Windows
Analysis Report
StudioDemo.exe
Overview
General Information
Detection
Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Classification
- System is w10x64
- StudioDemo.exe (PID: 6740, cmdline: "C:\Users\user\Desktop\StudioDemo.exe", MD5: C2572A275E098D91A781656E6895A22E)
  - BitLockerToGo.exe (PID: 6984, cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe", MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | |
{"C2 url": ["elaboretib.sbs", "mediavelk.sbs", "ostracizez.sbs", "armretire.sbs", "offybirhtdi.sbs", "definitib.sbs", "arenbootk.sbs", "strikebripm.sbs", "activedomest.sbs"], "Build id": "tLYMe5--111"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-24T14:51:23.570477+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 188.114.96.3 | 443 | TCP |
2024-10-24T14:51:23.570477+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 188.114.96.3 | 443 | TCP |
2024-10-24T14:51:25.212636+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49735 | 188.114.96.3 | 443 | TCP |
2024-10-24T14:51:25.212636+0200 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49735 | 188.114.96.3 | 443 | TCP |
2024-10-24T14:51:34.795385+0200 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49744 | 188.114.96.3 | 443 | TCP |
2024-10-24T14:51:35.769185+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49745 | 188.114.96.3 | 443 | TCP |
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | Integrated Neural Analysis Model: |
Source: | String decryptor: |
Source: | Code function: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: |
Networking |
---|
Source: | Suricata IDS: |
Source: | URLs: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | HTTP traffic detected: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: |
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: |
Source: | Code function: |
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Classification label: |
Source: | Code function: |
Source: | File created: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Binary or memory string: |
Source: | String found in binary or memory: |
Source: | File read: |
Source: | Process created: |
Source: | Section loaded: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Static PE information: |
Source: | Code function: |
Source: | Process information set: |
Malware Analysis System Evasion |
---|
Source: | System information queried: |
Source: | Thread sleep time: |
Source: | WMI Queries: |
Source: | Binary or memory string: |
Source: | Process information queried: |
Source: | Code function: |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Memory allocated: |
Source: | Memory written: |
Source: | String found in binary or memory: |
Source: | Memory written: |
Source: | Process created: |
Source: | Queries volume information: |
Source: | Key value queried: |
Source: | Binary or memory string: |
Source: | WMI Queries: |
Stealing of Sensitive Information |
---|
Source: | File source: |
Source: | String found in binary or memory: |
Source: | File opened: |
Source: | Directory queried: |
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 311 Process Injection | 11 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 311 Process Injection | LSASS Memory | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | 41 Data from Local System | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | 2 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 22 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
armretire.sbs | 188.114.96.3 | true | true | | unknown |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
188.114.96.3 | armretire.sbs | European Union | 13335 | CLOUDFLARENETUS | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1541178 |
Start date and time: | 2024-10-24 14:50:08 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 40s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 5 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | StudioDemo.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@3/4@1/1 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target StudioDemo.exe, PID 6740 because there are no executed functions
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- VT rate limit hit for: StudioDemo.exe
Time | Type | Description |
---|---|---|
08:51:22 | API Interceptor | |
Match | Detection | Threat Name |
---|---|---|
188.114.96.3 | malicious | AgentTesla |
188.114.96.3 | malicious | FormBook |
188.114.96.3 | malicious | PureLog Stealer |
188.114.96.3 | malicious | FormBook |
188.114.96.3 | malicious | DCRat, PureLog Stealer, zgRAT |
188.114.96.3 | malicious | DCRat, PureLog Stealer, zgRAT |
188.114.96.3 | malicious | Unknown |
188.114.96.3 | malicious | DCRat, PureLog Stealer, zgRAT |
188.114.96.3 | malicious | Shikitega, Xmrig |
188.114.96.3 | malicious | Unknown |
Match | Detection | Threat Name |
---|---|---|
CLOUDFLARENETUS | malicious | LummaC |
CLOUDFLARENETUS | malicious | Unknown |
CLOUDFLARENETUS | malicious | HtmlDropper |
CLOUDFLARENETUS | malicious | Unknown |
CLOUDFLARENETUS | malicious | HTMLPhisher |
CLOUDFLARENETUS | malicious | Unknown |
CLOUDFLARENETUS | malicious | Unknown |
CLOUDFLARENETUS | malicious | Unknown |
CLOUDFLARENETUS | malicious | MassLogger RAT, PureLog Stealer |
CLOUDFLARENETUS | malicious | GuLoader, Snake Keylogger |
Match | Detection | Threat Name |
---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | malicious | LummaC |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | LummaC |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | Unknown |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | LummaC |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | LummaC |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | HTMLPhisher |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | LummaC |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | LummaC, Amadey, Credential Flusher, Stealc, Vidar |
Process: | C:\Users\user\Desktop\StudioDemo.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 138639 |
Entropy (8bit): | 4.286369825068587 |
Encrypted: | false |
SSDEEP: | 1536:ZMjsdRCCXpnzopj7/5dLopnQPporDa6meL4xmJ:fenLo9QP+lmeL4IJ |
MD5: | A7C8367F8B900617374F5D3FAC86DFD7 |
SHA1: | 6BDEAB34FA632083B2578708EB0C50443ED5E9A9 |
SHA-256: | E4F82DB7579D84B2DDB49B16A8CBD8256D86751473D1A86B4B31D1E3963BA0FA |
SHA-512: | 2C2E9D5445F4BDFBCA7F35881E9D133373145B40D26ECB9B122E60DD343B580FA3BC70C8B981B4AE7E3D9B8C4EA90C6A77F7328A60CBE0F2515EE364AD0CB0A3 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\StudioDemo.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 218125 |
Entropy (8bit): | 5.457704584855637 |
Encrypted: | false |
SSDEEP: | 3072:zKHyW445CPl85X3GJXlAnFhvMvOqGPUqdShdY5S8DoDT1JyBwJbMaky9nwe+L/Iq:LWY4KTvqd8dYQ8uJcwSy9nQ |
MD5: | 0FEFBA04D8BBEDD2CFF7EB75C3834847 |
SHA1: | 054D11200D77C1B5DFB3B98A33973623619D34BE |
SHA-256: | DBBDB23093B0732EE1504F79D3835B1C6B2E3F526AB42A6DA381E6CEC2648AE5 |
SHA-512: | 3CEAA01275E2DEC044BA5F8D41092EB4F28E62CDAD24A71C8F7F57E4C48B709568C8C376BF2B048DC989810FB8EB91F2D944379804D5D85480A26663FC3F90FE |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\StudioDemo.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 802466 |
Entropy (8bit): | 4.298722687837962 |
Encrypted: | false |
SSDEEP: | 6144:Z6TjefxOXTNwk8mCkCbCp4wrZaWvZEIhU4FFEY+cbCtNYbIgoxrV2z1J:Z6TjefxOXTNUkCbCp42aW4NwL |
MD5: | 4C6E1287B2F6060C1E0F386B0B47959A |
SHA1: | 0FA0C721B6848D78C73FCF74BB37891A17FF0999 |
SHA-256: | C8DB5A41C7EC02EB2F1F20A6CD544DB215246AD9D566EA9494D63521B9B1E271 |
SHA-512: | 0FF6A037A413BE93DCB3C1B4C26CB9938025F34D9AA20818FBDED5B4B00BC89DCBA9EB58756BAFBA852CA972C058BDDB087E9CB58C9B442AC936C93590E14C13 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\StudioDemo.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1155588 |
Entropy (8bit): | 5.4159552687244155 |
Encrypted: | false |
SSDEEP: | 12288:D2DUMiOfGYFO/1pf0ThVUhI2PoEMuCfzT/2ZoEC74RiCfulDlJ:MZFO/1pf9hI2EjT/2ZoEC74RiCfulDlJ |
MD5: | BE06DF1EE810220598CAE6D42AE2FD77 |
SHA1: | 5DD0B0F101FDE69B49E37947380431D75D26125C |
SHA-256: | 09E18C6FA27068005DA8BCBB802C70B1C182866274478C684A4AB652ACAF2BBD |
SHA-512: | BF40F52E37DFDBEE4AC4F562A28520893D3C8C13FDDB7A94E94458B1E8591162EADF3A4BE401A2FF6C2CE2449721F3F036C2B41571BB3C491E7F648595BAA8FA |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 6.036096665517919 |
TrID: | |
File name: | StudioDemo.exe |
File size: | 27'028'992 bytes |
MD5: | c2572a275e098d91a781656e6895a22e |
SHA1: | e62db47eaf2e12f3cf628141f3cfb104650f151d |
SHA256: | 792a9b5b55a9a6104d397296ca0e259d0f98f7991da7986cdc611e579232ac5a |
SHA512: | 714e6493dd1b2e73c3e238b72278778c238c0e09ab548cab550f8e60491a50278c2386d18118b92e389e5505bd2a638053e037ad23ba331f2e4ccba5cfba42d6 |
SSDEEP: | 196608:8qxkmM72bIUREV4zLtcMiKSx64dpQRnJBV/LIIE1uoCkTF5L53CU:FtgJdpQRzoCkTFF53b |
TLSH: | 6747F810EA8BA0F2FE43487114DF312F63345D059B298ACBF68D7A19FB77AA20677505 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........L........................................@.................................Mz....@................................ |
Icon Hash: | 2d2e3797b32b2b99 |
Entrypoint: | 0x46eed0 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x0 [Thu Jan 1 00:00:00 1970 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 1 |
File Version Major: | 6 |
File Version Minor: | 1 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 1 |
Import Hash: | 4f2f006e2ecf7172ad368f8289dc96c1 |
Instruction |
---|
jmp 00007F276CEE9F90h |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
sub esp, 28h |
mov dword ptr [esp+1Ch], ebx |
mov dword ptr [esp+10h], ebp |
mov dword ptr [esp+14h], esi |
mov dword ptr [esp+18h], edi |
mov dword ptr [esp], eax |
mov dword ptr [esp+04h], ecx |
call 00007F276CECF696h |
mov eax, dword ptr [esp+08h] |
mov edi, dword ptr [esp+18h] |
mov esi, dword ptr [esp+14h] |
mov ebp, dword ptr [esp+10h] |
mov ebx, dword ptr [esp+1Ch] |
add esp, 28h |
retn 0004h |
ret |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
sub esp, 08h |
mov ecx, dword ptr [esp+0Ch] |
mov edx, dword ptr [ecx] |
mov eax, esp |
mov dword ptr [edx+04h], eax |
sub eax, 00010000h |
mov dword ptr [edx], eax |
add eax, 00000BA0h |
mov dword ptr [edx+08h], eax |
mov dword ptr [edx+0Ch], eax |
lea edi, dword ptr [ecx+34h] |
mov dword ptr [edx+18h], ecx |
mov dword ptr [edi], edx |
mov dword ptr [esp+04h], edi |
call 00007F276CEEC3C4h |
cld |
call 00007F276CEEB47Eh |
call 00007F276CEEA0B9h |
add esp, 08h |
ret |
mov ebx, dword ptr [esp+04h] |
mov dword ptr fs:[00000034h], 00000000h |
mov ebp, esp |
mov ecx, dword ptr [ebx+04h] |
mov eax, ecx |
shl eax, 02h |
sub esp, eax |
mov edi, esp |
mov esi, dword ptr [ebx+08h] |
cld |
rep movsd |
call dword ptr [ebx] |
mov esp, ebp |
mov ebx, dword ptr [esp+04h] |
mov dword ptr [ebx+0Ch], eax |
mov dword ptr [ebx+10h], edx |
mov eax, dword ptr fs:[00000034h] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1966000 | 0x45e | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x19fa000 | 0x1f54 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1967000 | 0x91d32 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x18ebe40 | 0xb8 | .data |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x93b139 | 0x93b200 | ba6d7276561529c9f71bb1ece55b2761 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x93d000 | 0xfac35c | 0xfac400 | 382086016945d2f33aa99eec906d6441 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x18ea000 | 0x7b768 | 0x4ae00 | 5da3294dac2b31157edef7ed615aca23 | False | 0.4364109453255426 | data | 5.830213900990919 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0x1966000 | 0x45e | 0x600 | c5b2da0d6cbe34f3d3cb3dec33644522 | False | 0.3626302083333333 | data | 4.024800328523657 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.reloc | 0x1967000 | 0x91d32 | 0x91e00 | e729dc3ab66ddf65b235d04e1fd8e239 | False | 0.5050292550342759 | data | 6.717545360886359 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.symtab | 0x19f9000 | 0x4 | 0x200 | 07b5472d347d42780469fb2654b7fc54 | False | 0.02734375 | data | 0.020393135236084953 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.rsrc | 0x19fa000 | 0x1f54 | 0x2000 | 713519344a29cddf1c0b21d6163cb3e6 | False | 0.3343505859375 | data | 4.704956080753949 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x19fa1d4 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.5675675675675675 |
RT_ICON | 0x19fa2fc | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | English | United States | 0.4486994219653179 |
RT_ICON | 0x19fa864 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.4637096774193548 |
RT_ICON | 0x19fab4c | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States | 0.3935018050541516 |
RT_GROUP_ICON | 0x19fb3f4 | 0x3e | data | English | United States | 0.8387096774193549 |
RT_VERSION | 0x19fb434 | 0x4f4 | data | English | United States | 0.2902208201892745 |
RT_MANIFEST | 0x19fb928 | 0x62c | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4240506329113924 |
DLL | Import |
---|---|
kernel32.dll | WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler |
Language of compilation system | Country where language is spoken |
---|---|
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-24T14:51:23.570477+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49731 | 188.114.96.3 | 443 | TCP |
2024-10-24T14:51:23.570477+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49731 | 188.114.96.3 | 443 | TCP |
2024-10-24T14:51:25.212636+0200 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49735 | 188.114.96.3 | 443 | TCP |
2024-10-24T14:51:25.212636+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49735 | 188.114.96.3 | 443 | TCP |
2024-10-24T14:51:34.795385+0200 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49744 | 188.114.96.3 | 443 | TCP |
2024-10-24T14:51:35.769185+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49745 | 188.114.96.3 | 443 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 24, 2024 14:51:22.291280031 CEST | 60097 | 53 | 192.168.2.4 | 1.1.1.1 |
Oct 24, 2024 14:51:22.305902958 CEST | 53 | 60097 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Oct 24, 2024 14:51:22.291280031 CEST | 192.168.2.4 | 1.1.1.1 | 0xeea7 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Oct 24, 2024 14:51:22.305902958 CEST | 1.1.1.1 | 192.168.2.4 | 0xeea7 | No error (0) | | | 188.114.96.3 | A (IP address) | IN (0x0001) | false |
Oct 24, 2024 14:51:22.305902958 CEST | 1.1.1.1 | 192.168.2.4 | 0xeea7 | No error (0) | | | 188.114.97.3 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.4 | 49731 | 188.114.96.3 | 443 | 6984 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-24 12:51:23 UTC | 260 | OUT | |
2024-10-24 12:51:23 UTC | 8 | OUT | |
2024-10-24 12:51:23 UTC | 1009 | IN | |
2024-10-24 12:51:23 UTC | 7 | IN | |
2024-10-24 12:51:23 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.4 | 49735 | 188.114.96.3 | 443 | 6984 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-24 12:51:24 UTC | 261 | OUT | |
2024-10-24 12:51:24 UTC | 77 | OUT | |
2024-10-24 12:51:25 UTC | 1007 | IN | |
2024-10-24 12:51:25 UTC | 362 | IN | |
2024-10-24 12:51:25 UTC | 1369 | IN | |
2024-10-24 12:51:25 UTC | 1369 | IN | |
2024-10-24 12:51:25 UTC | 1369 | IN | |
2024-10-24 12:51:25 UTC | 1369 | IN | |
2024-10-24 12:51:25 UTC | 1369 | IN | |
2024-10-24 12:51:25 UTC | 1369 | IN | |
2024-10-24 12:51:25 UTC | 1369 | IN | |
2024-10-24 12:51:25 UTC | 1369 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.4 | 49737 | 188.114.96.3 | 443 | 6984 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-24 12:51:26 UTC | 279 | OUT | |
2024-10-24 12:51:26 UTC | 15331 | OUT | |
2024-10-24 12:51:26 UTC | 2830 | OUT | |
2024-10-24 12:51:26 UTC | 1007 | IN | |
2024-10-24 12:51:26 UTC | 23 | IN | |
2024-10-24 12:51:26 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.4 | 49739 | 188.114.96.3 | 443 | 6984 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-24 12:51:27 UTC | 278 | OUT | |
2024-10-24 12:51:27 UTC | 8782 | OUT | |
2024-10-24 12:51:27 UTC | 1003 | IN | |
2024-10-24 12:51:27 UTC | 23 | IN | |
2024-10-24 12:51:27 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.4 | 49740 | 188.114.96.3 | 443 | 6984 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-24 12:51:28 UTC | 279 | OUT | |
2024-10-24 12:51:28 UTC | 15331 | OUT | |
2024-10-24 12:51:28 UTC | 5104 | OUT | |
2024-10-24 12:51:29 UTC | 1003 | IN | |
2024-10-24 12:51:29 UTC | 23 | IN | |
2024-10-24 12:51:29 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.4 | 49741 | 188.114.96.3 | 443 | 6984 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-24 12:51:30 UTC | 278 | OUT | |
2024-10-24 12:51:30 UTC | 3802 | OUT | |
2024-10-24 12:51:31 UTC | 1008 | IN | |
2024-10-24 12:51:31 UTC | 23 | IN | |
2024-10-24 12:51:31 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.4 | 49742 | 188.114.96.3 | 443 | 6984 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-24 12:51:31 UTC | 278 | OUT | |
2024-10-24 12:51:31 UTC | 3818 | OUT | |
2024-10-24 12:51:32 UTC | 1001 | IN | |
2024-10-24 12:51:32 UTC | 23 | IN | |
2024-10-24 12:51:32 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.4 | 49743 | 188.114.96.3 | 443 | 6984 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-24 12:51:32 UTC | 278 | OUT | |
2024-10-24 12:51:32 UTC | 1255 | OUT | |
2024-10-24 12:51:33 UTC | 1001 | IN | |
2024-10-24 12:51:33 UTC | 23 | IN | |
2024-10-24 12:51:33 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
8 | 192.168.2.4 | 49744 | 188.114.96.3 | 443 | 6984 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-24 12:51:34 UTC | 278 | OUT | |
2024-10-24 12:51:34 UTC | 1121 | OUT | |
2024-10-24 12:51:34 UTC | 1004 | IN | |
2024-10-24 12:51:34 UTC | 23 | IN | |
2024-10-24 12:51:34 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
9 | 192.168.2.4 | 49745 | 188.114.96.3 | 443 | 6984 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-24 12:51:35 UTC | 262 | OUT | |
2024-10-24 12:51:35 UTC | 112 | OUT | |
2024-10-24 12:51:35 UTC | 1008 | IN | |
2024-10-24 12:51:35 UTC | 54 | IN | |
2024-10-24 12:51:35 UTC | 5 | IN | |
Target ID: | 0 |
Start time: | 08:51:03 |
Start date: | 24/10/2024 |
Path: | C:\Users\user\Desktop\StudioDemo.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd20000 |
File size: | 27'028'992 bytes |
MD5 hash: | C2572A275E098D91A781656E6895A22E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 08:51:12 |
Start date: | 24/10/2024 |
Path: | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x470000 |
File size: | 231'736 bytes |
MD5 hash: | A64BEAB5D4516BECA4C40B25DC0C1CD8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | moderate |
Has exited: | true |
Function | Relevance | APIs | Strings | Instructions | Tags | Control-flow graph |
---|---|---|---|---|---|---|
00D5AF90 | 11.4 | | 9 | 183 | COMMON | |
00D6B600 | 6.3 | | 5 | 83 | COMMON | |
Execution Graph
Execution Coverage: | 7% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 63.6% |
Total number of Nodes: | 247 |
Total number of Limit Nodes: | 25 |
Graph
Function | Relevance | APIs | Strings | Instructions | Tags | Control-flow graph |
---|---|---|---|---|---|---|
0043C0D9 | 25.4 | 8 | 6 | 940 | memory, COMMON | |
004108F0 | 14.1 | | 11 | 385 | COMMON | yes |
00426744 | 10.2 | | 8 | 165 | COMMON | yes |
0042FF9C | 9.9 | | 7 | 1154 | COMMON | |
0043C3FA | 8.2 | 5 | | 703 | COMMON | yes |
0040DF60 | 5.3 | | 4 | 340 | COMMON | yes |
0040F95D | 4.4 | | 3 | 643 | COMMON | yes |
0043C0A8 | 3.7 | 2 | | 697 | COMMON | yes |
0042AF30 | 2.8 | | 2 | 299 | COMMON | |
0043BB50 | 2.7 | | 2 | 245 | COMMON | |
0043BE60 | 1.6 | 1 | | 62 | com, COMMON | |
00441A80 | 1.5 | 1 | | 14 | library, COMMON | |
00428900 | 1.4 | | 1 | 128 | COMMON | |
00445770 | 1.4 | | 1 | 103 | COMMON | |
0041CA15 | .4 | | | 442 | COMMON | |
0042FA20 | .4 | | | 438 | COMMON | |
004101A0 | .3 | | | 325 | COMMON | |
00446140 | .3 | | | 289 | COMMON | |
00445890 | .3 | | | 280 | COMMON | |
00406740 | .2 | | | 230 | COMMON | |
004420E8 | .2 | | | 160 | COMMON | |
00441FBE | .1 | | | 79 | COMMON | |
0040D5F0 | 6.1 | 4 | | 68 | thread, COMMON | yes |
0043E615 | 3.5 | 1 | 1 | 14 | memory, COMMON | yes |
0043BF63 | 3.1 | 2 | | 86 | memory, COMMON | yes |
00410F69 | 3.0 | 2 | | 36 | COMMON | yes |
0043C581 | 3.0 | 2 | | 19 | COMMON | |
004419A0 | 1.6 | 1 | | 79 | memory, COMMON | |
0043E656 | 1.6 | 1 | | 52 | memory, COMMON | |
00441B90 | 1.5 | 1 | | 44 | COMMON | |
004366C1 | 1.5 | 1 | | 21 | COMMON | |
00441BE8 | 1.5 | 1 | | 18 | COMMON | |
00433FF0 | 1.5 | 1 | | 15 | COMMON | |
00410F40 | 1.5 | 1 | | 12 | COMMON | |
00428B15 | 40.7 | | 32 | 675 | COMMON | |
00401000 | 19.5 | | 14 | 1989 | COMMON | |
0041FED0 | 17.9 | | 13 | 1668 | COMMON | |
004012D5 | 16.0 | | 12 | 987 | COMMON | |
00436BC0 | 15.9 | 6 | 3 | 123 | clipboard, COMMON | |
00425030 | 13.0 | | 10 | 459 | COMMON | |
00423AB0 | 11.9 | | 9 | 696 | COMMON | |
0041D0D0 | 9.1 | 2 | 3 | 366 | thread, COMMON | |
004214C0 | 8.3 | | 6 | 767 | COMMON | |
0041DF4C | 6.9 | | 5 | 648 | COMMON | |
0042E010 | 6.9 | | 5 | 631 | COMMON | |
00401328 | 6.6 | | 5 | 389 | COMMON | |
00443620 | 5.8 | | 4 | 797 | COMMON | |
0043F500 | 5.7 | | 4 | 693 | COMMON | |
0043A482 | 5.3 | | 4 | 280 | COMMON | |
00429B40 | 5.2 | | 4 | 250 | COMMON | |
004225F0 | 4.5 | | 3 | 750 | COMMON | |
00429731 | 4.3 | | 3 | 540 | COMMON | |
004232C0 | 4.3 | | 3 | 512 | COMMON | |
0042A5CF | 4.2 | | 3 | 481 | COMMON | |
00427A8A | 4.2 | | 3 | 472 | COMMON | |
00427767 | 4.0 | | 3 | 286 | COMMON | |
004441D0 | 4.0 | | 3 | 234 | COMMON | |
00429680 | 3.9 | | 3 | 178 | COMMON | |
00444380 | 3.9 | | 3 | 127 | COMMON | |
0042F1E0 | 3.0 | | 2 | 539 | COMMON | |
00427040 | 3.0 | | 2 | 481 | COMMON | |
004038E0 | 2.9 | | 2 | 404 | COMMON | |
0042CF80 | 2.9 | | 2 | 387 | COMMON | |
00421E00 | 2.9 | | 2 | 369 | COMMON | |
00411D5F | 2.6 | | 2 | 150 | COMMON | |
0041FAD5 | 2.6 | | 2 | 94 | COMMON | |
00405460 | 1.8 | | 1 | 541 | COMMON | |
00426DE0 | 1.7 | 1 | | 241 | com, COMMON | |
0042D8E0 | 1.7 | | 1 | 479 | COMMON | |
0042B427 | 1.7 | | 1 | 449 | COMMON | |
00429C41 | 1.7 | | 1 | 434 | COMMON | |
00442589 | 1.6 | | 1 | 368 | COMMON | |
0043EB50 | 1.5 | | 1 | 256 | COMMON | |
00440010 | 1.5 | | 1 | 240 | COMMON | |
0042EC10 | 1.5 | | 1 | 237 | COMMON | |
00436780 | 1.5 | | 1 | 231 | COMMON | |
004436B0 | 1.5 | | 1 | 204 | COMMON | |
00417FCB | 1.4 | | 1 | 131 | COMMON | |
0042BA62 | 1.3 | | 1 | 52 | COMMON | |
0040C2F0 | .8 | | | 807 | COMMON | |
00407510 | .7 | | | 681 | COMMON | |
0040B7E0 | .7 | | | 670 | COMMON | |
0043C5C0 | .6 | | | 636 | COMMON | |
00407F50 | .6 | | | 630 | COMMON | |
0043CAF0 | .6 | | | 569 | COMMON | |
0044AED2 | .5 | | | 496 | COMMON | |
0040A700 | .5 | | | 451 | COMMON | |
00444590 | .4 | | | 441 | COMMON | |
004093E0 | .4 | | | 369 | COMMON | |
00442C90 | .4 | | | 351 | COMMON | |
0042D485 | .3 | | | 342 | COMMON | |
0040B310 | .3 | | | 329 | COMMON | |
00434A4D | .3 | | | 320 | COMMON | |
00445B60 | .3 | | | 287 | COMMON | |
0043B500 | .3 | | | 276 | COMMON | |
00445E50 | .3 | | | 272 | COMMON | |
004430B0 | .3 | | | 255 | COMMON | |
00414A5E | .2 | | | 229 | COMMON | |
004333C7 | .2 | | | 214 | COMMON | |
00442A70 | .2 | | | 210 | COMMON | |
00422F90 | .2 | | | 200 | COMMON | |
0043B2A0 | .2 | | | 189 | COMMON | |
0042D2A0 | .2 | | | 175 | COMMON | |
0043EE40 | .2 | | | 170 | COMMON | |
00405CB0 | .2 | | | 163 | COMMON | |
0040A008 | .2 | | | 158 | COMMON | |
0043C870 | .1 | | | 120 | COMMON | |
0042F850 | .1 | | | 117 | COMMON | |
0043BA40 | .1 | | | 117 | COMMON | |
00404CA0 | .1 | | | 95 | COMMON | |
00407150 | .1 | | | 76 | COMMON | |
0040A49A | .1 | | | 65 | COMMON | |
004393A0 | .1 | | | 64 | COMMON | |
0042EB70 | .1 | | | 63 | COMMON | |
00442074 | .0 | | | 37 | COMMON | |
0041D8C0 | 8.9 | 4 | 1 | 102 | thread, window, COMMON | |