Edit tour
Windows
Analysis Report
Setup.exe
Overview
General Information
| Sample name: | Setup.exe |
| Analysis ID: | 1542822 |
| MD5: | c5f86099f8c1b5b8a8b5c9c884b764a4 |
| SHA1: | a2686f52b8f9a95fca10082a37e0a5270576bb0f |
| SHA256: | a34d6e9743d028c4c7f91bace1a4d1b0b75d71774af8215c0819d84e29a89ef1 |
| Tags: | exeuser-aachum |
| Infos: |  |
 | |
Detection
LummaC
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
Setup.exe (PID: 6228 cmdline: "C:\Users\ user\Deskt op\Setup.e xe" MD5: C5F86099F8C1B5B8A8B5C9C884B764A4) 
BitLockerToGo.exe (PID: 5232 cmdline: "C:\Window s\BitLocke rDiscovery VolumeCont ents\BitLo ckerToGo.e xe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
{"C2 url": ["ostracizez.sbs", "elaboretib.sbs", "definitib.sbs", "strikebripm.sbs", "mediavelk.sbs", "activedomest.sbs", "arenbootk.sbs", "fashionablei.sbs", "offybirhtdi.sbs"], "Build id": "tLYMe5--testtesttest"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| Click to see the 14 entries | ||||
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-26T16:02:17.520081+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49747 | 188.114.97.3 | 443 | TCP |
| 2024-10-26T16:02:18.880458+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49758 | 188.114.97.3 | 443 | TCP |
| 2024-10-26T16:02:31.525182+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49839 | 188.114.97.3 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-26T16:02:17.520081+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.6 | 49747 | 188.114.97.3 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-26T16:02:18.880458+0200 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.6 | 49758 | 188.114.97.3 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-26T16:02:20.289488+0200 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49768 | 188.114.97.3 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Code function: | 2_2_0041E9B6 | |
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 2_2_004420E8 | |
| Source: | Code function: | 2_2_00406740 | |
| Source: | Code function: | 2_2_00445770 | |
| Source: | Code function: | 2_2_00445890 | |
| Source: | Code function: | 2_2_00428900 | |
| Source: | Code function: | 2_2_0041E9B6 | |
| Source: | Code function: | 2_2_0041E9B6 | |
| Source: | Code function: | 2_2_0041CA15 | |
| Source: | Code function: | 2_2_00431A22 | |
| Source: | Code function: | 2_2_0040DF60 | |
| Source: | Code function: | 2_2_0042FF9C | |
| Source: | Code function: | 2_2_0042FF9C | |
| Source: | Code function: | 2_2_0042FF9C | |
| Source: | Code function: | 2_2_0042FF9C | |
| Source: | Code function: | 2_2_00441FBE | |
| Source: | Code function: | 2_2_00442074 | |
| Source: | Code function: | 2_2_00401000 | |
| Source: | Code function: | 2_2_00401000 | |
| Source: | Code function: | 2_2_00440010 | |
| Source: | Code function: | 2_2_00425030 | |
| Source: | Code function: | 2_2_0042F1E0 | |
| Source: | Code function: | 2_2_004012D5 | |
| Source: | Code function: | 2_2_0042D2A0 | |
| Source: | Code function: | 2_2_0042D2A0 | |
| Source: | Code function: | 2_2_004393A0 | |
| Source: | Code function: | 2_2_004214C0 | |
| Source: | Code function: | 2_2_0042D485 | |
| Source: | Code function: | 2_2_0043F500 | |
| Source: | Code function: | 2_2_00442589 | |
| Source: | Code function: | 2_2_00443620 | |
| Source: | Code function: | 2_2_00429680 | |
| Source: | Code function: | 2_2_004436B0 | |
| Source: | Code function: | 2_2_00429731 | |
| Source: | Code function: | 2_2_0043C870 | |
| Source: | Code function: | 2_2_0042D8E0 | |
| Source: | Code function: | 2_2_0042BA62 | |
| Source: | Code function: | 2_2_0041FAD5 | |
| Source: | Code function: | 2_2_00427A8A | |
| Source: | Code function: | 2_2_00429B40 | |
| Source: | Code function: | 2_2_0042EB70 | |
| Source: | Code function: | 2_2_00428B15 | |
| Source: | Code function: | 2_2_0042D8E0 | |
| Source: | Code function: | 2_2_00429C41 | |
| Source: | Code function: | 2_2_0042EC10 | |
| Source: | Code function: | 2_2_00404CA0 | |
| Source: | Code function: | 2_2_00405CB0 | |
| Source: | Code function: | 2_2_00426DE0 | |
| Source: | Code function: | 2_2_0043EE40 | |
| Source: | Code function: | 2_2_00421E00 | |
| Source: | Code function: | 2_2_0041FED0 | |
| Source: | Code function: | 2_2_0041DF4C | |
| Source: | Code function: | 2_2_0041DF4C | |
| Source: | Code function: | 2_2_0042CF80 | |
| Source: | Code function: | 2_2_0042CF80 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 2_2_00436BC0 | |
| Source: | Code function: | 2_2_00436BC0 | |
| Source: | Code function: | 2_2_00437689 | |
| Source: | Code function: | 2_2_0043C0D9 | |
| Source: | Code function: | 2_2_004420E8 | |
| Source: | Code function: | 2_2_0043C0A8 | |
| Source: | Code function: | 2_2_00446140 | |
| Source: | Code function: | 2_2_004101A0 | |
| Source: | Code function: | 2_2_00426744 | |
| Source: | Code function: | 2_2_004108F0 | |
| Source: | Code function: | 2_2_00445890 | |
| Source: | Code function: | 2_2_0040F95D | |
| Source: | Code function: | 2_2_0041E9B6 | |
| Source: | Code function: | 2_2_0041CA15 | |
| Source: | Code function: | 2_2_00431A22 | |
| Source: | Code function: | 2_2_0042FA20 | |
| Source: | Code function: | 2_2_0043BB50 | |
| Source: | Code function: | 2_2_0040DF60 | |
| Source: | Code function: | 2_2_0042AF30 | |
| Source: | Code function: | 2_2_0042FF9C | |
| Source: | Code function: | 2_2_00427040 | |
| Source: | Code function: | 2_2_00401000 | |
| Source: | Code function: | 2_2_0040A008 | |
| Source: | Code function: | 2_2_0042E010 | |
| Source: | Code function: | 2_2_00440010 | |
| Source: | Code function: | 2_2_0041D0D0 | |
| Source: | Code function: | 2_2_004430B0 | |
| Source: | Code function: | 2_2_00407150 | |
| Source: | Code function: | 2_2_004441D0 | |
| Source: | Code function: | 2_2_0042F1E0 | |
| Source: | Code function: | 2_2_004232C0 | |
| Source: | Code function: | 2_2_004012D5 | |
| Source: | Code function: | 2_2_0040C2F0 | |
| Source: | Code function: | 2_2_0043B2A0 | |
| Source: | Code function: | 2_2_0040B310 | |
| Source: | Code function: | 2_2_00401328 | |
| Source: | Code function: | 2_2_004333C7 | |
| Source: | Code function: | 2_2_004093E0 | |
| Source: | Code function: | 2_2_0043C3FA | |
| Source: | Code function: | 2_2_00444380 | |
| Source: | Code function: | 2_2_00405460 | |
| Source: | Code function: | 2_2_0042B427 | |
| Source: | Code function: | 2_2_004214C0 | |
| Source: | Code function: | 2_2_0043A482 | |
| Source: | Code function: | 2_2_0042D485 | |
| Source: | Code function: | 2_2_0040A49A | |
| Source: | Code function: | 2_2_0043F500 | |
| Source: | Code function: | 2_2_0043B500 | |
| Source: | Code function: | 2_2_00407510 | |
| Source: | Code function: | 2_2_0043C5C0 | |
| Source: | Code function: | 2_2_0042A5CF | |
| Source: | Code function: | 2_2_004225F0 | |
| Source: | Code function: | 2_2_00442589 | |
| Source: | Code function: | 2_2_00444590 | |
| Source: | Code function: | 2_2_00443620 | |
| Source: | Code function: | 2_2_004436B0 | |
| Source: | Code function: | 2_2_00427767 | |
| Source: | Code function: | 2_2_0040A700 | |
| Source: | Code function: | 2_2_00429731 | |
| Source: | Code function: | 2_2_0040B7E0 | |
| Source: | Code function: | 2_2_00436780 | |
| Source: | Code function: | 2_2_0042F850 | |
| Source: | Code function: | 2_2_004038E0 | |
| Source: | Code function: | 2_2_0042D8E0 | |
| Source: | Code function: | 2_2_00408970 | |
| Source: | Code function: | 2_2_0043BA40 | |
| Source: | Code function: | 2_2_00434A4D | |
| Source: | Code function: | 2_2_00414A5E | |
| Source: | Code function: | 2_2_00442A70 | |
| Source: | Code function: | 2_2_0043CAF0 | |
| Source: | Code function: | 2_2_00427A8A | |
| Source: | Code function: | 2_2_00423AB0 | |
| Source: | Code function: | 2_2_00429B40 | |
| Source: | Code function: | 2_2_0043EB50 | |
| Source: | Code function: | 2_2_00445B60 | |
| Source: | Code function: | 2_2_00428B15 | |
| Source: | Code function: | 2_2_0042D8E0 | |
| Source: | Code function: | 2_2_00411BA8 | |
| Source: | Code function: | 2_2_00429C41 | |
| Source: | Code function: | 2_2_0040AC70 | |
| Source: | Code function: | 2_2_00442C90 | |
| Source: | Code function: | 2_2_00445E50 | |
| Source: | Code function: | 2_2_0041FED0 | |
| Source: | Code function: | 2_2_0044AED2 | |
| Source: | Code function: | 2_2_0041DF4C | |
| Source: | Code function: | 2_2_00407F50 | |
| Source: | Code function: | 2_2_00417FCB | |
| Source: | Code function: | 2_2_0042CF80 | |
| Source: | Code function: | 2_2_00422F90 | |
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 2_2_0043BE60 | |
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | ReversingLabs: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 2_2_00426007 | |
| Source: | Code function: | 2_2_0044F20E | |
| Source: | Code function: | 2_2_0043EAAE | |
| Source: | Code function: | 2_2_0044BBEF | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | System information queried: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 2_2_00441A80 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 311 Process Injection | 11 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 311 Process Injection | LSASS Memory | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | 41 Data from Local System | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | 2 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 22 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 16% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| fashionablei.sbs | 188.114.97.3 | true | true | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true | unknown | ||
| true | unknown | ||
| true | unknown | ||
| true | unknown | ||
| true | unknown | ||
| true | unknown | ||
| true | unknown | ||
| true | unknown | ||
| true | unknown | ||
| true | unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false | unknown | |||
| false | unknown | |||
| false |
| unknown | ||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | unknown | |||
| false |
| unknown | ||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false |
| unknown | ||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false |
| unknown | ||
| false | unknown | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | unknown | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | unknown | |||
| false | unknown | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 188.114.97.3 | fashionablei.sbs | European Union | 13335 | CLOUDFLARENETUS | true |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1542822 |
| Start date and time: | 2024-10-26 16:01:10 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 8s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 10 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | Setup.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@3/0@1/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target Setup.exe, PID 6228 because there are no executed function
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- VT rate limit hit for: Setup.exe
| Time | Type | Description |
|---|---|---|
| 10:02:16 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 188.114.97.3 | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Pushdo | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | DCRat | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| fashionablei.sbs | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | Stealc | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | Stealc | Browse |
| ||
| Get hash | malicious | CobaltStrike | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse |
|
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 6.415833234617627 |
| TrID: |
|
| File name: | Setup.exe |
| File size: | 10'651'136 bytes |
| MD5: | c5f86099f8c1b5b8a8b5c9c884b764a4 |
| SHA1: | a2686f52b8f9a95fca10082a37e0a5270576bb0f |
| SHA256: | a34d6e9743d028c4c7f91bace1a4d1b0b75d71774af8215c0819d84e29a89ef1 |
| SHA512: | 884c769f1323731f90a19082c573427bd883417f4f5f144badc9e6ec96847cd7f567f0575ba7be0b9a03f12781eb106d00aad26bdf0fcc33f114e804ed3c8401 |
| SSDEEP: | 98304:vPME2iQ5qNh+nHQhHbq0wJvHSWECW/atYt:vFFQKf/Bat0 |
| TLSH: | 68B62841F9CB49F6E943493150AB727F23319D058B39CBCBE6547B2AFC372920A36265 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........................I..l......0.............@.......................................@................................ |
 | |
| Icon Hash: | 4383636f52510c00 |
| Entrypoint: | 0x46d930 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x0 [Thu Jan 1 00:00:00 1970 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 1 |
| File Version Major: | 6 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 1 |
| Import Hash: | 4f2f006e2ecf7172ad368f8289dc96c1 |
| Instruction |
|---|
| jmp 00007FA654D3A560h |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| sub esp, 28h |
| mov dword ptr [esp+1Ch], ebx |
| mov dword ptr [esp+10h], ebp |
| mov dword ptr [esp+14h], esi |
| mov dword ptr [esp+18h], edi |
| mov dword ptr [esp], eax |
| mov dword ptr [esp+04h], ecx |
| call 00007FA654D1FDC6h |
| mov eax, dword ptr [esp+08h] |
| mov edi, dword ptr [esp+18h] |
| mov esi, dword ptr [esp+14h] |
| mov ebp, dword ptr [esp+10h] |
| mov ebx, dword ptr [esp+1Ch] |
| add esp, 28h |
| retn 0004h |
| ret |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| sub esp, 08h |
| mov ecx, dword ptr [esp+0Ch] |
| mov edx, dword ptr [ecx] |
| mov eax, esp |
| mov dword ptr [edx+04h], eax |
| sub eax, 00010000h |
| mov dword ptr [edx], eax |
| add eax, 00000BA0h |
| mov dword ptr [edx+08h], eax |
| mov dword ptr [edx+0Ch], eax |
| lea edi, dword ptr [ecx+34h] |
| mov dword ptr [edx+18h], ecx |
| mov dword ptr [edi], edx |
| mov dword ptr [esp+04h], edi |
| call 00007FA654D3C984h |
| cld |
| call 00007FA654D3BA4Eh |
| call 00007FA654D3A689h |
| add esp, 08h |
| ret |
| mov ebx, dword ptr [esp+04h] |
| mov dword ptr fs:[00000034h], 00000000h |
| mov ebp, esp |
| mov ecx, dword ptr [ebx+04h] |
| mov eax, ecx |
| shl eax, 02h |
| sub esp, eax |
| mov edi, esp |
| mov esi, dword ptr [ebx+08h] |
| cld |
| rep movsd |
| call dword ptr [ebx] |
| mov esp, ebp |
| mov ebx, dword ptr [esp+04h] |
| mov dword ptr [ebx+0Ch], eax |
| mov dword ptr [ebx+10h], edx |
| mov eax, dword ptr fs:[00000034h] |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9f5000 | 0x45e | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa32000 | 0x2a248 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x9f6000 | 0x3adfe | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x978c40 | 0xb8 | .data |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x49f839 | 0x49fa00 | 9e1b4c818f0460e9b4a4f8a7f90cc9c7 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x4a1000 | 0x4d64ac | 0x4d6600 | 3bfdcfb0b87eea69e8b25101cfd832c8 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x978000 | 0x7c308 | 0x4c800 | 861973732e2376040696278bd0798cf4 | False | 0.436596839256536 | data | 5.768610815962593 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0x9f5000 | 0x45e | 0x600 | 9478c29300bca8d1606cb0d00faadd39 | False | 0.361328125 | data | 3.87636263657324 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .reloc | 0x9f6000 | 0x3adfe | 0x3ae00 | 38f08e52f9e512fb8f4dd343e75bd41d | False | 0.5784982085987261 | data | 6.65207248593649 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| .symtab | 0xa31000 | 0x4 | 0x200 | 07b5472d347d42780469fb2654b7fc54 | False | 0.02734375 | data | 0.020393135236084953 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| .rsrc | 0xa32000 | 0x2a248 | 0x2a400 | 484bf95fec15722302dcd0c4c7fbbc60 | False | 0.12969790125739644 | data | 3.749306355679096 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xa322b0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 3779 x 3779 px/m | 0.4157801418439716 | ||
| RT_ICON | 0xa32718 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 3779 x 3779 px/m | 0.2733606557377049 | ||
| RT_ICON | 0xa330a0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3779 x 3779 px/m | 0.21575984990619138 | ||
| RT_ICON | 0xa34148 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 3779 x 3779 px/m | 0.13340248962655601 | ||
| RT_ICON | 0xa366f0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 3779 x 3779 px/m | 0.09801606046291922 | ||
| RT_ICON | 0xa3a918 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 20736, resolution 3779 x 3779 px/m | 0.0927449168207024 | ||
| RT_ICON | 0xa3fda0 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 3779 x 3779 px/m | 0.06758461215051503 | ||
| RT_ICON | 0xa49248 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 3779 x 3779 px/m | 0.05555719862770614 | ||
| RT_ICON | 0xa59a70 | 0x1c78 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | 0.9927277716794731 | ||
| RT_GROUP_ICON | 0xa5b6e8 | 0x84 | data | 0.7272727272727273 | ||
| RT_VERSION | 0xa5b76c | 0x4f4 | data | English | United States | 0.29574132492113564 |
| RT_MANIFEST | 0xa5bc60 | 0x5e8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4252645502645503 |
| DLL | Import |
|---|---|
| kernel32.dll | WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-26T16:02:17.520081+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.6 | 49747 | 188.114.97.3 | 443 | TCP |
| 2024-10-26T16:02:17.520081+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49747 | 188.114.97.3 | 443 | TCP |
| 2024-10-26T16:02:18.880458+0200 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.6 | 49758 | 188.114.97.3 | 443 | TCP |
| 2024-10-26T16:02:18.880458+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49758 | 188.114.97.3 | 443 | TCP |
| 2024-10-26T16:02:20.289488+0200 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.6 | 49768 | 188.114.97.3 | 443 | TCP |
| 2024-10-26T16:02:31.525182+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49839 | 188.114.97.3 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 26, 2024 16:02:16.376344919 CEST | 49747 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:16.376394987 CEST | 443 | 49747 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:16.376471996 CEST | 49747 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:16.379726887 CEST | 49747 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:16.379765987 CEST | 443 | 49747 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:16.999625921 CEST | 443 | 49747 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:16.999763966 CEST | 49747 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:17.001319885 CEST | 49747 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:17.001352072 CEST | 443 | 49747 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:17.001648903 CEST | 443 | 49747 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:17.050813913 CEST | 49747 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:17.050813913 CEST | 49747 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:17.050955057 CEST | 443 | 49747 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:17.520169973 CEST | 443 | 49747 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:17.520416021 CEST | 443 | 49747 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:17.520492077 CEST | 49747 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:17.534574032 CEST | 49747 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:17.534590960 CEST | 443 | 49747 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:17.777008057 CEST | 49758 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:17.777045965 CEST | 443 | 49758 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:17.777282000 CEST | 49758 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:17.777981043 CEST | 49758 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:17.777996063 CEST | 443 | 49758 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:18.387733936 CEST | 443 | 49758 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:18.387792110 CEST | 49758 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:18.388936043 CEST | 49758 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:18.388945103 CEST | 443 | 49758 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:18.389303923 CEST | 443 | 49758 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:18.390525103 CEST | 49758 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:18.390556097 CEST | 49758 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:18.390603065 CEST | 443 | 49758 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:18.880562067 CEST | 443 | 49758 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:18.880707979 CEST | 443 | 49758 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:18.880754948 CEST | 49758 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:18.880768061 CEST | 443 | 49758 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:18.880868912 CEST | 443 | 49758 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:18.880909920 CEST | 49758 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:18.880917072 CEST | 443 | 49758 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:18.881040096 CEST | 443 | 49758 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:18.881102085 CEST | 49758 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:18.881107092 CEST | 443 | 49758 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:18.881283045 CEST | 443 | 49758 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:18.881392002 CEST | 49758 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:18.881397963 CEST | 443 | 49758 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:18.886033058 CEST | 443 | 49758 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:18.886106968 CEST | 49758 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:18.886113882 CEST | 443 | 49758 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:18.931422949 CEST | 49758 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:18.996999025 CEST | 443 | 49758 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:18.997184992 CEST | 443 | 49758 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:18.997253895 CEST | 49758 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:18.997265100 CEST | 443 | 49758 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:18.997395039 CEST | 443 | 49758 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:18.997445107 CEST | 49758 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:18.997816086 CEST | 49758 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:18.997829914 CEST | 443 | 49758 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:18.997843027 CEST | 49758 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:18.997849941 CEST | 443 | 49758 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:19.149076939 CEST | 49768 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:19.149126053 CEST | 443 | 49768 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:19.149251938 CEST | 49768 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:19.149787903 CEST | 49768 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:19.149806976 CEST | 443 | 49768 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:19.758690119 CEST | 443 | 49768 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:19.758778095 CEST | 49768 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:19.760746002 CEST | 49768 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:19.760757923 CEST | 443 | 49768 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:19.761738062 CEST | 443 | 49768 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:19.764730930 CEST | 49768 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:19.764985085 CEST | 49768 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:19.765021086 CEST | 443 | 49768 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:20.289611101 CEST | 443 | 49768 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:20.289845943 CEST | 443 | 49768 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:20.289922953 CEST | 49768 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:20.321656942 CEST | 49768 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:20.321672916 CEST | 443 | 49768 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:20.508553982 CEST | 49778 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:20.508639097 CEST | 443 | 49778 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:20.508723021 CEST | 49778 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:20.509049892 CEST | 49778 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:20.509083986 CEST | 443 | 49778 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:21.123230934 CEST | 443 | 49778 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:21.123380899 CEST | 49778 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:21.124567032 CEST | 49778 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:21.124598980 CEST | 443 | 49778 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:21.124857903 CEST | 443 | 49778 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:21.126183033 CEST | 49778 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:21.126348972 CEST | 49778 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:21.126396894 CEST | 443 | 49778 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:21.126477003 CEST | 49778 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:21.126492023 CEST | 443 | 49778 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:23.359010935 CEST | 443 | 49778 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:23.359260082 CEST | 443 | 49778 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:23.359347105 CEST | 49778 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:23.360456944 CEST | 49778 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:23.360543966 CEST | 443 | 49778 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:23.742255926 CEST | 49796 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:23.742284060 CEST | 443 | 49796 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:23.742477894 CEST | 49796 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:23.742809057 CEST | 49796 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:23.742821932 CEST | 443 | 49796 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:24.359797955 CEST | 443 | 49796 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:24.359951019 CEST | 49796 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:24.369285107 CEST | 49796 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:24.369321108 CEST | 443 | 49796 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:24.369617939 CEST | 443 | 49796 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:24.384536982 CEST | 49796 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:24.384738922 CEST | 49796 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:24.384814024 CEST | 443 | 49796 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:24.385000944 CEST | 49796 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:24.385016918 CEST | 443 | 49796 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:25.087369919 CEST | 443 | 49796 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:25.087618113 CEST | 443 | 49796 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:25.088613033 CEST | 49796 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:25.088819027 CEST | 49796 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:25.088836908 CEST | 443 | 49796 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:25.476809978 CEST | 49807 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:25.476843119 CEST | 443 | 49807 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:25.476916075 CEST | 49807 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:25.477210045 CEST | 49807 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:25.477225065 CEST | 443 | 49807 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:26.091849089 CEST | 443 | 49807 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:26.092108011 CEST | 49807 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:26.094204903 CEST | 49807 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:26.094213009 CEST | 443 | 49807 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:26.094507933 CEST | 443 | 49807 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:26.104599953 CEST | 49807 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:26.104650021 CEST | 49807 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:26.104782104 CEST | 443 | 49807 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:26.608973026 CEST | 443 | 49807 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:26.609097004 CEST | 443 | 49807 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:26.609421015 CEST | 49807 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:26.609421015 CEST | 49807 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:26.682148933 CEST | 49816 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:26.682223082 CEST | 443 | 49816 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:26.682363987 CEST | 49816 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:26.682743073 CEST | 49816 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:26.682775021 CEST | 443 | 49816 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:27.289609909 CEST | 443 | 49816 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:27.289772987 CEST | 49816 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:27.291565895 CEST | 49816 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:27.291588068 CEST | 443 | 49816 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:27.292078972 CEST | 443 | 49816 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:27.293363094 CEST | 49816 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:27.293500900 CEST | 49816 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:27.293540001 CEST | 443 | 49816 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:27.624315977 CEST | 443 | 49816 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:27.624403954 CEST | 443 | 49816 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:27.624680996 CEST | 49816 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:27.624952078 CEST | 49816 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:27.624999046 CEST | 443 | 49816 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:27.761651039 CEST | 49822 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:27.761701107 CEST | 443 | 49822 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:27.761771917 CEST | 49822 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:27.762479067 CEST | 49822 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:27.762495041 CEST | 443 | 49822 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:28.398689985 CEST | 443 | 49822 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:28.398890018 CEST | 49822 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:28.400759935 CEST | 49822 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:28.400778055 CEST | 443 | 49822 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:28.401695967 CEST | 443 | 49822 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:28.402981043 CEST | 49822 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:28.403089046 CEST | 49822 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:28.403098106 CEST | 443 | 49822 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:28.907624960 CEST | 443 | 49822 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:28.907877922 CEST | 443 | 49822 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:28.908031940 CEST | 49822 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:28.909261942 CEST | 49822 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:28.909286022 CEST | 443 | 49822 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:28.977991104 CEST | 49830 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:28.978070974 CEST | 443 | 49830 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:28.978174925 CEST | 49830 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:28.978707075 CEST | 49830 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:28.978744984 CEST | 443 | 49830 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:29.588390112 CEST | 443 | 49830 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:29.588510036 CEST | 49830 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:29.589983940 CEST | 49830 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:29.589996099 CEST | 443 | 49830 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:29.590337038 CEST | 443 | 49830 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:29.608704090 CEST | 49830 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:29.608831882 CEST | 49830 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:29.608858109 CEST | 443 | 49830 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:30.121074915 CEST | 443 | 49830 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:30.121196985 CEST | 443 | 49830 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:30.121264935 CEST | 49830 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:30.121377945 CEST | 49830 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:30.121392965 CEST | 443 | 49830 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:30.163847923 CEST | 49839 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:30.163887978 CEST | 443 | 49839 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:30.163980007 CEST | 49839 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:30.164338112 CEST | 49839 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:30.164350986 CEST | 443 | 49839 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:31.027713060 CEST | 443 | 49839 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:31.027791023 CEST | 49839 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:31.029093981 CEST | 49839 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:31.029103041 CEST | 443 | 49839 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:31.029434919 CEST | 443 | 49839 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:31.030817986 CEST | 49839 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:31.030843019 CEST | 49839 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:31.030895948 CEST | 443 | 49839 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:31.525222063 CEST | 443 | 49839 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:31.525377989 CEST | 443 | 49839 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:31.525432110 CEST | 49839 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:31.525901079 CEST | 49839 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:31.525907993 CEST | 443 | 49839 | 188.114.97.3 | 192.168.2.6 |
| Oct 26, 2024 16:02:31.525922060 CEST | 49839 | 443 | 192.168.2.6 | 188.114.97.3 |
| Oct 26, 2024 16:02:31.525929928 CEST | 443 | 49839 | 188.114.97.3 | 192.168.2.6 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 26, 2024 16:02:16.355534077 CEST | 59483 | 53 | 192.168.2.6 | 1.1.1.1 |
| Oct 26, 2024 16:02:16.369908094 CEST | 53 | 59483 | 1.1.1.1 | 192.168.2.6 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Oct 26, 2024 16:02:16.355534077 CEST | 192.168.2.6 | 1.1.1.1 | 0x84e8 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Oct 26, 2024 16:02:16.369908094 CEST | 1.1.1.1 | 192.168.2.6 | 0x84e8 | No error (0) | 188.114.97.3 | A (IP address) | IN (0x0001) | false | ||
| Oct 26, 2024 16:02:16.369908094 CEST | 1.1.1.1 | 192.168.2.6 | 0x84e8 | No error (0) | 188.114.96.3 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.6 | 49747 | 188.114.97.3 | 443 | 5232 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-10-26 14:02:17 UTC | 263 | OUT | |
| 2024-10-26 14:02:17 UTC | 8 | OUT | |
| 2024-10-26 14:02:17 UTC | 1005 | IN | |
| 2024-10-26 14:02:17 UTC | 7 | IN | |
| 2024-10-26 14:02:17 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.6 | 49758 | 188.114.97.3 | 443 | 5232 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-10-26 14:02:18 UTC | 264 | OUT | |
| 2024-10-26 14:02:18 UTC | 86 | OUT | |
| 2024-10-26 14:02:18 UTC | 1015 | IN | |
| 2024-10-26 14:02:18 UTC | 354 | IN | |
| 2024-10-26 14:02:18 UTC | 1369 | IN | |
| 2024-10-26 14:02:18 UTC | 1369 | IN | |
| 2024-10-26 14:02:18 UTC | 1369 | IN | |
| 2024-10-26 14:02:18 UTC | 1369 | IN | |
| 2024-10-26 14:02:18 UTC | 1369 | IN | |
| 2024-10-26 14:02:18 UTC | 1369 | IN | |
| 2024-10-26 14:02:18 UTC | 1369 | IN | |
| 2024-10-26 14:02:18 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.6 | 49768 | 188.114.97.3 | 443 | 5232 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-10-26 14:02:19 UTC | 282 | OUT | |
| 2024-10-26 14:02:19 UTC | 12866 | OUT | |
| 2024-10-26 14:02:20 UTC | 1004 | IN | |
| 2024-10-26 14:02:20 UTC | 23 | IN | |
| 2024-10-26 14:02:20 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.6 | 49778 | 188.114.97.3 | 443 | 5232 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-10-26 14:02:21 UTC | 282 | OUT | |
| 2024-10-26 14:02:21 UTC | 15112 | OUT | |
| 2024-10-26 14:02:23 UTC | 1009 | IN | |
| 2024-10-26 14:02:23 UTC | 23 | IN | |
| 2024-10-26 14:02:23 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.6 | 49796 | 188.114.97.3 | 443 | 5232 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-10-26 14:02:24 UTC | 282 | OUT | |
| 2024-10-26 14:02:24 UTC | 15331 | OUT | |
| 2024-10-26 14:02:24 UTC | 4639 | OUT | |
| 2024-10-26 14:02:25 UTC | 1019 | IN | |
| 2024-10-26 14:02:25 UTC | 23 | IN | |
| 2024-10-26 14:02:25 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.6 | 49807 | 188.114.97.3 | 443 | 5232 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-10-26 14:02:26 UTC | 281 | OUT | |
| 2024-10-26 14:02:26 UTC | 3809 | OUT | |
| 2024-10-26 14:02:26 UTC | 1013 | IN | |
| 2024-10-26 14:02:26 UTC | 23 | IN | |
| 2024-10-26 14:02:26 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.6 | 49816 | 188.114.97.3 | 443 | 5232 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-10-26 14:02:27 UTC | 281 | OUT | |
| 2024-10-26 14:02:27 UTC | 3825 | OUT | |
| 2024-10-26 14:02:27 UTC | 1005 | IN | |
| 2024-10-26 14:02:27 UTC | 23 | IN | |
| 2024-10-26 14:02:27 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.6 | 49822 | 188.114.97.3 | 443 | 5232 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-10-26 14:02:28 UTC | 281 | OUT | |
| 2024-10-26 14:02:28 UTC | 1254 | OUT | |
| 2024-10-26 14:02:28 UTC | 1007 | IN | |
| 2024-10-26 14:02:28 UTC | 23 | IN | |
| 2024-10-26 14:02:28 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 8 | 192.168.2.6 | 49830 | 188.114.97.3 | 443 | 5232 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-10-26 14:02:29 UTC | 281 | OUT | |
| 2024-10-26 14:02:29 UTC | 1132 | OUT | |
| 2024-10-26 14:02:30 UTC | 1008 | IN | |
| 2024-10-26 14:02:30 UTC | 23 | IN | |
| 2024-10-26 14:02:30 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 9 | 192.168.2.6 | 49839 | 188.114.97.3 | 443 | 5232 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-10-26 14:02:31 UTC | 265 | OUT | |
| 2024-10-26 14:02:31 UTC | 121 | OUT | |
| 2024-10-26 14:02:31 UTC | 1016 | IN | |
| 2024-10-26 14:02:31 UTC | 54 | IN | |
| 2024-10-26 14:02:31 UTC | 5 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 10:02:02 |
| Start date: | 26/10/2024 |
| Path: | C:\Users\user\Desktop\Setup.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x7d0000 |
| File size: | 10'651'136 bytes |
| MD5 hash: | C5F86099F8C1B5B8A8B5C9C884B764A4 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 10:02:09 |
| Start date: | 26/10/2024 |
| Path: | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x8b0000 |
| File size: | 231'736 bytes |
| MD5 hash: | A64BEAB5D4516BECA4C40B25DC0C1CD8 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | moderate |
| Has exited: | true |
Function 00809BA0 Relevance: 11.4, Strings: 9, Instructions: 183COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0081A210 Relevance: 6.3, Strings: 5, Instructions: 83COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 6.8% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 63% |
| Total number of Nodes: | 238 |
| Total number of Limit Nodes: | 23 |
Graph
Function 0043C0D9 Relevance: 25.4, APIs: 8, Strings: 6, Instructions: 940memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004108F0 Relevance: 14.1, Strings: 11, Instructions: 385COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426744 Relevance: 10.2, Strings: 8, Instructions: 165COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042FF9C Relevance: 9.9, Strings: 7, Instructions: 1154COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043C3FA Relevance: 8.2, APIs: 5, Instructions: 703COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040DF60 Relevance: 5.3, Strings: 4, Instructions: 340COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040F95D Relevance: 4.4, Strings: 3, Instructions: 643COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043C0A8 Relevance: 3.7, APIs: 2, Instructions: 697COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042AF30 Relevance: 2.8, Strings: 2, Instructions: 299COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043BB50 Relevance: 2.7, Strings: 2, Instructions: 245COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043BE60 Relevance: 1.6, APIs: 1, Instructions: 62comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00441A80 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00428900 Relevance: 1.4, Strings: 1, Instructions: 128COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00445770 Relevance: 1.4, Strings: 1, Instructions: 103COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041CA15 Relevance: .4, Instructions: 442COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042FA20 Relevance: .4, Instructions: 438COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004101A0 Relevance: .3, Instructions: 325COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00446140 Relevance: .3, Instructions: 289COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00445890 Relevance: .3, Instructions: 280COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406740 Relevance: .2, Instructions: 230COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004420E8 Relevance: .2, Instructions: 160COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00441FBE Relevance: .1, Instructions: 79COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D5F0 Relevance: 6.1, APIs: 4, Instructions: 68threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043E615 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043BF63 Relevance: 3.1, APIs: 2, Instructions: 86memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00410F69 Relevance: 3.0, APIs: 2, Instructions: 36COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043C581 Relevance: 3.0, APIs: 2, Instructions: 19COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043E656 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00441B90 Relevance: 1.5, APIs: 1, Instructions: 44COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004366C1 Relevance: 1.5, APIs: 1, Instructions: 21COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00441BE8 Relevance: 1.5, APIs: 1, Instructions: 18COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00433FF0 Relevance: 1.5, APIs: 1, Instructions: 15COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00410F40 Relevance: 1.5, APIs: 1, Instructions: 12COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00428B15 Relevance: 40.7, Strings: 32, Instructions: 675COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401000 Relevance: 19.5, Strings: 14, Instructions: 1989COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041FED0 Relevance: 17.9, Strings: 13, Instructions: 1668COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004012D5 Relevance: 16.0, Strings: 12, Instructions: 987COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00436BC0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 123clipboardCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00425030 Relevance: 13.0, Strings: 10, Instructions: 459COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00423AB0 Relevance: 11.9, Strings: 9, Instructions: 696COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041D0D0 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 366threadCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004214C0 Relevance: 8.3, Strings: 6, Instructions: 767COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00411BA8 Relevance: 7.7, Strings: 6, Instructions: 243COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041DF4C Relevance: 6.9, Strings: 5, Instructions: 648COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042E010 Relevance: 6.9, Strings: 5, Instructions: 631COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401328 Relevance: 6.6, Strings: 5, Instructions: 389COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00443620 Relevance: 5.8, Strings: 4, Instructions: 797COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043F500 Relevance: 5.7, Strings: 4, Instructions: 693COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043A482 Relevance: 5.3, Strings: 4, Instructions: 280COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00429B40 Relevance: 5.2, Strings: 4, Instructions: 250COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004225F0 Relevance: 4.5, Strings: 3, Instructions: 750COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00429731 Relevance: 4.3, Strings: 3, Instructions: 540COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004232C0 Relevance: 4.3, Strings: 3, Instructions: 512COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042A5CF Relevance: 4.2, Strings: 3, Instructions: 481COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00427A8A Relevance: 4.2, Strings: 3, Instructions: 472COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00408970 Relevance: 4.2, Strings: 3, Instructions: 420COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00427767 Relevance: 4.0, Strings: 3, Instructions: 286COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004441D0 Relevance: 4.0, Strings: 3, Instructions: 234COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00429680 Relevance: 3.9, Strings: 3, Instructions: 178COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00444380 Relevance: 3.9, Strings: 3, Instructions: 127COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042F1E0 Relevance: 3.0, Strings: 2, Instructions: 539COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00427040 Relevance: 3.0, Strings: 2, Instructions: 481COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004038E0 Relevance: 2.9, Strings: 2, Instructions: 404COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042CF80 Relevance: 2.9, Strings: 2, Instructions: 387COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00421E00 Relevance: 2.9, Strings: 2, Instructions: 369COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041FAD5 Relevance: 2.6, Strings: 2, Instructions: 94COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405460 Relevance: 1.8, Strings: 1, Instructions: 541COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426DE0 Relevance: 1.7, APIs: 1, Instructions: 241comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042D8E0 Relevance: 1.7, Strings: 1, Instructions: 479COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042B427 Relevance: 1.7, Strings: 1, Instructions: 449COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00429C41 Relevance: 1.7, Strings: 1, Instructions: 434COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00442589 Relevance: 1.6, Strings: 1, Instructions: 368COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040AC70 Relevance: 1.5, Strings: 1, Instructions: 269COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043EB50 Relevance: 1.5, Strings: 1, Instructions: 256COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00440010 Relevance: 1.5, Strings: 1, Instructions: 240COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042EC10 Relevance: 1.5, Strings: 1, Instructions: 237COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00436780 Relevance: 1.5, Strings: 1, Instructions: 231COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004436B0 Relevance: 1.5, Strings: 1, Instructions: 204COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00417FCB Relevance: 1.4, Strings: 1, Instructions: 131COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042BA62 Relevance: 1.3, Strings: 1, Instructions: 52COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040C2F0 Relevance: .8, Instructions: 807COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407510 Relevance: .7, Instructions: 681COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B7E0 Relevance: .7, Instructions: 670COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043C5C0 Relevance: .6, Instructions: 636COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407F50 Relevance: .6, Instructions: 630COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043CAF0 Relevance: .6, Instructions: 569COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044AED2 Relevance: .5, Instructions: 496COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040A700 Relevance: .5, Instructions: 451COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00444590 Relevance: .4, Instructions: 441COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004093E0 Relevance: .4, Instructions: 369COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00442C90 Relevance: .4, Instructions: 351COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042D485 Relevance: .3, Instructions: 342COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B310 Relevance: .3, Instructions: 329COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00434A4D Relevance: .3, Instructions: 320COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00445B60 Relevance: .3, Instructions: 287COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043B500 Relevance: .3, Instructions: 276COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00445E50 Relevance: .3, Instructions: 272COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004430B0 Relevance: .3, Instructions: 255COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00414A5E Relevance: .2, Instructions: 229COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004333C7 Relevance: .2, Instructions: 214COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00442A70 Relevance: .2, Instructions: 210COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00422F90 Relevance: .2, Instructions: 200COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043B2A0 Relevance: .2, Instructions: 189COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042D2A0 Relevance: .2, Instructions: 175COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043EE40 Relevance: .2, Instructions: 170COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405CB0 Relevance: .2, Instructions: 163COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040A008 Relevance: .2, Instructions: 158COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043C870 Relevance: .1, Instructions: 120COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042F850 Relevance: .1, Instructions: 117COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043BA40 Relevance: .1, Instructions: 117COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404CA0 Relevance: .1, Instructions: 95COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407150 Relevance: .1, Instructions: 76COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040A49A Relevance: .1, Instructions: 65COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004393A0 Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042EB70 Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00442074 Relevance: .0, Instructions: 37COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041D8C0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 102threadwindowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|