Edit tour
Windows
Analysis Report
Call 0f Duty A1 Launcher.exe
Overview
General Information
| Sample name: | Call 0f Duty A1 Launcher.exe |
| Analysis ID: | 1561495 |
| MD5: | fad119b9db79ccbfe3a65a13f0822b22 |
| SHA1: | db0992d62adb36a46b493063dd5192bb27422bb9 |
| SHA256: | 27550a73b832d92b6a6a3869f0dedbb826c7c97348587342fe02c8c7cf98e0b9 |
| Tags: | exeuser-4k95m |
| Infos: |  |
 | |
Detection
LummaC Stealer
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
Call 0f Duty A1 Launcher.exe (PID: 5668 cmdline: "C:\Users\ user\Deskt op\Call 0f Duty A1 L auncher.ex e" MD5: FAD119B9DB79CCBFE3A65A13F0822B22) 
conhost.exe (PID: 1864 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - Call 0f Duty A1 Launcher.exe (PID: 4832 cmdline:
"C:\Users\ user\Deskt op\Call 0f Duty A1 L auncher.ex e" MD5: FAD119B9DB79CCBFE3A65A13F0822B22)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| Click to see the 5 entries | ||||
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T15:11:39.821460+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49704 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T15:11:42.030345+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49705 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T15:11:44.427022+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49706 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T15:11:46.552360+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49707 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T15:11:48.833057+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49708 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T15:11:51.369193+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49709 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T15:11:53.832174+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49710 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T15:11:57.920823+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49715 | 104.21.33.116 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T15:11:40.683329+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49704 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T15:11:42.741185+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T15:11:58.652710+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49715 | 104.21.33.116 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T15:11:40.683329+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49704 | 104.21.33.116 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T15:11:42.741185+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 104.21.33.116 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T15:11:52.117288+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 104.21.33.116 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Directory queried: | ||
| Source: | Code function: | 0_2_0037C72A | |
| Source: | Code function: | 0_2_0037C7DB | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 0_2_0036F4D0 | |
| Source: | Code function: | 0_2_003734D0 | |
| Source: | Code function: | 0_2_003715A0 | |
| Source: | Code function: | 0_2_0036F980 | |
| Source: | Code function: | 0_2_0036CE70 | |
| Source: | Code function: | 0_2_003686C0 | |
| Source: | Code function: | 0_2_0036D7F0 | |
| Source: | Code function: | 0_2_00381FD2 | |
| Source: | Code function: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00374BD8 | |
| Source: | Code function: | 3_3_03580CA7 | |
| Source: | Code function: | 3_3_0357E752 | |
| Source: | Code function: | 3_3_0357E752 | |
| Source: | Code function: | 3_3_0357DF21 | |
| Source: | Code function: | 3_3_0357DF21 | |
| Source: | Code function: | 3_3_03580CA7 | |
| Source: | Code function: | 3_3_03595DBA | |
| Source: | Code function: | 3_3_03595DBA | |
| Source: | Code function: | 3_3_03595DBA | |
| Source: | Code function: | 3_3_03595DBA | |
| Source: | Code function: | 3_3_03595DBA | |
| Source: | Code function: | 3_3_03595DBA | |
| Source: | Code function: | 3_3_03595DBA | |
| Source: | Code function: | 3_3_03595DBA | |
| Source: | Code function: | 3_3_03595DBA | |
| Source: | Code function: | 3_3_0358CC09 | |
| Source: | Code function: | 3_3_03597756 | |
| Source: | Code function: | 3_3_03597756 | |
| Source: | Code function: | 3_3_03597756 | |
| Source: | Code function: | 3_3_03597756 | |
| Source: | Code function: | 3_3_03597756 | |
| Source: | Code function: | 3_3_03597756 | |
| Source: | Code function: | 3_3_03597756 | |
| Source: | Code function: | 3_3_03595DBA | |
| Source: | Code function: | 3_3_03595DBA | |
| Source: | Code function: | 3_3_03595DBA | |
| Source: | Code function: | 3_3_03595DBA | |
| Source: | Code function: | 3_3_03595DBA | |
| Source: | Code function: | 3_3_03595DBA | |
| Source: | Code function: | 3_3_03595DBA | |
| Source: | Code function: | 0_2_00374CA2 | |
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | System information queried: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | Code function: | 0_2_0037C72A | |
| Source: | Code function: | 0_2_0037C7DB | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_00375444 | |
| Source: | Code function: | 0_2_0036CD10 | |
| Source: | Code function: | 0_2_0038B18D | |
| Source: | Code function: | 0_2_0036BD50 | |
| Source: | Code function: | 0_2_00379F90 | |
| Source: | Code function: | 0_2_00375438 | |
| Source: | Code function: | 0_2_00375444 | |
| Source: | Code function: | 0_2_00377DCA | |
| Source: | Code function: | 0_2_00374AD9 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Code function: | 0_2_0038B18D | |
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00375200 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_003758C5 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 211 Process Injection | 11 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 211 Process Injection | LSASS Memory | 1 Query Registry | Remote Desktop Protocol | 41 Data from Local System | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 141 Security Software Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 11 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 14 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 21 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 33 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 45% | ReversingLabs | Win32.Trojan.Generic | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| property-imper.sbs | 104.21.33.116 | true | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 104.21.33.116 | property-imper.sbs | United States | 13335 | CLOUDFLARENETUS | false | |
| 147.45.47.81 | unknown | Russian Federation | 2895 | FREE-NET-ASFREEnetEU | false |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1561495 |
| Start date and time: | 2024-11-23 15:10:46 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 6m 45s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Run name: | Run with higher sleep bypass |
| Number of analysed new started processes analysed: | 6 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | Call 0f Duty A1 Launcher.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@4/0@1/2 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target Call 0f Duty A1 Launcher.exe, PID 4832 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryDirectoryFile calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- VT rate limit hit for: Call 0f Duty A1 Launcher.exe
⊘No simulations
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 104.21.33.116 | Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| 147.45.47.81 | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | LummaC, Xmrig | Browse |
| ||
| Get hash | malicious | LummaC, Xmrig | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | RedLine, Xmrig | Browse |
| ||
| Get hash | malicious | PureLog Stealer, RedLine, Xmrig | Browse |
| ||
| Get hash | malicious | RedLine, Xmrig | Browse |
| ||
| Get hash | malicious | RedLine, Xmrig | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| property-imper.sbs | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | CredGrabber, Meduza Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| FREE-NET-ASFREEnetEU | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
|
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 7.728754242194129 |
| TrID: |
|
| File name: | Call 0f Duty A1 Launcher.exe |
| File size: | 495'616 bytes |
| MD5: | fad119b9db79ccbfe3a65a13f0822b22 |
| SHA1: | db0992d62adb36a46b493063dd5192bb27422bb9 |
| SHA256: | 27550a73b832d92b6a6a3869f0dedbb826c7c97348587342fe02c8c7cf98e0b9 |
| SHA512: | 41c629c773500fc55b3da2b726045ce88d1f5ae7f35800666c4465bb1d7b8fd3e8aa71e7a99f8c607f64d77916a704e9da7bf0ed2d06844864ad138fe5a2df2f |
| SSDEEP: | 12288:SJB+nneDgkXFEIs2Gvih6W8Rd70dDufr3/:2AoR24BhL4r3/ |
| TLSH: | 60B4F06E3393A0A3E5A3183141D89EB5456E7E300F34A4FB57605BB92F3A6D2C532E17 |
| File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...t.@g............................pX............@.......................................@.................................T...<.. |
 | |
| Icon Hash: | 00928e8e8686b000 |
| Entrypoint: | 0x415870 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows cui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x6740AA74 [Fri Nov 22 15:59:48 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 887797384d81c493a9d8ee55dad3b2e1 |
| Instruction |
|---|
| call 00007F7D8450579Ah |
| jmp 00007F7D845055FDh |
| mov ecx, dword ptr [0042B5F0h] |
| push esi |
| push edi |
| mov edi, BB40E64Eh |
| mov esi, FFFF0000h |
| cmp ecx, edi |
| je 00007F7D84505796h |
| test esi, ecx |
| jne 00007F7D845057B8h |
| call 00007F7D845057C1h |
| mov ecx, eax |
| cmp ecx, edi |
| jne 00007F7D84505799h |
| mov ecx, BB40E64Fh |
| jmp 00007F7D845057A0h |
| test esi, ecx |
| jne 00007F7D8450579Ch |
| or eax, 00004711h |
| shl eax, 10h |
| or ecx, eax |
| mov dword ptr [0042B5F0h], ecx |
| not ecx |
| pop edi |
| mov dword ptr [0042B5ECh], ecx |
| pop esi |
| ret |
| push ebp |
| mov ebp, esp |
| sub esp, 14h |
| and dword ptr [ebp-0Ch], 00000000h |
| lea eax, dword ptr [ebp-0Ch] |
| and dword ptr [ebp-08h], 00000000h |
| push eax |
| call dword ptr [0042946Ch] |
| mov eax, dword ptr [ebp-08h] |
| xor eax, dword ptr [ebp-0Ch] |
| mov dword ptr [ebp-04h], eax |
| call dword ptr [00429430h] |
| xor dword ptr [ebp-04h], eax |
| call dword ptr [0042942Ch] |
| xor dword ptr [ebp-04h], eax |
| lea eax, dword ptr [ebp-14h] |
| push eax |
| call dword ptr [004294A8h] |
| mov eax, dword ptr [ebp-10h] |
| lea ecx, dword ptr [ebp-04h] |
| xor eax, dword ptr [ebp-14h] |
| xor eax, dword ptr [ebp-04h] |
| xor eax, ecx |
| leave |
| ret |
| mov eax, 00004000h |
| ret |
| push 0042C970h |
| call dword ptr [00429488h] |
| ret |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| mov al, 01h |
| ret |
| push 00030000h |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x29254 | 0x3c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2f000 | 0x1400 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x237c0 | 0xc0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x293c8 | 0x138 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x2169a | 0x21800 | 02aff72e65eaf052f891170e28598361 | False | 0.550606343283582 | data | 6.737058354414408 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x23000 | 0x7264 | 0x7400 | 91e5fdecc510d2c4e72b1b50db3c2501 | False | 0.40641837284482757 | data | 4.769873714467996 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x2b000 | 0x2068 | 0x1000 | f9b2b4b1f63578440eedd0ace5ac94f1 | False | 0.484375 | OpenPGP Secret Key | 5.090094544660231 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .00cfg | 0x2e000 | 0x8 | 0x200 | 160c8b290b62e5e566d05ce3bec76423 | False | 0.03125 | data | 0.06116285224115448 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x2f000 | 0x1400 | 0x1400 | 29fb367912ce622b91120c5cffd84495 | False | 0.81953125 | data | 6.557860970753822 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| .coS | 0x31000 | 0x4d800 | 0x4d800 | dadefaca19565602088c9505a810b233 | False | 1.0003339213709677 | data | 7.999391001565712 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| DLL | Import |
|---|---|
| KERNEL32.dll | CloseHandle, CompareStringW, CreateFileA, CreateFileW, CreateThread, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, ExitProcess, ExitThread, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeThread, GetFileSize, GetFileType, GetLastError, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadFile, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WaitForSingleObjectEx, WideCharToMultiByte, WriteConsoleW, WriteFile |
| GDI32.dll | CreateEllipticRgn |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T15:11:39.821460+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49704 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T15:11:40.683329+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49704 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T15:11:40.683329+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49704 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T15:11:42.030345+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49705 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T15:11:42.741185+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.5 | 49705 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T15:11:42.741185+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49705 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T15:11:44.427022+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49706 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T15:11:46.552360+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49707 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T15:11:48.833057+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49708 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T15:11:51.369193+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49709 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T15:11:52.117288+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.5 | 49709 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T15:11:53.832174+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49710 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T15:11:57.920823+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49715 | 104.21.33.116 | 443 | TCP |
| 2024-11-23T15:11:58.652710+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49715 | 104.21.33.116 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 23, 2024 15:11:38.548849106 CET | 49704 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:38.548912048 CET | 443 | 49704 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:38.549089909 CET | 49704 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:38.550278902 CET | 49704 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:38.550297022 CET | 443 | 49704 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:39.821394920 CET | 443 | 49704 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:39.821460009 CET | 49704 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:39.928963900 CET | 49704 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:39.928983927 CET | 443 | 49704 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:39.929351091 CET | 443 | 49704 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:39.969199896 CET | 49704 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:39.991450071 CET | 49704 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:39.991480112 CET | 49704 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:39.991561890 CET | 443 | 49704 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:40.683299065 CET | 443 | 49704 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:40.683388948 CET | 443 | 49704 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:40.683459044 CET | 49704 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:40.685986996 CET | 49704 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:40.686002970 CET | 443 | 49704 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:40.686023951 CET | 49704 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:40.686028957 CET | 443 | 49704 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:40.730207920 CET | 49705 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:40.730321884 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:40.730443001 CET | 49705 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:40.730707884 CET | 49705 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:40.730751038 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:42.030205011 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:42.030344963 CET | 49705 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:42.031969070 CET | 49705 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:42.031996965 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:42.032238960 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:42.033838987 CET | 49705 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:42.033910990 CET | 49705 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:42.033934116 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:42.741132021 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:42.741159916 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:42.741178989 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:42.741203070 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:42.741249084 CET | 49705 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:42.741281033 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:42.741313934 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:42.741324902 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:42.741332054 CET | 49705 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:42.741374969 CET | 49705 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:42.741393089 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:42.741476059 CET | 49705 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:42.749274969 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:42.757728100 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:42.757788897 CET | 49705 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:42.757801056 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:42.762135029 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:42.762204885 CET | 49705 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:42.762213945 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:42.802241087 CET | 49705 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:42.860816956 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:42.903635025 CET | 49705 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:42.942218065 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:42.942384958 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:42.942449093 CET | 49705 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:42.942694902 CET | 49705 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:42.942751884 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:42.942802906 CET | 49705 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:42.942817926 CET | 443 | 49705 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:43.103369951 CET | 49706 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:43.103413105 CET | 443 | 49706 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:43.103478909 CET | 49706 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:43.103874922 CET | 49706 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:43.103888035 CET | 443 | 49706 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:44.426898003 CET | 443 | 49706 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:44.427021980 CET | 49706 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:44.428746939 CET | 49706 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:44.428755045 CET | 443 | 49706 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:44.428976059 CET | 443 | 49706 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:44.430759907 CET | 49706 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:44.430964947 CET | 49706 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:44.430993080 CET | 443 | 49706 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:45.222585917 CET | 443 | 49706 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:45.222673893 CET | 443 | 49706 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:45.222743034 CET | 49706 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:45.222882032 CET | 49706 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:45.222897053 CET | 443 | 49706 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:45.338722944 CET | 49707 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:45.338838100 CET | 443 | 49707 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:45.338948965 CET | 49707 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:45.339335918 CET | 49707 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:45.339365959 CET | 443 | 49707 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:46.552222013 CET | 443 | 49707 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:46.552360058 CET | 49707 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:46.553597927 CET | 49707 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:46.553613901 CET | 443 | 49707 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:46.554265022 CET | 443 | 49707 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:46.555248976 CET | 49707 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:46.555380106 CET | 49707 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:46.555447102 CET | 443 | 49707 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:46.555541992 CET | 49707 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:46.603354931 CET | 443 | 49707 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:47.330530882 CET | 443 | 49707 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:47.330602884 CET | 443 | 49707 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:47.330674887 CET | 49707 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:47.330826998 CET | 49707 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:47.330869913 CET | 443 | 49707 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:47.620814085 CET | 49708 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:47.620922089 CET | 443 | 49708 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:47.621002913 CET | 49708 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:47.621309042 CET | 49708 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:47.621345997 CET | 443 | 49708 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:48.832914114 CET | 443 | 49708 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:48.833056927 CET | 49708 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:48.834337950 CET | 49708 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:48.834350109 CET | 443 | 49708 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:48.834585905 CET | 443 | 49708 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:48.836194038 CET | 49708 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:48.836358070 CET | 49708 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:48.836401939 CET | 443 | 49708 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:48.836488962 CET | 49708 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:48.836505890 CET | 443 | 49708 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:49.678051949 CET | 443 | 49708 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:49.678128004 CET | 443 | 49708 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:49.678193092 CET | 49708 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:49.678359985 CET | 49708 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:49.678385019 CET | 443 | 49708 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:50.063308001 CET | 49709 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:50.063334942 CET | 443 | 49709 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:50.063406944 CET | 49709 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:50.063780069 CET | 49709 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:50.063797951 CET | 443 | 49709 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:51.368983984 CET | 443 | 49709 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:51.369193077 CET | 49709 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:51.375580072 CET | 49709 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:51.375591993 CET | 443 | 49709 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:51.375814915 CET | 443 | 49709 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:51.377069950 CET | 49709 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:51.377167940 CET | 49709 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:51.377172947 CET | 443 | 49709 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:52.117300987 CET | 443 | 49709 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:52.117410898 CET | 443 | 49709 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:52.117465973 CET | 49709 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:52.117609978 CET | 49709 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:52.117619991 CET | 443 | 49709 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:52.569839001 CET | 49710 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:52.569900036 CET | 443 | 49710 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:52.570148945 CET | 49710 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:52.570349932 CET | 49710 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:52.570384026 CET | 443 | 49710 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:53.832084894 CET | 443 | 49710 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:53.832174063 CET | 49710 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:53.833373070 CET | 49710 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:53.833404064 CET | 443 | 49710 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:53.833656073 CET | 443 | 49710 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:53.839200974 CET | 49710 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:53.840049028 CET | 49710 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:53.840097904 CET | 443 | 49710 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:53.840219021 CET | 49710 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:53.840266943 CET | 443 | 49710 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:53.840392113 CET | 49710 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:53.840442896 CET | 443 | 49710 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:53.840599060 CET | 49710 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:53.840660095 CET | 443 | 49710 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:53.840846062 CET | 49710 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:53.840903997 CET | 443 | 49710 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:53.841157913 CET | 49710 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:53.841206074 CET | 443 | 49710 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:53.841237068 CET | 49710 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:53.841264963 CET | 443 | 49710 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:53.841407061 CET | 49710 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:53.841445923 CET | 443 | 49710 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:53.841486931 CET | 49710 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:53.841577053 CET | 49710 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:53.841619968 CET | 49710 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:53.883348942 CET | 443 | 49710 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:53.883639097 CET | 49710 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:53.883698940 CET | 443 | 49710 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:53.883747101 CET | 49710 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:53.883791924 CET | 443 | 49710 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:53.883862019 CET | 49710 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:53.883909941 CET | 443 | 49710 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:56.671521902 CET | 443 | 49710 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:56.671633005 CET | 443 | 49710 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:56.671691895 CET | 49710 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:56.671955109 CET | 49710 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:56.671991110 CET | 443 | 49710 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:56.700735092 CET | 49715 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:56.700781107 CET | 443 | 49715 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:56.700853109 CET | 49715 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:56.701194048 CET | 49715 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:56.701205969 CET | 443 | 49715 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:57.920722961 CET | 443 | 49715 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:57.920823097 CET | 49715 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:57.922099113 CET | 49715 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:57.922102928 CET | 443 | 49715 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:57.922364950 CET | 443 | 49715 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:57.925497055 CET | 49715 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:57.925497055 CET | 49715 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:57.925575018 CET | 443 | 49715 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:58.652728081 CET | 443 | 49715 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:58.652827024 CET | 443 | 49715 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:58.652995110 CET | 49715 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:58.653081894 CET | 49715 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:58.653099060 CET | 443 | 49715 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:58.653112888 CET | 49715 | 443 | 192.168.2.5 | 104.21.33.116 |
| Nov 23, 2024 15:11:58.653117895 CET | 443 | 49715 | 104.21.33.116 | 192.168.2.5 |
| Nov 23, 2024 15:11:58.654633045 CET | 49723 | 80 | 192.168.2.5 | 147.45.47.81 |
| Nov 23, 2024 15:11:58.774991989 CET | 80 | 49723 | 147.45.47.81 | 192.168.2.5 |
| Nov 23, 2024 15:11:58.775089979 CET | 49723 | 80 | 192.168.2.5 | 147.45.47.81 |
| Nov 23, 2024 15:11:58.775237083 CET | 49723 | 80 | 192.168.2.5 | 147.45.47.81 |
| Nov 23, 2024 15:11:58.895246029 CET | 80 | 49723 | 147.45.47.81 | 192.168.2.5 |
| Nov 23, 2024 15:12:20.676095963 CET | 80 | 49723 | 147.45.47.81 | 192.168.2.5 |
| Nov 23, 2024 15:12:20.676161051 CET | 49723 | 80 | 192.168.2.5 | 147.45.47.81 |
| Nov 23, 2024 15:12:20.699867964 CET | 49723 | 80 | 192.168.2.5 | 147.45.47.81 |
| Nov 23, 2024 15:12:20.819431067 CET | 80 | 49723 | 147.45.47.81 | 192.168.2.5 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 23, 2024 15:11:38.400815964 CET | 54256 | 53 | 192.168.2.5 | 1.1.1.1 |
| Nov 23, 2024 15:11:38.542999983 CET | 53 | 54256 | 1.1.1.1 | 192.168.2.5 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Nov 23, 2024 15:11:38.400815964 CET | 192.168.2.5 | 1.1.1.1 | 0x6e5d | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Nov 23, 2024 15:11:38.542999983 CET | 1.1.1.1 | 192.168.2.5 | 0x6e5d | No error (0) | 104.21.33.116 | A (IP address) | IN (0x0001) | false | ||
| Nov 23, 2024 15:11:38.542999983 CET | 1.1.1.1 | 192.168.2.5 | 0x6e5d | No error (0) | 172.67.162.84 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49723 | 147.45.47.81 | 80 | 4832 | C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Nov 23, 2024 15:11:58.775237083 CET | 198 | OUT |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49704 | 104.21.33.116 | 443 | 4832 | C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 14:11:39 UTC | 265 | OUT | |
| 2024-11-23 14:11:39 UTC | 8 | OUT | |
| 2024-11-23 14:11:40 UTC | 1017 | IN | |
| 2024-11-23 14:11:40 UTC | 7 | IN | |
| 2024-11-23 14:11:40 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.5 | 49705 | 104.21.33.116 | 443 | 4832 | C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 14:11:42 UTC | 266 | OUT | |
| 2024-11-23 14:11:42 UTC | 51 | OUT | |
| 2024-11-23 14:11:42 UTC | 1012 | IN | |
| 2024-11-23 14:11:42 UTC | 357 | IN | |
| 2024-11-23 14:11:42 UTC | 1369 | IN | |
| 2024-11-23 14:11:42 UTC | 1369 | IN | |
| 2024-11-23 14:11:42 UTC | 1369 | IN | |
| 2024-11-23 14:11:42 UTC | 1369 | IN | |
| 2024-11-23 14:11:42 UTC | 1369 | IN | |
| 2024-11-23 14:11:42 UTC | 377 | IN | |
| 2024-11-23 14:11:42 UTC | 1369 | IN | |
| 2024-11-23 14:11:42 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.5 | 49706 | 104.21.33.116 | 443 | 4832 | C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 14:11:44 UTC | 274 | OUT | |
| 2024-11-23 14:11:44 UTC | 12779 | OUT | |
| 2024-11-23 14:11:45 UTC | 1020 | IN | |
| 2024-11-23 14:11:45 UTC | 19 | IN | |
| 2024-11-23 14:11:45 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.5 | 49707 | 104.21.33.116 | 443 | 4832 | C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 14:11:46 UTC | 280 | OUT | |
| 2024-11-23 14:11:46 UTC | 15057 | OUT | |
| 2024-11-23 14:11:47 UTC | 1025 | IN | |
| 2024-11-23 14:11:47 UTC | 19 | IN | |
| 2024-11-23 14:11:47 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.5 | 49708 | 104.21.33.116 | 443 | 4832 | C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 14:11:48 UTC | 280 | OUT | |
| 2024-11-23 14:11:48 UTC | 15331 | OUT | |
| 2024-11-23 14:11:48 UTC | 5216 | OUT | |
| 2024-11-23 14:11:49 UTC | 1023 | IN | |
| 2024-11-23 14:11:49 UTC | 19 | IN | |
| 2024-11-23 14:11:49 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.5 | 49709 | 104.21.33.116 | 443 | 4832 | C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 14:11:51 UTC | 278 | OUT | |
| 2024-11-23 14:11:51 UTC | 1226 | OUT | |
| 2024-11-23 14:11:52 UTC | 1014 | IN | |
| 2024-11-23 14:11:52 UTC | 19 | IN | |
| 2024-11-23 14:11:52 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.5 | 49710 | 104.21.33.116 | 443 | 4832 | C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 14:11:53 UTC | 281 | OUT | |
| 2024-11-23 14:11:53 UTC | 15331 | OUT | |
| 2024-11-23 14:11:53 UTC | 15331 | OUT | |
| 2024-11-23 14:11:53 UTC | 15331 | OUT | |
| 2024-11-23 14:11:53 UTC | 15331 | OUT | |
| 2024-11-23 14:11:53 UTC | 15331 | OUT | |
| 2024-11-23 14:11:53 UTC | 15331 | OUT | |
| 2024-11-23 14:11:53 UTC | 15331 | OUT | |
| 2024-11-23 14:11:53 UTC | 15331 | OUT | |
| 2024-11-23 14:11:53 UTC | 15331 | OUT | |
| 2024-11-23 14:11:53 UTC | 15331 | OUT | |
| 2024-11-23 14:11:56 UTC | 1025 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.5 | 49715 | 104.21.33.116 | 443 | 4832 | C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 14:11:57 UTC | 266 | OUT | |
| 2024-11-23 14:11:57 UTC | 86 | OUT | |
| 2024-11-23 14:11:58 UTC | 1017 | IN | |
| 2024-11-23 14:11:58 UTC | 126 | IN | |
| 2024-11-23 14:11:58 UTC | 5 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 09:11:36 |
| Start date: | 23/11/2024 |
| Path: | C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x360000 |
| File size: | 495'616 bytes |
| MD5 hash: | FAD119B9DB79CCBFE3A65A13F0822B22 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 09:11:36 |
| Start date: | 23/11/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6d64d0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 09:11:36 |
| Start date: | 23/11/2024 |
| Path: | C:\Users\user\Desktop\Call 0f Duty A1 Launcher.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x360000 |
| File size: | 495'616 bytes |
| MD5 hash: | FAD119B9DB79CCBFE3A65A13F0822B22 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 4% |
| Dynamic/Decrypted Code Coverage: | 0.4% |
| Signature Coverage: | 7.6% |
| Total number of Nodes: | 1866 |
| Total number of Limit Nodes: | 22 |
Graph
Function 0038B18D Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295threadinjectionmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0036CD10 Relevance: .0, Instructions: 29COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00379DD3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0036BEB0 Relevance: 9.2, APIs: 6, Instructions: 173fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00376CE6 Relevance: 4.6, APIs: 3, Instructions: 51threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0037A732 Relevance: 3.1, APIs: 2, Instructions: 65COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00376E00 Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0037B0CB Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00373B60 Relevance: 1.6, APIs: 1, Instructions: 86COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0036CD90 Relevance: 1.5, APIs: 1, Instructions: 41COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0037BC45 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00374CA2 Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 180libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0036CE70 Relevance: 8.0, APIs: 5, Instructions: 518threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0037C7DB Relevance: 6.2, APIs: 4, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00375444 Relevance: 6.1, APIs: 4, Instructions: 73COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003715A0 Relevance: 4.4, APIs: 2, Instructions: 1444COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0037C72A Relevance: 1.7, APIs: 1, Instructions: 199fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00375200 Relevance: 1.6, APIs: 1, Instructions: 147COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00375438 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00379F90 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003686C0 Relevance: .7, Instructions: 725COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003734D0 Relevance: .6, Instructions: 607COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0036F980 Relevance: .5, Instructions: 456COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0036BD50 Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003790D3 Relevance: 17.8, APIs: 5, Strings: 5, Instructions: 303COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00376F54 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0037DF1D Relevance: 7.7, APIs: 5, Instructions: 197COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003794F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 114COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0037DC5E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0037C5B8 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0037D22D Relevance: 6.1, APIs: 4, Instructions: 74COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00378D6C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003745A6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|