Windows Analysis Report: 5Setup.exe
Overview

General Information

Detection

Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
- System is w10x64
- 5Setup.exe (PID: 4960, cmdline: "C:\Users\user\Desktop\5Setup.exe", MD5: 535428C4F1622391FA1F79D1210A308E)
  - BitLockerToGo.exe (PID: 6512, cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe", MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | |

Extracted configuration:

```json
{"C2 url": ["fashionablei.sbs", "mediavelk.sbs", "ostracizez.sbs", "elaboretib.sbs", "arenbootk.sbs", "offybirhtdi.sbs", "strikebripm.sbs", "activedomest.sbs", "definitib.sbs"], "Build id": "tLYMe5--2"}
```
Rule | Description | Author |
---|---|---|
JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |

Rule | Description | Author |
---|---|---|
JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
Msfpayloads_msf_9 | Metasploit Payloads - file msf.war - contents | Florian Roth |
JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |

Rule | Description | Author |
---|---|---|
JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-24T14:42:20.261247+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 188.114.96.3 | 443 | TCP |
2024-10-24T14:42:23.149975+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 188.114.96.3 | 443 | TCP |
2024-10-24T14:42:33.574427+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49745 | 188.114.96.3 | 443 | TCP |
2024-10-24T14:42:20.261247+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 188.114.96.3 | 443 | TCP |
2024-10-24T14:42:23.149975+0200 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 188.114.96.3 | 443 | TCP |
2024-10-24T14:42:31.244380+0200 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49743 | 188.114.96.3 | 443 | TCP |
AV Detection

Signature types triggered (matched values are not included in this export):
- Malware Configuration Extractor
- Integrated Neural Analysis Model
- String decryptor
- Code function
- Static PE information
- HTTPS traffic detected
- Binary string
Networking

Signature types triggered (matched values are not included in this export):
- Suricata IDS
- URLs
- IP Address
- ASN Name
- JA3 fingerprint
- HTTP traffic detected
- UDP traffic detected without corresponding DNS query
- DNS traffic detected
- String found in binary or memory
- Network traffic detected
- HTTPS traffic detected
- Code function
System Summary

Signature types triggered (matched values are not included in this export):
- Matched rule
- Code function
- Binary or memory string
- Static PE information
- Classification label
- Key opened
- String found in binary or memory
- Process created
- Section loaded
- Static file information
- Binary string
- Process information set
Malware Analysis System Evasion

Signature types triggered (matched values are not included in this export):
- System information queried
- Thread sleep time
- WMI Queries
- Binary or memory string
- Process information queried
- Code function
HIPS / PFW / Operating System Protection Evasion

Signature types triggered (matched values are not included in this export):
- Memory allocated
- Memory written
- String found in binary or memory
- Process created
- Queries volume information
- Key value queried
- WMI Queries
Stealing of Sensitive Information

Signature types triggered (matched values are not included in this export):
- File source
- String found in binary or memory
- File opened
- Directory queried
Remote Access Functionality

Signature types triggered (matched values are not included in this export):
- File source
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 311 Process Injection | 11 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 111 Security Software Discovery | Remote Services | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 311 Process Injection | LSASS Memory | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 41 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | 2 Clipboard Data | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 22 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
fashionablei.sbs | 188.114.96.3 | true | true | | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
188.114.96.3 | fashionablei.sbs | European Union | | 13335 | CLOUDFLARENETUS | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1541177 |
Start date and time: | 2024-10-24 14:41:07 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 3m 57s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 5 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | 5Setup.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@3/0@1/1 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target 5Setup.exe, PID 4960, because there are no executed functions
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- VT rate limit hit for: 5Setup.exe
Time | Type | Description |
---|---|---|
08:42:18 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
188.114.96.3 | | Get hash | malicious | AgentTesla | Browse | |
| | Get hash | malicious | FormBook | Browse | |
| | Get hash | malicious | PureLog Stealer | Browse | |
| | Get hash | malicious | FormBook | Browse | |
| | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | |
| | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | |
| | Get hash | malicious | Shikitega, Xmrig | Browse | |
| | Get hash | malicious | Unknown | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CLOUDFLARENETUS | | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | HtmlDropper | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | HTMLPhisher | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | |
| | Get hash | malicious | GuLoader, Snake Keylogger | Browse | |
| | Get hash | malicious | PureLog Stealer, Snake Keylogger | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | HTMLPhisher | Browse | |
| | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | |
| | Get hash | malicious | LummaC, Amadey, Credential Flusher, Stealc, Vidar | Browse | |
| | Get hash | malicious | LummaC, Stealc | Browse | |
File type: | |
Entropy (8bit): | 6.438889818745099 |
TrID: | |
File name: | 5Setup.exe |
File size: | 15'018'496 bytes |
MD5: | 535428c4f1622391fa1f79d1210a308e |
SHA1: | f71f258f43d7734f92e6df408462c77db43e3ffa |
SHA256: | 624c18c86535bd12147f839b0b40e68d1596d12e8c20248bf164f331319a7edf |
SHA512: | edbd349c87d6427986597068d5ae8710f2b79692cf42ac6756cae3d039934434b9ae69acf17ca1c0c8119c075b48e12f9930bb88b1087a89a24c4c3aa195561a |
SSDEEP: | 196608:4dgBg0nPLg8yalqxxvzMGsfdi/xVBpmR1hGPm:97zV0Jz6i/+GO |
TLSH: | 9DE64940F9CB44FAE907583190ABA27F63345D098B25DBC7EB457F6AF837791093A209 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........................o..........9............@..................................}....@................................ |
Icon Hash: | 497971328ce1634d |
Entrypoint: | 0x473910 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x0 [Thu Jan 1 00:00:00 1970 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 1 |
File Version Major: | 6 |
File Version Minor: | 1 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 1 |
Import Hash: | 1aae8bf580c846f39c71c05898e57e88 |
Instruction |
---|
jmp 00007FAB9D221D40h |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
sub esp, 28h |
mov dword ptr [esp+1Ch], ebx |
mov dword ptr [esp+10h], ebp |
mov dword ptr [esp+14h], esi |
mov dword ptr [esp+18h], edi |
mov dword ptr [esp], eax |
mov dword ptr [esp+04h], ecx |
call 00007FAB9D1FD3A6h |
mov eax, dword ptr [esp+08h] |
mov edi, dword ptr [esp+18h] |
mov esi, dword ptr [esp+14h] |
mov ebp, dword ptr [esp+10h] |
mov ebx, dword ptr [esp+1Ch] |
add esp, 28h |
retn 0004h |
ret |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
sub esp, 08h |
mov ecx, dword ptr [esp+0Ch] |
mov edx, dword ptr [ecx] |
mov eax, esp |
mov dword ptr [edx+04h], eax |
sub eax, 00010000h |
mov dword ptr [edx], eax |
add eax, 00000BA0h |
mov dword ptr [edx+08h], eax |
mov dword ptr [edx+0Ch], eax |
lea edi, dword ptr [ecx+34h] |
mov dword ptr [edx+18h], ecx |
mov dword ptr [edi], edx |
mov dword ptr [esp+04h], edi |
call 00007FAB9D2241A4h |
cld |
call 00007FAB9D22322Eh |
call 00007FAB9D221E69h |
add esp, 08h |
ret |
jmp 00007FAB9D224050h |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
mov ebx, dword ptr [esp+04h] |
mov ebp, esp |
mov dword ptr fs:[00000034h], 00000000h |
mov ecx, dword ptr [ebx+04h] |
cmp ecx, 00000000h |
je 00007FAB9D224051h |
mov eax, ecx |
shl eax, 02h |
sub esp, eax |
mov edi, esp |
mov esi, dword ptr [ebx+08h] |
cld |
rep movsd |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe33000 | 0x44c | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe84000 | 0x4edc | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe34000 | 0x4ebf0 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xd5a900 | 0xb4 | .data |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x6fe868 | 0x6fea00 | 97c0c8509a6b1f968425c6818412d0f3 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x700000 | 0x6581b8 | 0x658200 | 79f4f28dd48bd351d652e5476cb2f7a9 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xd59000 | 0xd9b78 | 0xa7600 | 4ce0fa36a8c078f08ea9adde6c897872 | False | 0.42130175270724424 | data | 6.174132406128503 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0xe33000 | 0x44c | 0x600 | 36cd91329e192ab53013cf542b9d2327 | False | 0.357421875 | OpenPGP Public Key | 3.860585918641242 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.reloc | 0xe34000 | 0x4ebf0 | 0x4ec00 | c35eb9cc3646caa31f1c994999cedbb1 | False | 0.5779637896825397 | data | 6.6433460216534925 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.symtab | 0xe83000 | 0x4 | 0x200 | 07b5472d347d42780469fb2654b7fc54 | False | 0.02734375 | data | 0.020393135236084953 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.rsrc | 0xe84000 | 0x4edc | 0x5000 | c2be3677d4e7076809476de08e3b4e27 | False | 0.14755859375 | data | 4.136539305625679 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0xe84268 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | | | 0.21808510638297873 |
RT_ICON | 0xe846d0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | | | 0.099906191369606 |
RT_ICON | 0xe85778 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | | | 0.06109958506224066 |
RT_ICON | 0xe87d20 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | | | 0.42473118279569894 |
RT_ICON | 0xe88008 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | | | 0.35618279569892475 |
RT_GROUP_ICON | 0xe882f0 | 0x30 | data | | | 0.8125 |
RT_GROUP_ICON | 0xe88320 | 0x14 | data | | | 1.2 |
RT_GROUP_ICON | 0xe88334 | 0x14 | data | | | 1.25 |
RT_VERSION | 0xe88348 | 0x3ec | data | | | 0.4252988047808765 |
RT_MANIFEST | 0xe88734 | 0x528 | XML 1.0 document, ASCII text, with CRLF line terminators | | | 0.4643939393939394 |
RT_MANIFEST | 0xe88c5c | 0x280 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.553125 |
DLL | Import |
---|---|
kernel32.dll | WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler |
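The static tables above (zeroed COFF timestamp, "Digitally signed: false", an empty SECURITY data directory, a `.symtab` section, the entry point inside `.text`, per-section entropy) are the fields an analyst reads first when triaging an unknown PE. The following is an added example, not part of the sandbox report and not the sandbox's own parser: a standard-library-only PE32 header parser plus the triage checks those fields support. The input is a constructed PE32 image whose header values mirror the tables above (entry point, image base, DLL characteristics, data directories, section RVAs and virtual sizes); its section contents are synthetic filler so that the entropy computation has bytes to work on, so the entropy values it reports are not those of the analysed file. The 7.2 bits/byte entropy threshold and the `.symtab` heuristic are analyst assumptions.

```python
"""Header-level triage of a PE32 file with only the standard library (added example)."""
from __future__ import annotations
import struct
from math import log2

DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE = 0x0040, 0x0100, 0x8000   # IMAGE_DLLCHARACTERISTICS_*
DIR_IMPORT, DIR_RESOURCE, DIR_SECURITY, DIR_BASERELOC, DIR_IAT = 1, 2, 4, 5, 12  # data directory slots
SCN_MEM_EXECUTE = 0x20000000                                                 # IMAGE_SCN_MEM_EXECUTE
HIGH_ENTROPY = 7.2                                                           # analyst threshold, bits/byte


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0); 0.0 for empty input."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> dict:
    """Parse DOS stub, COFF header, PE32 optional header, data directories and section table."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    entry = struct.unpack_from("<I", image, opt + 16)[0]          # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", image, opt + 28)[0]     # ImageBase
    subsystem, dllchars = struct.unpack_from("<HH", image, opt + 68)
    ndirs = struct.unpack_from("<I", image, opt + 92)[0]          # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", image, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, schars = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "raw_size": rawsize, "characteristics": schars,
                         "entropy": shannon_entropy(image[rawptr:rawptr + rawsize])})
    return {"machine": machine, "timestamp": stamp, "characteristics": chars, "entry_point": entry,
            "image_base": image_base, "subsystem": subsystem, "dll_characteristics": dllchars,
            "data_dirs": dirs, "sections": sections}


def section_for_rva(pe: dict, rva: int) -> str | None:
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return None


def triage(pe: dict) -> list[str]:
    """The checks the report's static tables make visible, as analyst-readable findings."""
    out = []
    if pe["timestamp"] == 0:
        out.append("COFF TimeDateStamp is 0: build time zeroed (deliberate or toolchain default)")
    if tuple(pe["data_dirs"][DIR_SECURITY]) == (0, 0):
        out.append("empty IMAGE_DIRECTORY_ENTRY_SECURITY: no Authenticode signature")
    if any(s["name"] == ".symtab" for s in pe["sections"]):
        out.append(".symtab section present: layout typical of Go-linked PE files (heuristic)")
    ep_sec = next((s for s in pe["sections"] if s["name"] == section_for_rva(pe, pe["entry_point"])), None)
    if ep_sec is None or not ep_sec["characteristics"] & SCN_MEM_EXECUTE:
        out.append(f"entry point {pe['entry_point']:#x} is not inside an executable section")
    for s in pe["sections"]:
        if s["raw_size"] and s["entropy"] >= HIGH_ENTROPY:
            out.append(f"{s['name']}: entropy {s['entropy']:.2f} bits/byte, packed or encrypted content likely")
    if not pe["dll_characteristics"] & NX_COMPAT:
        out.append("NX_COMPAT not set")
    return out


def build_sample_pe() -> bytes:
    """Constructed PE32 image, NOT the analysed file: header fields mirror the tables above,
    section contents are synthetic filler chosen for deterministic entropy."""
    secs = [  # name, VirtualAddress, VirtualSize, Characteristics, synthetic raw bytes
        (b".text",   0x1000,   0x6fe868, 0x60000020, bytes(range(256)) * 2),        # entropy 8.0
        (b".rdata",  0x700000, 0x6581b8, 0x40000040, b"\x41" * 0x200),
        (b".data",   0xd59000, 0xd9b78,  0xC0000040, bytes(range(0, 256, 2)) * 4),  # entropy 7.0
        (b".idata",  0xe33000, 0x44c,    0xC0000040, b"\x00" * 0x200),
        (b".reloc",  0xe34000, 0x4ebf0,  0x42000040, b"\x00" * 0x200),
        (b".symtab", 0xe83000, 0x4,      0x42000000, b"\x00" * 0x200),
        (b".rsrc",   0xe84000, 0x4edc,   0x40000040, b"\x00" * 0x200),
    ]
    headers_size, opt_size = 0x400, 224
    sec_hdrs, raw = b"", b""
    for name, va, vsize, chars, blob in secs:
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(blob),
                                headers_size + len(raw), 0, 0, 0, 0, chars)
        raw += blob
    dirs = [(0, 0)] * 16
    dirs[DIR_IMPORT], dirs[DIR_RESOURCE] = (0xe33000, 0x44c), (0xe84000, 0x4edc)
    dirs[DIR_BASERELOC], dirs[DIR_IAT] = (0xe34000, 0x4ebf0), (0xd5a900, 0xb4)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 0, 0,
                      0x6fea00, 0, 0, 0x473910, 0x1000, 0x700000, 0x400000, 0x1000, 0x200,
                      6, 1, 6, 1, 6, 1,                      # OS / image / subsystem versions 6.1
                      0, 0xe89000, headers_size, 0,
                      2, DYNAMIC_BASE | NX_COMPAT | TERMINAL_SERVER_AWARE,   # windows gui
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, opt_size, 0x0102)  # I386, EXECUTABLE_IMAGE|32BIT_MACHINE
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                          # e_lfanew = 0x40
    return (dos + b"PE\0\0" + coff + opt + sec_hdrs).ljust(headers_size, b"\0") + raw


if __name__ == "__main__":
    for line in triage(parse_pe(build_sample_pe())):
        print(line)
```

Run against a real file by replacing `build_sample_pe()` with `open(path, "rb").read()`; PE32+ (64-bit) files are rejected on purpose because the optional-header offsets used here are the 32-bit ones.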
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-24T14:42:20.261247+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49736 | 188.114.96.3 | 443 | TCP |
2024-10-24T14:42:20.261247+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49736 | 188.114.96.3 | 443 | TCP |
2024-10-24T14:42:23.149975+0200 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49737 | 188.114.96.3 | 443 | TCP |
2024-10-24T14:42:23.149975+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49737 | 188.114.96.3 | 443 | TCP |
2024-10-24T14:42:31.244380+0200 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49743 | 188.114.96.3 | 443 | TCP |
2024-10-24T14:42:33.574427+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49745 | 188.114.96.3 | 443 | TCP |
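The alert table above and the proxied-session table further down (which records PID 6512, `BitLockerToGo.exe`, as the owner of the sessions on ports 49736 and 49737) answer different questions, and an analyst usually wants them joined: which process produced each alerted flow, which rules fired on it, and how far apart the C2 check-ins were. The following is an added example, not part of the sandbox report and not Joe Sandbox's or Suricata's own code: it parses both tables, constructed inline from the rows on this page, and correlates them per 5-tuple. Only two sessions are listed on this page, so the flows on ports 49743 and 49745 deliberately have no recorded owner, and the code reports that rather than guessing. The list of Windows binaries that are not expected to open outbound TLS sessions is an analyst assumption, not something the report states.

```python
"""Join IDS alerts with the sandbox's session-to-process map (added example)."""
from __future__ import annotations
from datetime import datetime

TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"   # format of the alert timestamps in the report
CHECKIN_SID = 2054653                # "ET MALWARE Lumma Stealer CnC Host Checkin"

# Constructed from the IDS alert rows above: ts|sid|signature|src|sport|dst|dport
ALERTS = """\
2024-10-24T14:42:20.261247+0200|2049836|ET MALWARE Lumma Stealer Related Activity|192.168.2.4|49736|188.114.96.3|443
2024-10-24T14:42:20.261247+0200|2054653|ET MALWARE Lumma Stealer CnC Host Checkin|192.168.2.4|49736|188.114.96.3|443
2024-10-24T14:42:23.149975+0200|2049812|ET MALWARE Lumma Stealer Related Activity M2|192.168.2.4|49737|188.114.96.3|443
2024-10-24T14:42:23.149975+0200|2054653|ET MALWARE Lumma Stealer CnC Host Checkin|192.168.2.4|49737|188.114.96.3|443
2024-10-24T14:42:31.244380+0200|2048094|ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration|192.168.2.4|49743|188.114.96.3|443
2024-10-24T14:42:33.574427+0200|2054653|ET MALWARE Lumma Stealer CnC Host Checkin|192.168.2.4|49745|188.114.96.3|443
"""

# Constructed from the proxied-session rows on this page: session|src|sport|dst|dport|pid|process
SESSIONS = """\
0|192.168.2.4|49736|188.114.96.3|443|6512|C:\\Windows\\BitLockerDiscoveryVolumeContents\\BitLockerToGo.exe
1|192.168.2.4|49737|188.114.96.3|443|6512|C:\\Windows\\BitLockerDiscoveryVolumeContents\\BitLockerToGo.exe
"""

# Analyst assumption (not from the report): Windows binaries with no reason to open outbound TLS.
NO_NETWORK_EXPECTED = {"bitlockertogo.exe"}


def parse_alerts(text: str) -> list[dict]:
    alerts = []
    for line in text.strip().splitlines():
        ts, sid, sig, src, sport, dst, dport = line.split("|")
        alerts.append({"ts": datetime.strptime(ts, TS_FMT), "sid": int(sid), "sig": sig,
                       "flow": (src, int(sport), dst, int(dport))})
    return alerts


def parse_sessions(text: str) -> dict[tuple, tuple[int, str]]:
    """5-tuple -> (pid, image path) as recorded by the sandbox's TLS proxy."""
    owners = {}
    for line in text.strip().splitlines():
        _sess, src, sport, dst, dport, pid, proc = line.split("|")
        owners[(src, int(sport), dst, int(dport))] = (int(pid), proc)
    return owners


def correlate(alerts: list[dict], owners: dict) -> dict[tuple, dict]:
    """Group alerts per flow; attach the owning process only where the sandbox recorded one."""
    flows = {}
    for a in alerts:
        info = flows.setdefault(a["flow"], {"sids": set(), "first": a["ts"], "last": a["ts"],
                                            "pid": None, "process": None})
        info["sids"].add(a["sid"])
        info["first"], info["last"] = min(info["first"], a["ts"]), max(info["last"], a["ts"])
        if a["flow"] in owners:
            info["pid"], info["process"] = owners[a["flow"]]
    return flows


def checkin_intervals(alerts: list[dict], sid: int = CHECKIN_SID) -> list[float]:
    """Seconds between consecutive hits of one SID; for the check-in rule this is the beacon cadence."""
    ts = sorted(a["ts"] for a in alerts if a["sid"] == sid)
    return [(later - earlier).total_seconds() for earlier, later in zip(ts, ts[1:])]


def findings(alerts: list[dict], owners: dict) -> list[str]:
    """One line per alerted flow, oldest first; unowned flows are called out, not dropped."""
    out = []
    for (src, sport, dst, dport), info in sorted(correlate(alerts, owners).items(),
                                                 key=lambda kv: kv[1]["first"]):
        if info["pid"] is None:
            owner = "owner not recorded in report"
        else:
            image = info["process"].rsplit("\\", 1)[-1].lower()
            tag = " UNEXPECTED NETWORK ORIGIN" if image in NO_NETWORK_EXPECTED else ""
            owner = "pid %d %s%s" % (info["pid"], info["process"], tag)
        out.append(f"{src}:{sport} -> {dst}:{dport} sids={sorted(info['sids'])} {owner}")
    return out


if __name__ == "__main__":
    a, o = parse_alerts(ALERTS), parse_sessions(SESSIONS)
    print("\n".join(findings(a, o)))
    print("check-in intervals (s):", [round(x, 3) for x in checkin_intervals(a)])
```

The owner lookup is keyed on the full 5-tuple because ephemeral source ports are reused across a longer capture; matching on destination alone would attribute every later flow to whichever process happened to be recorded first.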
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 24, 2024 14:42:19.087707996 CEST | 49736 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:19.087747097 CEST | 443 | 49736 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:19.087825060 CEST | 49736 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:19.090976954 CEST | 49736 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:19.091001987 CEST | 443 | 49736 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:19.701432943 CEST | 443 | 49736 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:19.701622009 CEST | 49736 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:19.707482100 CEST | 49736 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:19.707514048 CEST | 443 | 49736 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:19.707801104 CEST | 443 | 49736 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:19.757798910 CEST | 49736 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:19.776190042 CEST | 49736 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:19.776228905 CEST | 49736 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:19.776352882 CEST | 443 | 49736 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:20.261246920 CEST | 443 | 49736 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:20.261347055 CEST | 443 | 49736 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:20.261467934 CEST | 49736 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:20.332714081 CEST | 49736 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:20.332751036 CEST | 443 | 49736 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:20.332768917 CEST | 49736 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:20.332777023 CEST | 443 | 49736 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:21.055686951 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:21.055726051 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:21.055850983 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:21.056396961 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:21.056408882 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:21.681751013 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:21.681838989 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:21.683244944 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:21.683257103 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:21.683470964 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:21.685017109 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:21.685039043 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:21.685081005 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:23.149959087 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:23.150041103 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:23.150072098 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:23.150099993 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:23.150122881 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:23.150129080 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:23.150139093 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:23.150141001 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:23.150185108 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:23.150198936 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:23.150235891 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:23.150330067 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:23.150338888 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:23.156081915 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:23.156107903 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:23.156137943 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:23.156146049 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:23.156155109 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:23.156199932 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:23.156208038 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:23.156234026 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:23.156254053 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:23.156286955 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:23.156485081 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:23.156502008 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:23.156537056 CEST | 49737 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:23.156543970 CEST | 443 | 49737 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:23.310636997 CEST | 49738 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:23.310698032 CEST | 443 | 49738 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:23.310802937 CEST | 49738 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:23.311086893 CEST | 49738 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:23.311124086 CEST | 443 | 49738 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:23.936871052 CEST | 443 | 49738 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:23.937089920 CEST | 49738 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:23.938390017 CEST | 49738 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:23.938414097 CEST | 443 | 49738 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:23.938746929 CEST | 443 | 49738 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:23.939878941 CEST | 49738 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:23.940047026 CEST | 49738 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:23.940085888 CEST | 443 | 49738 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:23.940152884 CEST | 49738 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:23.940161943 CEST | 443 | 49738 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:24.601485968 CEST | 443 | 49738 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:24.601555109 CEST | 443 | 49738 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:24.601866961 CEST | 49738 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:24.601867914 CEST | 49738 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:24.688050032 CEST | 49739 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:24.688093901 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:24.688175917 CEST | 49739 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:24.688486099 CEST | 49739 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:24.688497066 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:24.914093971 CEST | 49738 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:24.914167881 CEST | 443 | 49738 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:25.311800003 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:25.311944962 CEST | 49739 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:25.313153028 CEST | 49739 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:25.313158989 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:25.313483000 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:25.314753056 CEST | 49739 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:25.314867020 CEST | 49739 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:25.314894915 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:25.876744986 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:25.876869917 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:25.876928091 CEST | 49739 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:25.877010107 CEST | 49739 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:25.877027988 CEST | 443 | 49739 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:26.047750950 CEST | 49740 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:26.047790051 CEST | 443 | 49740 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:26.048012972 CEST | 49740 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:26.048259974 CEST | 49740 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:26.048278093 CEST | 443 | 49740 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:26.665571928 CEST | 443 | 49740 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:26.665708065 CEST | 49740 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:26.667026997 CEST | 49740 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:26.667036057 CEST | 443 | 49740 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:26.667375088 CEST | 443 | 49740 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:26.668667078 CEST | 49740 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:26.668781996 CEST | 49740 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:26.668821096 CEST | 443 | 49740 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:26.668890953 CEST | 49740 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:26.668915033 CEST | 443 | 49740 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:27.376718044 CEST | 443 | 49740 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:27.376827002 CEST | 443 | 49740 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:27.376913071 CEST | 49740 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:27.377058983 CEST | 49740 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:27.377079964 CEST | 443 | 49740 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:27.790786028 CEST | 49741 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:27.790827990 CEST | 443 | 49741 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:27.790925026 CEST | 49741 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:27.791295052 CEST | 49741 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:27.791305065 CEST | 443 | 49741 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:28.392570972 CEST | 443 | 49741 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:28.392760992 CEST | 49741 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:28.394989014 CEST | 49741 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:28.394999981 CEST | 443 | 49741 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:28.395347118 CEST | 443 | 49741 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:28.397109032 CEST | 49741 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:28.397269011 CEST | 49741 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:28.397299051 CEST | 443 | 49741 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:28.726381063 CEST | 443 | 49741 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:28.726511955 CEST | 443 | 49741 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:28.726676941 CEST | 49741 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:28.726984024 CEST | 49741 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:28.727015018 CEST | 443 | 49741 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:28.838062048 CEST | 49742 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:28.838092089 CEST | 443 | 49742 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:28.838469028 CEST | 49742 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:28.838545084 CEST | 49742 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:28.838550091 CEST | 443 | 49742 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:29.455632925 CEST | 443 | 49742 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:29.455784082 CEST | 49742 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:29.457192898 CEST | 49742 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:29.457201958 CEST | 443 | 49742 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:29.458482027 CEST | 443 | 49742 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:29.462093115 CEST | 49742 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:29.462244034 CEST | 49742 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:29.462275982 CEST | 443 | 49742 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:29.969664097 CEST | 443 | 49742 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:29.969798088 CEST | 443 | 49742 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:29.969888926 CEST | 49742 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:29.970135927 CEST | 49742 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:29.970159054 CEST | 443 | 49742 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:30.123862028 CEST | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:30.123923063 CEST | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:30.124027967 CEST | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:30.124517918 CEST | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:30.124535084 CEST | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:30.749567032 CEST | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:30.749695063 CEST | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:30.752095938 CEST | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:30.752113104 CEST | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:30.752445936 CEST | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:30.758124113 CEST | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:30.758224964 CEST | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:30.758234978 CEST | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:31.244404078 CEST | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:31.244538069 CEST | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:31.244620085 CEST | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:31.244879961 CEST | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:31.244901896 CEST | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:31.324563980 CEST | 49744 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:31.324605942 CEST | 443 | 49744 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:31.324719906 CEST | 49744 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:31.324980021 CEST | 49744 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:31.324996948 CEST | 443 | 49744 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:31.939812899 CEST | 443 | 49744 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:31.939932108 CEST | 49744 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:31.941056967 CEST | 49744 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:31.941065073 CEST | 443 | 49744 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:31.941405058 CEST | 443 | 49744 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:31.944439888 CEST | 49744 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:31.944514036 CEST | 49744 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:31.944519997 CEST | 443 | 49744 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:32.465854883 CEST | 443 | 49744 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:32.465991974 CEST | 443 | 49744 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:32.466065884 CEST | 49744 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:32.466265917 CEST | 49744 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:32.466285944 CEST | 443 | 49744 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:32.493809938 CEST | 49745 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:32.493904114 CEST | 443 | 49745 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:32.493983984 CEST | 49745 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:32.494294882 CEST | 49745 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:32.494334936 CEST | 443 | 49745 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:33.104156971 CEST | 443 | 49745 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:33.104254007 CEST | 49745 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:33.105474949 CEST | 49745 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:33.105484009 CEST | 443 | 49745 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:33.105875969 CEST | 443 | 49745 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:33.107002974 CEST | 49745 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:33.107031107 CEST | 49745 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:33.107096910 CEST | 443 | 49745 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:33.574381113 CEST | 443 | 49745 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:33.574475050 CEST | 443 | 49745 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:33.574553013 CEST | 49745 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:33.574733973 CEST | 49745 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:33.574748039 CEST | 443 | 49745 | 188.114.96.3 | 192.168.2.4 |
Oct 24, 2024 14:42:33.574762106 CEST | 49745 | 443 | 192.168.2.4 | 188.114.96.3 |
Oct 24, 2024 14:42:33.574767113 CEST | 443 | 49745 | 188.114.96.3 | 192.168.2.4 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 24, 2024 14:42:19.062889099 CEST | 59751 | 53 | 192.168.2.4 | 1.1.1.1 |
Oct 24, 2024 14:42:19.077066898 CEST | 53 | 59751 | 1.1.1.1 | 192.168.2.4 |
Oct 24, 2024 14:42:43.047709942 CEST | 53 | 64870 | 162.159.36.2 | 192.168.2.4 |
Oct 24, 2024 14:42:43.690521002 CEST | 53 | 63338 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Oct 24, 2024 14:42:19.062889099 CEST | 192.168.2.4 | 1.1.1.1 | 0xcdad | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Oct 24, 2024 14:42:19.077066898 CEST | 1.1.1.1 | 192.168.2.4 | 0xcdad | No error (0) | | | 188.114.96.3 | A (IP address) | IN (0x0001) | false |
Oct 24, 2024 14:42:19.077066898 CEST | 1.1.1.1 | 192.168.2.4 | 0xcdad | No error (0) | | | 188.114.97.3 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.4 | 49736 | 188.114.96.3 | 443 | 6512 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-24 12:42:19 UTC | 263 | OUT | |
2024-10-24 12:42:19 UTC | 8 | OUT | |
2024-10-24 12:42:20 UTC | 1013 | IN | |
2024-10-24 12:42:20 UTC | 7 | IN | |
2024-10-24 12:42:20 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.4 | 49737 | 188.114.96.3 | 443 | 6512 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-24 12:42:21 UTC | 264 | OUT | |
2024-10-24 12:42:21 UTC | 75 | OUT | |
2024-10-24 12:42:23 UTC | 1009 | IN | |
2024-10-24 12:42:23 UTC | 360 | IN | |
2024-10-24 12:42:23 UTC | 896 | IN | |
2024-10-24 12:42:23 UTC | 1369 | IN | |
2024-10-24 12:42:23 UTC | 1369 | IN | |
2024-10-24 12:42:23 UTC | 1369 | IN | |
2024-10-24 12:42:23 UTC | 1369 | IN | |
2024-10-24 12:42:23 UTC | 876 | IN | |
2024-10-24 12:42:23 UTC | 1369 | IN | |
2024-10-24 12:42:23 UTC | 1369 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.4 | 49738 | 188.114.96.3 | 443 | 6512 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-24 12:42:23 UTC | 282 | OUT | |
2024-10-24 12:42:23 UTC | 15331 | OUT | |
2024-10-24 12:42:23 UTC | 2828 | OUT | |
2024-10-24 12:42:24 UTC | 1008 | IN | |
2024-10-24 12:42:24 UTC | 23 | IN | |
2024-10-24 12:42:24 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.4 | 49739 | 188.114.96.3 | 443 | 6512 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-24 12:42:25 UTC | 281 | OUT | |
2024-10-24 12:42:25 UTC | 8780 | OUT | |
2024-10-24 12:42:25 UTC | 1011 | IN | |
2024-10-24 12:42:25 UTC | 23 | IN | |
2024-10-24 12:42:25 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.4 | 49740 | 188.114.96.3 | 443 | 6512 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-24 12:42:26 UTC | 282 | OUT | |
2024-10-24 12:42:26 UTC | 15331 | OUT | |
2024-10-24 12:42:26 UTC | 5102 | OUT | |
2024-10-24 12:42:27 UTC | 1009 | IN | |
2024-10-24 12:42:27 UTC | 23 | IN | |
2024-10-24 12:42:27 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.4 | 49741 | 188.114.96.3 | 443 | 6512 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-24 12:42:28 UTC | 281 | OUT | |
2024-10-24 12:42:28 UTC | 7094 | OUT | |
2024-10-24 12:42:28 UTC | 1009 | IN | |
2024-10-24 12:42:28 UTC | 23 | IN | |
2024-10-24 12:42:28 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.4 | 49742 | 188.114.96.3 | 443 | 6512 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-24 12:42:29 UTC | 281 | OUT | |
2024-10-24 12:42:29 UTC | 7126 | OUT | |
2024-10-24 12:42:29 UTC | 1011 | IN | |
2024-10-24 12:42:29 UTC | 23 | IN | |
2024-10-24 12:42:29 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.4 | 49743 | 188.114.96.3 | 443 | 6512 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-24 12:42:30 UTC | 281 | OUT | |
2024-10-24 12:42:30 UTC | 1243 | OUT | |
2024-10-24 12:42:31 UTC | 1014 | IN | |
2024-10-24 12:42:31 UTC | 23 | IN | |
2024-10-24 12:42:31 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
8 | 192.168.2.4 | 49744 | 188.114.96.3 | 443 | 6512 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-24 12:42:31 UTC | 281 | OUT | |
2024-10-24 12:42:31 UTC | 1117 | OUT | |
2024-10-24 12:42:32 UTC | 1018 | IN | |
2024-10-24 12:42:32 UTC | 23 | IN | |
2024-10-24 12:42:32 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
9 | 192.168.2.4 | 49745 | 188.114.96.3 | 443 | 6512 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-24 12:42:33 UTC | 265 | OUT | |
2024-10-24 12:42:33 UTC | 110 | OUT | |
2024-10-24 12:42:33 UTC | 1010 | IN | |
2024-10-24 12:42:33 UTC | 54 | IN | |
2024-10-24 12:42:33 UTC | 5 | IN |
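All ten TLS sessions above come from the same BitLockerToGo.exe process (PID 6512) and go to the same endpoint, 188.114.96.3:443. The report does not decrypt the payloads, so the only signal left is the byte counters and their direction. The script below is an added example (not part of the Joe Sandbox report) that takes those counters, transcribed from the session tables, totals them per session, labels each session by its dominant direction, and emits the notes an analyst would write: a Windows utility that is not an expected TLS client, five sessions that push far more data out than they receive, and one fresh connection per request. The 4096-byte "bulk" threshold and the allowlist of expected TLS clients are assumptions chosen for the example; the report truncates long sessions, so session 1 carries only the rows that are shown.

```python
"""Profile the per-session byte counters of a sandbox network log.

Added example. SESSIONS is transcribed from the session tables above
(constructed input for this example, not parsed from the live report).
"""
from typing import Dict, List, Tuple

PID = 6512
PROCESS = r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
DESTINATION = ("188.114.96.3", 443)

# session id -> (source port, [(direction, bytes), ...])
SESSIONS: Dict[int, Tuple[int, List[Tuple[str, int]]]] = {
    0: (49736, [("OUT", 263), ("OUT", 8), ("IN", 1013), ("IN", 7), ("IN", 5)]),
    1: (49737, [("OUT", 264), ("OUT", 75), ("IN", 1009), ("IN", 360), ("IN", 896),
                ("IN", 1369), ("IN", 1369), ("IN", 1369), ("IN", 1369), ("IN", 876),
                ("IN", 1369), ("IN", 1369)]),
    2: (49738, [("OUT", 282), ("OUT", 15331), ("OUT", 2828),
                ("IN", 1008), ("IN", 23), ("IN", 5)]),
    3: (49739, [("OUT", 281), ("OUT", 8780), ("IN", 1011), ("IN", 23), ("IN", 5)]),
    4: (49740, [("OUT", 282), ("OUT", 15331), ("OUT", 5102),
                ("IN", 1009), ("IN", 23), ("IN", 5)]),
    5: (49741, [("OUT", 281), ("OUT", 7094), ("IN", 1009), ("IN", 23), ("IN", 5)]),
    6: (49742, [("OUT", 281), ("OUT", 7126), ("IN", 1011), ("IN", 23), ("IN", 5)]),
    7: (49743, [("OUT", 281), ("OUT", 1243), ("IN", 1014), ("IN", 23), ("IN", 5)]),
    8: (49744, [("OUT", 281), ("OUT", 1117), ("IN", 1018), ("IN", 23), ("IN", 5)]),
    9: (49745, [("OUT", 265), ("OUT", 110), ("IN", 1010), ("IN", 54), ("IN", 5)]),
}

# Analyst-chosen threshold (assumption): a direction carrying at least this
# many bytes in one session is "bulk"; roughly 1 KB per side is just the
# TLS handshake (ClientHello out, ServerHello/certificate in).
BULK_BYTES = 4096

# Processes expected to open outbound TLS connections (assumption for the
# example; a real allowlist comes from the environment's own baseline).
EXPECTED_TLS_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "svchost.exe"}


def session_totals(transfers):
    """Return (bytes out, bytes in) for one session's transfer records."""
    out_bytes = sum(n for direction, n in transfers if direction == "OUT")
    in_bytes = sum(n for direction, n in transfers if direction == "IN")
    return out_bytes, in_bytes


def classify(out_bytes, in_bytes):
    """Label a session by its dominant direction."""
    if out_bytes >= BULK_BYTES and out_bytes > in_bytes:
        return "bulk upload"
    if in_bytes >= BULK_BYTES and in_bytes > out_bytes:
        return "bulk download"
    return "small exchange"


def summarize(sessions):
    """One summary row per session, in session-id order."""
    rows = []
    for sid, (sport, transfers) in sorted(sessions.items()):
        out_bytes, in_bytes = session_totals(transfers)
        rows.append({"session": sid, "sport": sport, "out": out_bytes,
                     "in": in_bytes, "label": classify(out_bytes, in_bytes)})
    return rows


def findings(rows, process, expected_clients=EXPECTED_TLS_CLIENTS):
    """Analyst notes for one process talking to one destination."""
    notes = []
    image = process.rsplit("\\", 1)[-1].lower()
    if image not in expected_clients:
        notes.append(f"{image} is not an expected TLS client")
    uploads = [r for r in rows if r["label"] == "bulk upload"]
    if uploads:
        total = sum(r["out"] for r in uploads)
        notes.append(f"{len(uploads)} bulk-upload sessions, {total} bytes out")
    # A distinct source port per session means a new connection per request.
    if len(rows) >= 5 and len({r["sport"] for r in rows}) == len(rows):
        notes.append(f"{len(rows)} separate short-lived connections to the same "
                     "destination (one connection per request)")
    return notes


if __name__ == "__main__":
    rows = summarize(SESSIONS)
    print(f"PID {PID} {PROCESS} -> {DESTINATION[0]}:{DESTINATION[1]}")
    for r in rows:
        print(f"  session {r['session']:>2} sport {r['sport']}  "
              f"out {r['out']:>6}  in {r['in']:>6}  {r['label']}")
    for note in findings(rows, PROCESS):
        print("  !", note)
```

Sessions 2 to 6 each send between 7 KB and 20 KB against about 1 KB received, which is the handshake plus a short status reply; session 1 is the only one where the host receives more than it sends. Session 0, 7, 8 and 9 are small exchanges. The interesting output is the combination: a process that should never talk to the internet, opening one connection per request and uploading far more than it downloads.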
Target ID: | 0 |
Start time: | 08:41:57 |
Start date: | 24/10/2024 |
Path: | C:\Users\user\Desktop\5Setup.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2c0000 |
File size: | 15'018'496 bytes |
MD5 hash: | 535428C4F1622391FA1F79D1210A308E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 08:42:09 |
Start date: | 24/10/2024 |
Path: | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xf40000 |
File size: | 231'736 bytes |
MD5 hash: | A64BEAB5D4516BECA4C40B25DC0C1CD8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | moderate |
Has exited: | true |
Execution Graph
Execution Coverage: | 5.5% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 61.3% |
Total number of Nodes: | 282 |
Total number of Limit Nodes: | 28 |

Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
00423330 | 14.4 | | 11 | 649 | COMMON |
0040EE20 | 13.3 | | 10 | 762 | COMMON |
0040F490 | 11.8 | | 9 | 528 | COMMON |
00420D60 | 10.3 | | 8 | 336 | COMMON |
0043CAF0 | 9.0 | | 7 | 247 | COMMON |
00429FE0 | 5.4 | | 4 | 422 | COMMON |
0040FE86 | 4.2 | | 3 | 409 | COMMON |
004309A1 | 3.0 | | 2 | 534 | COMMON |
00446E50 | 2.8 | | 2 | 305 | COMMON |
00446600 | 1.5 | | 1 | 272 | COMMON |
00442710 | 1.5 | 1 | | 14 | library, COMMON |
00446040 | 1.4 | | 1 | 124 | COMMON |
004464F0 | 1.3 | | 1 | 97 | COMMON |
0042EE3D | 0.3 | | | 318 | COMMON |
0040DE90 | 0.1 | | | 142 | COMMON |

Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
0043D028 | 10.8 | 5 | 1 | 279 | memory, COMMON |
0040CED0 | 6.0 | 4 | | 42 | thread, COMMON |
00442630 | 1.6 | 1 | | 69 | memory, COMMON |
0043F710 | 1.5 | 1 | | 47 | memory, COMMON |
0043F6A0 | 1.5 | 1 | | 43 | memory, COMMON |
00442C8A | 1.5 | 1 | | 39 | COMMON |
0043D598 | 1.5 | 1 | | 27 | COMMON |
004429E6 | 1.5 | 1 | | 21 | COMMON |
0043453D | 1.5 | 1 | | 21 | COMMON |
00435B85 | 1.5 | 1 | | 16 | COMMON |
0043D5BB | 1.5 | 1 | | 14 | COMMON |
0043D004 | 1.5 | 1 | | 12 | COMMON |
0043D492 | 1.5 | 1 | | 10 | COMMON |

Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
0043B91D | 71.6 | | 57 | 312 | COMMON |
00401000 | 19.5 | | 14 | 1989 | COMMON |
004012D5 | 16.0 | | 12 | 987 | COMMON |
0041F8A0 | 15.3 | | 11 | 1540 | COMMON |
0040D3F0 | 14.0 | | 11 | 287 | COMMON |
0042CD09 | 13.0 | | 10 | 452 | COMMON |
00429340 | 8.1 | | 6 | 567 | COMMON |
0040D780 | 7.9 | | 6 | 392 | COMMON |
0042A7E2 | 7.8 | | 6 | 286 | COMMON |
004260BA | 7.0 | | 5 | 791 | COMMON |
00444640 | 7.0 | | 5 | 763 | COMMON |
00401328 | 6.6 | | 5 | 389 | COMMON |
0040E920 | 6.6 | | 5 | 367 | COMMON |
004218B0 | 6.6 | | 5 | 364 | COMMON |
0040D1F0 | 6.4 | | 5 | 177 | COMMON |
004405D0 | 4.5 | | 3 | 703 | COMMON |
00430FFE | 4.1 | | 3 | 388 | COMMON |
00422CE0 | 2.9 | | 2 | 441 | COMMON |
004038E0 | 2.9 | | 2 | 404 | COMMON |
0042C7DC | 2.9 | | 2 | 353 | COMMON |
00443E80 | 2.8 | | 2 | 277 | COMMON |
004110D7 | 2.8 | | 2 | 267 | COMMON |
004215AD | 2.6 | | 2 | 89 | COMMON |
004216C0 | 2.6 | | 2 | 84 | COMMON |
0042C020 | 1.8 | | 1 | 566 | COMMON |
00404FB0 | 1.8 | | 1 | 558 | COMMON |
00425770 | 1.7 | 1 | | 241 | com, COMMON |
0041E882 | 1.7 | | 1 | 487 | COMMON |
004259D0 | 1.7 | | 1 | 463 | COMMON |
00423B40 | 1.7 | | 1 | 439 | COMMON |
0042D3EA | 1.7 | | 1 | 436 | COMMON |
0041CAB0 | 1.6 | | 1 | 354 | COMMON |
00445120 | 1.5 | | 1 | 280 | COMMON |
00446B70 | 1.5 | | 1 | 273 | COMMON |
0040A500 | 1.5 | | 1 | 265 | COMMON |
004468C0 | 1.5 | | 1 | 259 | COMMON |
00441100 | 1.5 | | 1 | 243 | COMMON |
004229C0 | 1.4 | | 1 | 200 | COMMON |
00443A33 | 1.4 | | 1 | 195 | COMMON |
00429ADE | 1.4 | | 1 | 195 | COMMON |
00429D3E | 1.4 | | 1 | 195 | COMMON |
0040BC40 | 0.9 | | | 855 | COMMON |
00422090 | 0.7 | | | 720 | COMMON |
00407040 | 0.7 | | | 671 | COMMON |
0040B130 | 0.7 | | | 670 | COMMON |
004454D0 | 0.6 | | | 644 | COMMON |
00407A60 | 0.6 | | | 627 | COMMON |
0043DB76 | 0.5 | | | 532 | COMMON |
0040A020 | 0.4 | | | 412 | COMMON |
00409006 | 0.4 | | | 410 | COMMON |
0040ABC0 | 0.4 | | | 407 | COMMON |
00445800 | 0.4 | | | 393 | COMMON |
0042B30E | 0.4 | | | 385 | COMMON |
00409A81 | 0.3 | | | 338 | COMMON |
0043C3E0 | 0.3 | | | 335 | COMMON |
00431495 | 0.3 | | | 333 | COMMON |
0042C390 | 0.3 | | | 327 | COMMON |
0040971D | 0.3 | | | 298 | COMMON |
004156C1 | 0.3 | | | 283 | COMMON |
0043D4B8 | 0.3 | | | 268 | COMMON |
00417736 | 0.3 | | | 259 | COMMON |
0042EAF0 | 0.2 | | | 247 | COMMON |
00416493 | 0.2 | | | 242 | COMMON |
004441C0 | 0.2 | | | 238 | COMMON |
004341D4 | 0.2 | | | 238 | COMMON |
00413227 | 0.2 | | | 235 | COMMON |
00436520 | 0.2 | | | 205 | COMMON |
0042B03C | 0.2 | | | 194 | COMMON |
0043FC90 | 0.2 | | | 192 | COMMON |
0043C152 | 0.2 | | | 189 | COMMON |
0043C180 | 0.2 | | | 189 | COMMON |
0041C692 | 0.2 | | | 175 | COMMON |
00405850 | 0.2 | | | 167 | COMMON |
004099A9 | 0.1 | | | 119 | COMMON |
0042D9C5 | 0.1 | | | 103 | COMMON |
00439970 | 0.1 | | | 64 | COMMON |
0042DE60 | 0.1 | | | 63 | COMMON |
0042CC5F | 0.1 | | | 55 | COMMON |

Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
00435FD0 | 19.4 | 1 | 10 | 148 | memory, COMMON |
0041E134 | 7.2 | 3 | 1 | 179 | thread, window, COMMON |