICON | 0x3ccd40 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152, 256 important colors | English | United States | 0.5555054151624549 |
RT_ICON | 0x3cd5e8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 672, 256 important colors | English | United States | 0.4573732718894009 |
RT_ICON | 0x3cdcb0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320, 256 important colors | English | United States | 0.3699421965317919 |
RT_ICON | 0x3ce218 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2688, 256 important colors | English | United States | 0.3947228144989339 |
RT_ICON | 0x3cf0c0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152, 256 important colors | English | United States | 0.4151624548736462 |
RT_ICON | 0x3cf968 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 672, 256 important colors | English | United States | 0.396889400921659 |
RT_ICON | 0x3d0030 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320, 256 important colors | English | United States | 0.3157514450867052 |
RT_ICON | 0x3d0598 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5226141078838175 |
RT_ICON | 0x3d2b40 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.6083489681050657 |
RT_ICON | 0x3d3be8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.6983606557377049 |
RT_ICON | 0x3d4570 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.799645390070922 |
RT_ICON | 0x3d49d8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.4228215767634855 |
RT_STRING | 0x3d6f80 | 0xb0 | data | | | 0.6306818181818182 |
RT_STRING | 0x3d7030 | 0x560 | DOS executable (COM, 0x8C-variant) | | | 0.4113372093023256 |
RT_STRING | 0x3d7590 | 0xb5c | data | | | 0.2548143053645117 |
RT_STRING | 0x3d80ec | 0x69c | data | | | 0.3120567375886525 |
RT_STRING | 0x3d8788 | 0x2dc | data | | | 0.412568306010929 |
RT_STRING | 0x3d8a64 | 0x240 | data | | | 0.4427083333333333 |
RT_STRING | 0x3d8ca4 | 0x1c4 | data | | | 0.5309734513274337 |
RT_STRING | 0x3d8e68 | 0x3e8 | data | | | 0.425 |
RT_STRING | 0x3d9250 | 0x3ec | data | | | 0.3286852589641434 |
RT_STRING | 0x3d963c | 0x2cc | data | | | 0.4553072625698324 |
RT_STRING | 0x3d9908 | 0x464 | StarOffice Gallery theme l, 1677731072 objects, 1st l | | | 0.39768683274021355 |
RT_STRING | 0x3d9d6c | 0xa0 | data | | | 0.7125 |
RT_STRING | 0x3d9e0c | 0xe4 | data | | | 0.6359649122807017 |
RT_STRING | 0x3d9ef0 | 0x114 | data | | | 0.6195652173913043 |
RT_STRING | 0x3da004 | 0x3d0 | data | | | 0.38524590163934425 |
RT_STRING | 0x3da3d4 | 0x414 | data | | | 0.3726053639846743 |
RT_STRING | 0x3da7e8 | 0x3c0 | data | | | 0.3885416666666667 |
RT_STRING | 0x3daba8 | 0x3d8 | data | | | 0.28252032520325204 |
RT_STRING | 0x3daf80 | 0x3d8 | data | | | 0.4329268292682927 |
RT_STRING | 0x3db358 | 0x430 | data | | | 0.36847014925373134 |
RT_STRING | 0x3db788 | 0x664 | data | | | 0.31234718826405866 |
RT_STRING | 0x3dbdec | 0x478 | data | | | 0.32604895104895104 |
RT_STRING | 0x3dc264 | 0x34c | data | | | 0.42298578199052134 |
RT_STRING | 0x3dc5b0 | 0x32c | data | | | 0.3645320197044335 |
RT_STRING | 0x3dc8dc | 0x438 | data | | | 0.3907407407407407 |
RT_STRING | 0x3dcd14 | 0x1ac | data | | | 0.4672897196261682 |
RT_STRING | 0x3dcec0 | 0xcc | data | | | 0.6274509803921569 |
RT_STRING | 0x3dcf8c | 0x198 | data | | | 0.5612745098039216 |
RT_STRING | 0x3dd124 | 0x3c8 | data | | | 0.37913223140495866 |
RT_STRING | 0x3dd4ec | 0x3b4 | data | | | 0.3407172995780591 |
RT_STRING | 0x3dd8a0 | 0x354 | data | | | 0.3884976525821596 |
RT_STRING | 0x3ddbf4 | 0x304 | data | | | 0.38212435233160624 |
RT_RCDATA | 0x3ddef8 | 0x10 | data | | | 1.5 |
RT_RCDATA | 0x3ddf08 | 0xaa4 | data | | | 0.5029368575624082 |
RT_RCDATA | 0x3de9ac | 0x2 | data | English | United States | 5.0 |
RT_RCDATA | 0x3de9b0 | 0x5b2 | Delphi compiled form 'TBaseSurveyForm' | | | 0.4828532235939643 |
RT_RCDATA | 0x3def64 | 0x453 | Delphi compiled form 'TStyleSelectionForm' | | | 0.5121951219512195 |
RT_RCDATA | 0x3df3b8 | 0x353 | Delphi compiled form 'TTrackBarDialog' | | | 0.5229142185663925 |
RT_RCDATA | 0x3df70c | 0x958 | Delphi compiled form 'TUniversalToolbarForm' | | | 0.4088628762541806 |
RT_GROUP_CURSOR | 0x3e0064 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25 |
RT_GROUP_CURSOR | 0x3e0078 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x3e008c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25 |
RT_GROUP_CURSOR | 0x3e00a0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x3e00b4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x3e00c8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x3e00dc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x3e00f0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_ICON | 0x3e0104 | 0x4c | data | English | United States | 0.7894736842105263 |
RT_GROUP_ICON | 0x3e0150 | 0x3e | data | English | United States | 0.8870967741935484 |
RT_GROUP_ICON | 0x3e0190 | 0x3e | data | English | United States | 0.8870967741935484 |
RT_GROUP_ICON | 0x3e01d0 | 0x3e | data | English | United States | 0.8870967741935484 |
RT_GROUP_ICON | 0x3e0210 | 0x3e | data | English | United States | 0.8870967741935484 |
RT_GROUP_ICON | 0x3e0250 | 0x3e | data | English | United States | 0.8870967741935484 |
RT_GROUP_ICON | 0x3e0290 | 0x3e | data | English | United States | 0.8387096774193549 |
RT_GROUP_ICON | 0x3e02d0 | 0x3e | data | English | United States | 0.8870967741935484 |
RT_GROUP_ICON | 0x3e0310 | 0x3e | data | English | United States | 0.8870967741935484 |
RT_GROUP_ICON | 0x3e0350 | 0x3e | data | English | United States | 0.8870967741935484 |
RT_GROUP_ICON | 0x3e0390 | 0x3e | data | English | United States | 0.8870967741935484 |
RT_GROUP_ICON | 0x3e03d0 | 0x3e | data | English | United States | 0.8870967741935484 |
RT_GROUP_ICON | 0x3e0410 | 0x3e | data | English | United States | 0.8870967741935484 |
RT_VERSION | 0x3e0450 | 0x17c | data | English | United States | 0.5684210526315789 |
RT_MANIFEST | 0x3e05cc | 0x2e9 | XML 1.0 document, ASCII text, with CRLF, LF line terminators | English | United States | 0.4993288590604027 |
DLL | Import |
---|---|
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen |
advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey |
user32.dll | CharNextW, LoadStringW |
kernel32.dll | Sleep, VirtualFree, VirtualAlloc, lstrlenW, VirtualQuery, QueryPerformanceCounter, GetTickCount, GetSystemInfo, GetVersion, CompareStringW, IsDBCSLeadByteEx, IsValidLocale, SetThreadLocale, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetLocaleInfoW, WideCharToMultiByte, MultiByteToWideChar, GetConsoleOutputCP, GetConsoleCP, GetACP, LoadLibraryExW, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetCommandLineW, FreeLibrary, GetLastError, UnhandledExceptionFilter, RtlUnwind, RaiseException, ExitProcess, ExitThread, SwitchToThread, GetCurrentThreadId, CreateThread, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, FindFirstFileW, FindClose, SetCurrentDirectoryW, GetCurrentDirectoryW, WriteFile, SetFilePointer, SetEndOfFile, ReadFile, GetFileType, GetFileSize, CreateFileW, GetStdHandle, CloseHandle |
kernel32.dll | GetProcAddress, RaiseException, LoadLibraryA, GetLastError, TlsSetValue, TlsGetValue, LocalFree, LocalAlloc, GetModuleHandleW, FreeLibrary |
user32.dll | SetClassLongW, GetClassLongW, SetWindowLongW, GetWindowLongW, CreateWindowExW, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassW, UnhookWinEvent, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCaret, SetWinEventHook, SetWindowRgn, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetForegroundWindow, SetFocus, SetCursorPos, SetCursor, SetClipboardData, SetCapture, SetActiveWindow, SendMessageA, SendMessageW, ScrollWindow, ScreenToClient, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassW, RedrawWindow, PtInRect, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OpenClipboard, OffsetRect, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LoadStringW, LoadKeyboardLayoutW, LoadImageW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsDialogMessageW, IsChild, InvalidateRect, InsertMenuItemW, InsertMenuW, InflateRect, HideCaret, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetScrollBarInfo, GetPropW, GetParent, GetWindow, GetMessagePos, GetMessageExtraInfo, GetMenuStringW, GetMenuState, GetMenuItemRect, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgItem, GetDlgCtrlID, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetComboBoxInfo, GetClipboardData, GetClientRect, GetClassNameW, GetClassInfoExW, GetClassInfoW, GetCapture, GetActiveWindow, FrameRect, FindWindowExW, FindWindowW, FillRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EndMenu, EndDeferWindowPos, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextExW, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DeferWindowPos, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIconIndirect, CreateIcon, CreateAcceleratorTableW, CopyImage, CopyIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CharUpperBuffW, CharUpperW, CharNextW, CharLowerBuffW, CharLowerW, CallWindowProcW, CallNextHookEx, BringWindowToTop, BeginPaint, BeginDeferWindowPos, AdjustWindowRectEx, ActivateKeyboardLayout |
gdi32.dll | UnrealizeObject, StretchDIBits, StretchBlt, StartPage, StartDocW, SetWorldTransform, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetRectRgn, SetROP2, SetPixel, SetGraphicsMode, SetEnhMetaFileBits, SetDIBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SetAbortProc, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RoundRect, RestoreDC, ResizePalette, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PolyBezierTo, PolyBezier, PlayEnhMetaFile, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetViewportOrgEx, GetTextMetricsW, GetTextExtentPointW, GetTextExtentPoint32W, GetTextColor, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectW, GetNearestPaletteIndex, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionW, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetCurrentPositionEx, GetCurrentObject, GetClipBox, GetBrushOrgEx, GetBkMode, GetBitmapBits, GdiFlush, FrameRgn, ExtTextOutW, ExtFloodFill, ExtCreateRegion, ExcludeClipRect, EnumFontsW, EnumFontFamiliesExW, EndPage, EndDoc, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRoundRectRgn, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateICW, CreateHalftonePalette, CreateFontIndirectW, CreateDIBitmap, CreateDIBSection, CreateDCW, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileW, CombineRgn, Chord, BitBlt, ArcTo, Arc, AngleArc, AbortDoc |
version.dll | VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW |
kernel32.dll | lstrcmpW, WriteFile, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, WaitForMultipleObjects, VirtualQueryEx, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, VerSetConditionMask, VerifyVersionInfoW, UnmapViewOfFile, TryEnterCriticalSection, SystemTimeToFileTime, SwitchToThread, SuspendThread, Sleep, SizeofResource, SetThreadPriority, SetThreadLocale, SetPriorityClass, SetLastError, SetFileTime, SetFilePointer, SetFileAttributesW, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, RemoveDirectoryW, ReadFile, RaiseException, QueryPerformanceFrequency, QueryPerformanceCounter, QueryDosDeviceW, IsDebuggerPresent, OpenProcess, MultiByteToWideChar, MulDiv, MoveFileW, MapViewOfFile, LockResource, LocalFree, LocalFileTimeToFileTime, LoadResource, LoadLibraryW, LeaveCriticalSection, IsValidLocale, InitializeCriticalSection, HeapSize, HeapFree, HeapDestroy, HeapCreate, HeapAlloc, GlobalUnlock, GlobalMemoryStatus, GlobalLock, GlobalFree, GlobalFindAtomW, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomW, GetVolumeInformationW, GetVersionExW, GetVersion, GetTimeZoneInformation, GetTickCount, GetThreadPriority, GetThreadLocale, GetStdHandle, GetShortPathNameW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLogicalDriveStringsW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeThread, GetDriveTypeW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetComputerNameW, GetCPInfoExW, GetCPInfo, GetACP, FreeResource, InterlockedExchange, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FlushFileBuffers, FindResourceW, FindNextFileW, FindFirstFileW, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumSystemLocalesW, EnumResourceNamesW, EnumCalendarInfoW, EnterCriticalSection, DosDateTimeToFileTime, DeleteFileW, DeleteCriticalSection, CreateThread, CreateSemaphoreW, CreateFileMappingW, CreateFileW, CreateEventW, CreateDirectoryW, CopyFileW, CompareStringW, CloseHandle |
advapi32.dll | RegUnLoadKeyW, RegSetValueExW, RegSaveKeyW, RegRestoreKeyW, RegReplaceKeyW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegLoadKeyW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegConnectRegistryW, RegCloseKey, GetUserNameW |
SHFolder.dll | SHGetFolderPathW |
kernel32.dll | Sleep |
netapi32.dll | NetWkstaGetInfo |
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit |
oleaut32.dll | GetErrorInfo, GetActiveObject, SysFreeString |
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoTaskMemAlloc, ProgIDFromCLSID, StringFromCLSID, CoCreateInstance, CoUninitialize, CoInitialize, IsEqualGUID |
comctl32.dll | InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_GetImageInfo, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Copy, ImageList_LoadImageW, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_SetOverlayImage, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls |
user32.dll | EnumDisplayMonitors, GetMonitorInfoW, MonitorFromPoint, MonitorFromRect, MonitorFromWindow |
msvcrt.dll | isxdigit, isupper, isspace, ispunct, isprint, islower, isgraph, isdigit, iscntrl, isalpha, isalnum, toupper, tolower, strchr, strlen, strncmp, memset, memcpy, memcmp |
shell32.dll | SHGetFileInfoW, ShellExecuteW, Shell_NotifyIconW |
wininet.dll | InternetReadFile, InternetOpenUrlA, InternetOpenA, InternetCloseHandle |
shell32.dll | SHGetFolderPathW, SHGetSpecialFolderPathW, SHGetPathFromIDListW, SHGetDesktopFolder |
winspool.drv | OpenPrinterW, EnumPrintersW, DocumentPropertiesW, ClosePrinter |
winspool.drv | GetDefaultPrinterW |
Name | Ordinal | Address |
---|---|---|
TMethodImplementationIntercept | 2 | 0x46451c |
dbkFCallWrapperAddr | 1 | 0x721c5c |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-15T16:00:24.847971+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49730 | 104.21.75.15 | 443 | TCP |
2025-01-15T16:00:25.414691+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49730 | 104.21.75.15 | 443 | TCP |
2025-01-15T16:00:25.414691+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49730 | 104.21.75.15 | 443 | TCP |
2025-01-15T16:00:25.936479+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 104.21.75.15 | 443 | TCP |
2025-01-15T16:00:26.445797+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49731 | 104.21.75.15 | 443 | TCP |
2025-01-15T16:00:26.445797+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49731 | 104.21.75.15 | 443 | TCP |
2025-01-15T16:00:27.348911+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49732 | 104.21.75.15 | 443 | TCP |
2025-01-15T16:00:28.931914+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49734 | 104.21.75.15 | 443 | TCP |
2025-01-15T16:00:30.837224+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49739 | 104.21.75.15 | 443 | TCP |
2025-01-15T16:00:32.588655+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49741 | 104.21.75.15 | 443 | TCP |
2025-01-15T16:00:33.116234+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49741 | 104.21.75.15 | 443 | TCP |
2025-01-15T16:00:34.421280+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49742 | 104.21.75.15 | 443 | TCP |
2025-01-15T16:00:36.208851+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49743 | 104.21.75.15 | 443 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 15, 2025 16:00:24.314404964 CET | 49730 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:24.314451933 CET | 443 | 49730 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:24.314538002 CET | 49730 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:24.340953112 CET | 49730 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:24.340971947 CET | 443 | 49730 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:24.847775936 CET | 443 | 49730 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:24.847970963 CET | 49730 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:24.853384972 CET | 49730 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:24.853396893 CET | 443 | 49730 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:24.853693962 CET | 443 | 49730 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:24.896075010 CET | 49730 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:24.999063969 CET | 49730 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:24.999106884 CET | 49730 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:24.999239922 CET | 443 | 49730 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:25.414693117 CET | 443 | 49730 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:25.414788961 CET | 443 | 49730 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:25.414904118 CET | 49730 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:25.432760000 CET | 49730 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:25.432799101 CET | 443 | 49730 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:25.450400114 CET | 49731 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:25.450448990 CET | 443 | 49731 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:25.450546980 CET | 49731 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:25.451437950 CET | 49731 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:25.451452017 CET | 443 | 49731 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:25.936301947 CET | 443 | 49731 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:25.936479092 CET | 49731 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:25.938179016 CET | 49731 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:25.938208103 CET | 443 | 49731 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:25.938498974 CET | 443 | 49731 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:25.940035105 CET | 49731 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:25.940073013 CET | 49731 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:25.940140963 CET | 443 | 49731 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:26.445779085 CET | 443 | 49731 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:26.445830107 CET | 443 | 49731 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:26.445871115 CET | 443 | 49731 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:26.445894957 CET | 443 | 49731 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:26.445929050 CET | 443 | 49731 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:26.445920944 CET | 49731 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:26.445976019 CET | 443 | 49731 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:26.446000099 CET | 49731 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:26.446017027 CET | 49731 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:26.446022034 CET | 443 | 49731 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:26.446034908 CET | 443 | 49731 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:26.446079016 CET | 49731 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:26.446089029 CET | 443 | 49731 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:26.446234941 CET | 443 | 49731 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:26.446274996 CET | 443 | 49731 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:26.446278095 CET | 49731 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:26.446286917 CET | 443 | 49731 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:26.446326971 CET | 49731 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:26.450351954 CET | 443 | 49731 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:26.489845991 CET | 49731 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:26.539154053 CET | 443 | 49731 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:26.539261103 CET | 443 | 49731 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:26.539336920 CET | 49731 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:26.539372921 CET | 443 | 49731 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:26.539393902 CET | 443 | 49731 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:26.539442062 CET | 49731 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:26.539578915 CET | 49731 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:26.539593935 CET | 443 | 49731 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:26.539608002 CET | 49731 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:26.539614916 CET | 443 | 49731 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:26.843839884 CET | 49732 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:26.843883991 CET | 443 | 49732 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:26.843955040 CET | 49732 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:26.844322920 CET | 49732 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:26.844335079 CET | 443 | 49732 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:27.348839045 CET | 443 | 49732 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:27.348911047 CET | 49732 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:27.350403070 CET | 49732 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:27.350418091 CET | 443 | 49732 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:27.350651979 CET | 443 | 49732 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:27.352061987 CET | 49732 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:27.352251053 CET | 49732 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:27.352277994 CET | 443 | 49732 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:27.352333069 CET | 49732 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:27.352341890 CET | 443 | 49732 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:28.239523888 CET | 443 | 49732 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:28.239634991 CET | 443 | 49732 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:28.239892960 CET | 49732 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:28.240056038 CET | 49732 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:28.240080118 CET | 443 | 49732 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:28.432362080 CET | 49734 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:28.432425022 CET | 443 | 49734 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:28.432668924 CET | 49734 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:28.433001995 CET | 49734 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:28.433018923 CET | 443 | 49734 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:28.931799889 CET | 443 | 49734 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:28.931914091 CET | 49734 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:28.934040070 CET | 49734 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:28.934053898 CET | 443 | 49734 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:28.934395075 CET | 443 | 49734 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:28.936141968 CET | 49734 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:28.936378956 CET | 49734 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:28.936412096 CET | 443 | 49734 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:29.710129976 CET | 443 | 49734 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:29.710258961 CET | 443 | 49734 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:29.710305929 CET | 49734 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:29.710441113 CET | 49734 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:29.710464001 CET | 443 | 49734 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:30.315380096 CET | 49739 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:30.315438032 CET | 443 | 49739 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:30.315502882 CET | 49739 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:30.316034079 CET | 49739 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:30.316051006 CET | 443 | 49739 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:30.837142944 CET | 443 | 49739 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:30.837224007 CET | 49739 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:30.838898897 CET | 49739 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:30.838927031 CET | 443 | 49739 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:30.839215040 CET | 443 | 49739 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:30.848427057 CET | 49739 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:30.848567009 CET | 49739 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:30.848620892 CET | 443 | 49739 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:30.848694086 CET | 49739 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:30.848710060 CET | 443 | 49739 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:31.657031059 CET | 443 | 49739 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:31.657151937 CET | 443 | 49739 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:31.657206059 CET | 49739 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:31.657282114 CET | 49739 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:31.657303095 CET | 443 | 49739 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:32.093009949 CET | 49741 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:32.093074083 CET | 443 | 49741 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:32.093199968 CET | 49741 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:32.093547106 CET | 49741 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:32.093561888 CET | 443 | 49741 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:32.588531971 CET | 443 | 49741 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:32.588654995 CET | 49741 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:32.589922905 CET | 49741 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:32.589942932 CET | 443 | 49741 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:32.590244055 CET | 443 | 49741 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:32.598501921 CET | 49741 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:32.598596096 CET | 49741 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:32.598607063 CET | 443 | 49741 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:33.116240978 CET | 443 | 49741 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:33.116399050 CET | 443 | 49741 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:33.116501093 CET | 49741 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:33.116663933 CET | 49741 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:33.116689920 CET | 443 | 49741 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:33.931654930 CET | 49742 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:33.931756020 CET | 443 | 49742 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:33.931880951 CET | 49742 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:33.932185888 CET | 49742 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:33.932205915 CET | 443 | 49742 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:34.421163082 CET | 443 | 49742 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:34.421279907 CET | 49742 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:34.422616005 CET | 49742 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:34.422643900 CET | 443 | 49742 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:34.422924042 CET | 443 | 49742 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:34.424267054 CET | 49742 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:34.425034046 CET | 49742 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:34.425081015 CET | 443 | 49742 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:34.425190926 CET | 49742 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:34.425230980 CET | 443 | 49742 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:34.425357103 CET | 49742 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:34.425389051 CET | 443 | 49742 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:34.425534010 CET | 49742 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:34.425564051 CET | 443 | 49742 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:34.425724030 CET | 49742 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:34.425757885 CET | 443 | 49742 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:34.425946951 CET | 49742 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:34.425987005 CET | 443 | 49742 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:34.426001072 CET | 49742 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:34.426153898 CET | 49742 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:34.426192045 CET | 49742 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:34.435127020 CET | 443 | 49742 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:34.435347080 CET | 49742 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:34.435404062 CET | 443 | 49742 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:34.435441017 CET | 49742 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:34.435468912 CET | 443 | 49742 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:34.435527086 CET | 49742 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:34.435551882 CET | 443 | 49742 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:34.435587883 CET | 49742 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:34.435645103 CET | 49742 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:34.440437078 CET | 443 | 49742 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:36.068288088 CET | 443 | 49742 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:36.068533897 CET | 443 | 49742 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:36.068619013 CET | 49742 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:36.068741083 CET | 49742 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:36.068767071 CET | 443 | 49742 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:36.101927042 CET | 49743 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:36.101977110 CET | 443 | 49743 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:36.102065086 CET | 49743 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:36.102350950 CET | 49743 | 443 | 192.168.2.4 | 104.21.75.15 |
Jan 15, 2025 16:00:36.102366924 CET | 443 | 49743 | 104.21.75.15 | 192.168.2.4 |
Jan 15, 2025 16:00:36.208851099 CET | 49743 | 443 | 192.168.2.4 | 104.21.75.15 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 15, 2025 16:00:24.292221069 CET | 63242 | 53 | 192.168.2.4 | 1.1.1.1 |
Jan 15, 2025 16:00:24.307174921 CET | 53 | 63242 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Jan 15, 2025 16:00:24.292221069 CET | 192.168.2.4 | 1.1.1.1 | 0x8453 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Jan 15, 2025 16:00:24.307174921 CET | 1.1.1.1 | 192.168.2.4 | 0x8453 | No error (0) | | | 104.21.75.15 | A (IP address) | IN (0x0001) | false |
Jan 15, 2025 16:00:24.307174921 CET | 1.1.1.1 | 192.168.2.4 | 0x8453 | No error (0) | | | 172.67.166.121 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.4 | 49730 | 104.21.75.15 | 443 | 7352 | C:\Users\user\Desktop\Set-Up.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-15 15:00:24 UTC | 266 | OUT | |
2025-01-15 15:00:24 UTC | 8 | OUT | |
2025-01-15 15:00:25 UTC | 1130 | IN | |
2025-01-15 15:00:25 UTC | 7 | IN | |
2025-01-15 15:00:25 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.4 | 49731 | 104.21.75.15 | 443 | 7352 | C:\Users\user\Desktop\Set-Up.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-15 15:00:25 UTC | 267 | OUT | |
2025-01-15 15:00:25 UTC | 52 | OUT | |
2025-01-15 15:00:26 UTC | 1130 | IN | |
2025-01-15 15:00:26 UTC | 239 | IN | |
2025-01-15 15:00:26 UTC | 1369 | IN | |
2025-01-15 15:00:26 UTC | 1369 | IN | |
2025-01-15 15:00:26 UTC | 1369 | IN | |
2025-01-15 15:00:26 UTC | 1369 | IN | |
2025-01-15 15:00:26 UTC | 1369 | IN | |
2025-01-15 15:00:26 UTC | 1369 | IN | |
2025-01-15 15:00:26 UTC | 1369 | IN | |
2025-01-15 15:00:26 UTC | 1369 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.4 | 49732 | 104.21.75.15 | 443 | 7352 | C:\Users\user\Desktop\Set-Up.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-15 15:00:27 UTC | 275 | OUT | |
2025-01-15 15:00:27 UTC | 15331 | OUT | |
2025-01-15 15:00:27 UTC | 2777 | OUT | |
2025-01-15 15:00:28 UTC | 1133 | IN | |
2025-01-15 15:00:28 UTC | 20 | IN | |
2025-01-15 15:00:28 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.4 | 49734 | 104.21.75.15 | 443 | 7352 | C:\Users\user\Desktop\Set-Up.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-15 15:00:28 UTC | 285 | OUT | |
2025-01-15 15:00:28 UTC | 8795 | OUT | |
2025-01-15 15:00:29 UTC | 1134 | IN | |
2025-01-15 15:00:29 UTC | 20 | IN | |
2025-01-15 15:00:29 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.4 | 49739 | 104.21.75.15 | 443 | 7352 | C:\Users\user\Desktop\Set-Up.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-15 15:00:30 UTC | 285 | OUT | |
2025-01-15 15:00:30 UTC | 15331 | OUT | |
2025-01-15 15:00:30 UTC | 5111 | OUT | |
2025-01-15 15:00:31 UTC | 1141 | IN | |
2025-01-15 15:00:31 UTC | 20 | IN | |
2025-01-15 15:00:31 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.4 | 49741 | 104.21.75.15 | 443 | 7352 | C:\Users\user\Desktop\Set-Up.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-15 15:00:32 UTC | 285 | OUT | |
2025-01-15 15:00:32 UTC | 1422 | OUT | |
2025-01-15 15:00:33 UTC | 1127 | IN | |
2025-01-15 15:00:33 UTC | 20 | IN | |
2025-01-15 15:00:33 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.4 | 49742 | 104.21.75.15 | 443 | 7352 | C:\Users\user\Desktop\Set-Up.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-15 15:00:34 UTC | 286 | OUT | |
2025-01-15 15:00:34 UTC | 15331 | OUT | |
2025-01-15 15:00:34 UTC | 15331 | OUT | |
2025-01-15 15:00:34 UTC | 15331 | OUT | |
2025-01-15 15:00:34 UTC | 15331 | OUT | |
2025-01-15 15:00:34 UTC | 15331 | OUT | |
2025-01-15 15:00:34 UTC | 15331 | OUT | |
2025-01-15 15:00:34 UTC | 15331 | OUT | |
2025-01-15 15:00:34 UTC | 15331 | OUT | |
2025-01-15 15:00:34 UTC | 15331 | OUT | |
2025-01-15 15:00:34 UTC | 15331 | OUT | |
2025-01-15 15:00:36 UTC | 1136 | IN |
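The Suricata alerts and the per-session byte counts above are easier to judge together than apart. The script below is an added example by the editor, not part of the Joe Sandbox report: it embeds the alert rows and session byte counts copied from the tables on this page, correlates each HTTPS session with the alerts that fired on its source port, and classifies the session by transfer volume. The volume thresholds (8 KiB out, 4 KiB in) and the reading of SID 2054653 as "check-in" and SID 2048094 as "exfiltration" are assumptions for illustration, taken from the signature names rather than from the rule bodies.

```python
"""Correlate Suricata alerts with TLS session volumes from the sandbox tables.

Added example (not from the Joe Sandbox report). Data rows are copied from the
report's alert and HTTPS-session tables; thresholds and labels are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed thresholds: one session uploading >= 8 KiB or downloading >= 4 KiB
# is treated as bulk transfer rather than a beacon-sized check-in.
UPLOAD_THRESHOLD = 8 * 1024
DOWNLOAD_THRESHOLD = 4 * 1024

# SIDs taken from the alert table; their meaning is read off the signature names.
SID_JA3 = 2028371       # ET JA3 Hash - Possible Malware - Fake Firefox Font Update
SID_CHECKIN = 2054653   # ET MALWARE Lumma Stealer CnC Host Checkin
SID_EXFIL = 2048094     # ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

# (sid, source port) for every alert row on this page (all to 104.21.75.15:443).
ALERTS = [
    (2028371, 49730), (2049836, 49730), (2054653, 49730),
    (2028371, 49731), (2049812, 49731), (2054653, 49731),
    (2028371, 49732), (2028371, 49734), (2028371, 49739),
    (2028371, 49741), (2048094, 49741),
    (2028371, 49742), (2028371, 49743),
]

# session id -> (source port, [(direction, bytes), ...]) from the HTTPS session tables.
SESSIONS = {
    0: (49730, [("OUT", 266), ("OUT", 8), ("IN", 1130), ("IN", 7), ("IN", 5)]),
    1: (49731, [("OUT", 267), ("OUT", 52), ("IN", 1130), ("IN", 239)] + [("IN", 1369)] * 8),
    2: (49732, [("OUT", 275), ("OUT", 15331), ("OUT", 2777), ("IN", 1133), ("IN", 20), ("IN", 5)]),
    3: (49734, [("OUT", 285), ("OUT", 8795), ("IN", 1134), ("IN", 20), ("IN", 5)]),
    4: (49739, [("OUT", 285), ("OUT", 15331), ("OUT", 5111), ("IN", 1141), ("IN", 20), ("IN", 5)]),
    5: (49741, [("OUT", 285), ("OUT", 1422), ("IN", 1127), ("IN", 20), ("IN", 5)]),
    6: (49742, [("OUT", 286)] + [("OUT", 15331)] * 10 + [("IN", 1136)]),
}


@dataclass(frozen=True)
class Verdict:
    session: int
    port: int
    bytes_out: int
    bytes_in: int
    kind: str          # "upload", "download" or "checkin"
    sids: tuple        # Suricata SIDs that fired on this session's source port


def classify(bytes_out: int, bytes_in: int) -> str:
    """Volume-only label; the first ~1.1 KiB inbound is the TLS handshake, so
    a plain check-in still shows about that much data coming back."""
    if bytes_out >= UPLOAD_THRESHOLD:
        return "upload"
    if bytes_in >= DOWNLOAD_THRESHOLD:
        return "download"
    return "checkin"


def triage(sessions=SESSIONS, alerts=ALERTS) -> dict:
    """Join alerts to sessions on the client source port and label each session."""
    sids_by_port = defaultdict(set)
    for sid, port in alerts:
        sids_by_port[port].add(sid)
    verdicts = {}
    for session_id, (port, transfers) in sessions.items():
        out = sum(n for direction, n in transfers if direction == "OUT")
        inbound = sum(n for direction, n in transfers if direction == "IN")
        verdicts[session_id] = Verdict(
            session_id, port, out, inbound, classify(out, inbound),
            tuple(sorted(sids_by_port[port])),
        )
    return verdicts


def summary(verdicts: dict) -> dict:
    """Figures a responder would put in the ticket: total upload volume, which
    sessions carried it, and where the signature-based exfil alert actually fired."""
    return {
        "total_out": sum(v.bytes_out for v in verdicts.values()),
        "upload_sessions": sorted(v.session for v in verdicts.values() if v.kind == "upload"),
        "exfil_alert_ports": sorted(v.port for v in verdicts.values() if SID_EXFIL in v.sids),
    }


if __name__ == "__main__":
    verdicts = triage()
    for v in verdicts.values():
        print(f"session {v.session} port {v.port}: out={v.bytes_out:>7} in={v.bytes_in:>6} "
              f"{v.kind:<8} sids={v.sids}")
    print(summary(verdicts))
```

Run as-is, the script reproduces the shape of the capture: sessions 0 and 1 are beacon-sized check-ins that carry the CnC check-in signature (session 1 pulls about 12 KiB back), sessions 2, 3, 4 and 6 push data out, and session 6 alone uploads ten 15,331-byte writes within one second while only the JA3 signature fires on it. The exfiltration signature fires on session 5, which sends under 2 KiB. Signature matches and volume therefore flag different sessions of the same run, which is the practical reason to keep a per-flow byte-count rule next to the ET signatures.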
Target ID: | 0 |
Start time: | 10:00:10 |
Start date: | 15/01/2025 |
Path: | C:\Users\user\Desktop\Set-Up.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 4'180'480 bytes |
MD5 hash: | 76F313AD20BD3DA35EF5A7460CAF4F95 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | Borland Delphi |
Yara matches: |
|
Reputation: | low |
Has exited: | true |
Execution Graph
Execution Coverage: | 1.5% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 31.6% |
Total number of Nodes: | 117 |
Total number of Limit Nodes: | 10 |
Functions

Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
026AF556 | 12.7 | 8 | | 730 | memory, native, thread, COMMON |
02660396 | 9.1 | 2 | 3 | 399 | thread, COMMON |
02660956 | 3.6 | 1 | 1 | 103 | thread, COMMON |
026B01D4 | 3.6 | 1 | 1 | 66 | library, COMMON |
026AEE26 | 2.8 | 2 | | 325 | memory, COMMON |
02672C33 | 88.1 | | 69 | 1868 | COMMON |
0268411E | 65.4 | | 52 | 355 | COMMON |
02680853 | 16.7 | | 13 | 489 | COMMON |
026720FF | 13.0 | | 10 | 508 | COMMON |
0269AAE3 | 11.9 | | 9 | 697 | COMMON |
02681733 | 11.7 | | 9 | 469 | COMMON |
0266AD43 | 11.6 | | 9 | 352 | COMMON |
0267BAC5 | 11.5 | | 9 | 275 | COMMON |
026952C4 | 9.1 | | 7 | 304 | COMMON |
02694B6B | 9.0 | | 7 | 295 | COMMON |
0267915A | 8.8 | | 7 | 37 | COMMON |
0269DF63 | 5.7 | | 4 | 665 | COMMON |
0266C173 | 5.5 | | 4 | 500 | COMMON |
02672866 | 4.0 | | 3 | 271 | COMMON |
02675CBB | 4.0 | | 3 | 254 | COMMON |
02665AA3 | 2.8 | | 2 | 329 | COMMON |
0268A781 | 2.8 | | 2 | 303 | COMMON |
026774A7 | 2.8 | | 2 | 256 | COMMON |
0268E7C1 | 2.7 | | 2 | 190 | COMMON |
0267A853 | 2.7 | | 2 | 178 | COMMON |
0268E852 | 2.7 | | 2 | 170 | COMMON |
0267AD5E | 2.6 | | 2 | 139 | COMMON |
02679773 | 2.2 | | 1 | 905 | COMMON |
0269B583 | 1.7 | | 1 | 428 | COMMON |
0268CD73 | 1.6 | | 1 | 396 | COMMON |
0268D6DF | 1.6 | | 1 | 359 | COMMON |
02688293 | 1.6 | | 1 | 334 | COMMON |
0268DA0D | 1.6 | | 1 | 306 | COMMON |
0268DF6F | 1.6 | | 1 | 305 | COMMON |
0267A503 | 1.6 | | 1 | 300 | COMMON |
026A1CD3 | 1.5 | | 1 | 299 | COMMON |
0267BEFB | 1.5 | | 1 | 297 | COMMON |
02674E33 | 1.5 | | 1 | 282 | COMMON |
026778D7 | 1.5 | | 1 | 280 | COMMON |
02693A93 | 1.5 | | 1 | 260 | COMMON |
0266E03A | 1.5 | | 1 | 246 | COMMON |
0268D233 | 1.5 | | 1 | 236 | COMMON |
0266E5AA | 1.5 | | 1 | 206 | COMMON |
0269A4F3 | 1.4 | | 1 | 185 | COMMON |
0266B1C3 | 1.3 | | 1 | 75 | COMMON |
0269DBC3 | 1.3 | | 1 | 74 | COMMON |
026A1263 | 1.3 | | 1 | 73 | COMMON |
026901E3 | 0.9 | | | 874 | COMMON |
0267F0C3 | 0.8 | | | 782 | COMMON |
026646D3 | 0.7 | | | 670 | COMMON |
02667E93 | 0.7 | | | 665 | COMMON |
02668C73 | 0.6 | | | 625 | COMMON |
026650F3 | 0.6 | | | 600 | COMMON |
|
Yara matches |
Similarity |
|
Function 02682343 Relevance: .5, Instructions: 453COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 026670F3 Relevance: .4, Instructions: 448COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 02681E63 Relevance: .4, Instructions: 428COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 026A1343 Relevance: .4, Instructions: 388COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0267CE13 Relevance: .3, Instructions: 337COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 02667A03 Relevance: .3, Instructions: 303COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 02693487 Relevance: .3, Instructions: 276COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 026A1723 Relevance: .3, Instructions: 273COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 02691A0D Relevance: .3, Instructions: 269COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 026A1A13 Relevance: .3, Instructions: 255COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 02669ED3 Relevance: .3, Instructions: 255COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 02682813 Relevance: .2, Instructions: 249COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 02695E53 Relevance: .2, Instructions: 211COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0267E9E3 Relevance: .2, Instructions: 204COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0268E084 Relevance: .2, Instructions: 180COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0268E02D Relevance: .2, Instructions: 178COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0269DD13 Relevance: .2, Instructions: 174COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0269A943 Relevance: .2, Instructions: 163COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0267A2C3 Relevance: .2, Instructions: 160COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0268E06F Relevance: .2, Instructions: 156COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0269BA03 Relevance: .1, Instructions: 143COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0269BB73 Relevance: .1, Instructions: 126COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 02685DBC Relevance: .1, Instructions: 126COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0268A21C Relevance: .1, Instructions: 114COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 02676F38 Relevance: .1, Instructions: 112COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 02660FA6 Relevance: .1, Instructions: 107COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0268AC53 Relevance: .1, Instructions: 106COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0268ED3A Relevance: .1, Instructions: 90COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 02660FA5 Relevance: .1, Instructions: 66COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 02698403 Relevance: .1, Instructions: 64COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0268B723 Relevance: .1, Instructions: 63COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0268A0FA Relevance: .1, Instructions: 60COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0267AF0D Relevance: .1, Instructions: 56COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 02677C3F Relevance: .1, Instructions: 56COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 02676DDB Relevance: .1, Instructions: 51COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0269DEF3 Relevance: .0, Instructions: 46COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 02660D06 Relevance: .0, Instructions: 33COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0268D7B7 Relevance: .0, Instructions: 32COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 02686D03 Relevance: .0, Instructions: 29COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0267EC53 Relevance: .0, Instructions: 26COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0266D863 Relevance: .0, Instructions: 23COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|