Edit tour
Windows
Analysis Report
Launcher.exe
Overview
General Information
| Sample name: | Launcher.exe |
| Analysis ID: | 1561497 |
| MD5: | 3ca9ca734f501c8de4270556f80f0f60 |
| SHA1: | 47652fb87960680ffe11dbc27a7969a2dacac97e |
| SHA256: | cfe6d27ef692f436653789758b0713bf8c6e1ed6267bd22775ed482777db96e5 |
| Tags: | exeuser-4k95m |
| Infos: |  |
 | |
Detection
LummaC Stealer
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
Launcher.exe (PID: 2360 cmdline: "C:\Users\ user\Deskt op\Launche r.exe" MD5: 3CA9CA734F501C8DE4270556F80F0F60) 
conhost.exe (PID: 3220 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - Launcher.exe (PID: 5688 cmdline:
"C:\Users\ user\Deskt op\Launche r.exe" MD5: 3CA9CA734F501C8DE4270556F80F0F60)
- cleanup
{"C2 url": ["farewellnzu.icu"]}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | ||
| Click to see the 1 entries | ||||
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T15:12:56.139869+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49699 | 172.67.198.61 | 443 | TCP |
| 2024-11-23T15:12:58.155926+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49700 | 172.67.198.61 | 443 | TCP |
| 2024-11-23T15:13:00.455993+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49701 | 172.67.198.61 | 443 | TCP |
| 2024-11-23T15:13:02.633812+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49702 | 172.67.198.61 | 443 | TCP |
| 2024-11-23T15:13:04.879612+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49703 | 172.67.198.61 | 443 | TCP |
| 2024-11-23T15:13:07.273471+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49705 | 172.67.198.61 | 443 | TCP |
| 2024-11-23T15:13:09.881039+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49711 | 172.67.198.61 | 443 | TCP |
| 2024-11-23T15:13:13.548014+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49724 | 172.67.198.61 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T15:12:56.824663+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49699 | 172.67.198.61 | 443 | TCP |
| 2024-11-23T15:12:58.873935+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49700 | 172.67.198.61 | 443 | TCP |
| 2024-11-23T15:13:14.265345+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49724 | 172.67.198.61 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T15:12:56.824663+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.6 | 49699 | 172.67.198.61 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T15:12:58.873935+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.6 | 49700 | 172.67.198.61 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T15:13:07.978282+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49705 | 172.67.198.61 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira URL Cloud: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Code function: | 3_2_00418BE3 | |
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_0025174A | |
| Source: | Code function: | 0_2_002517FB | |
| Source: | Code function: | 3_2_0025174A | |
| Source: | Code function: | 3_2_002517FB | |
| Source: | Code function: | 3_2_0043D880 | |
| Source: | Code function: | 3_2_00420970 | |
| Source: | Code function: | 3_2_0040A10E | |
| Source: | Code function: | 3_2_00418BE3 | |
| Source: | Code function: | 3_2_0040CE5A | |
| Source: | Code function: | 3_2_00440620 | |
| Source: | Code function: | 3_2_00440740 | |
| Source: | Code function: | 3_2_0040C7A5 | |
| Source: | Code function: | 3_2_00439040 | |
| Source: | Code function: | 3_2_0042C84A | |
| Source: | Code function: | 3_2_0042CD62 | |
| Source: | Code function: | 3_2_00429F62 | |
| Source: | Code function: | 3_2_00429813 | |
| Source: | Code function: | 3_2_0042C8DC | |
| Source: | Code function: | 3_2_0042D0F6 | |
| Source: | Code function: | 3_2_004298A8 | |
| Source: | Code function: | 3_2_004298A8 | |
| Source: | Code function: | 3_2_00426959 | |
| Source: | Code function: | 3_2_00426910 | |
| Source: | Code function: | 3_2_0042C918 | |
| Source: | Code function: | 3_2_0042C929 | |
| Source: | Code function: | 3_2_00404930 | |
| Source: | Code function: | 3_2_00404930 | |
| Source: | Code function: | 3_2_004231F0 | |
| Source: | Code function: | 3_2_0040B989 | |
| Source: | Code function: | 3_2_00402190 | |
| Source: | Code function: | 3_2_0042A1A2 | |
| Source: | Code function: | 3_2_0040DA43 | |
| Source: | Code function: | 3_2_0040EA4F | |
| Source: | Code function: | 3_2_0041D201 | |
| Source: | Code function: | 3_2_0042BA10 | |
| Source: | Code function: | 3_2_00439290 | |
| Source: | Code function: | 3_2_00428A9C | |
| Source: | Code function: | 3_2_00428A9C | |
| Source: | Code function: | 3_2_00425344 | |
| Source: | Code function: | 3_2_004298A8 | |
| Source: | Code function: | 3_2_004298A8 | |
| Source: | Code function: | 3_2_0042D318 | |
| Source: | Code function: | 3_2_004393D0 | |
| Source: | Code function: | 3_2_0042D380 | |
| Source: | Code function: | 3_2_0042E388 | |
| Source: | Code function: | 3_2_00423450 | |
| Source: | Code function: | 3_2_0042B450 | |
| Source: | Code function: | 3_2_0041AC64 | |
| Source: | Code function: | 3_2_00405C20 | |
| Source: | Code function: | 3_2_00405C20 | |
| Source: | Code function: | 3_2_00440CD0 | |
| Source: | Code function: | 3_2_004294BD | |
| Source: | Code function: | 3_2_0042CD67 | |
| Source: | Code function: | 3_2_00427580 | |
| Source: | Code function: | 3_2_00427580 | |
| Source: | Code function: | 3_2_00427580 | |
| Source: | Code function: | 3_2_0042ADAB | |
| Source: | Code function: | 3_2_0042ADAB | |
| Source: | Code function: | 3_2_00408E00 | |
| Source: | Code function: | 3_2_00435E10 | |
| Source: | Code function: | 3_2_0040B626 | |
| Source: | Code function: | 3_2_0041CED0 | |
| Source: | Code function: | 3_2_0041CED0 | |
| Source: | Code function: | 3_2_0040BEB1 | |
| Source: | Code function: | 3_2_00428F5D | |
| Source: | Code function: | 3_2_00429F62 | |
| Source: | Code function: | 3_2_00422776 | |
| Source: | Code function: | 3_2_00427774 | |
| Source: | Code function: | 3_2_00427774 | |
| Source: | Code function: | 3_2_0041DF00 | |
| Source: | Code function: | 3_2_00421F10 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | URLs: | ||
| Source: | JA3 fingerprint: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 3_2_00433550 | |
| Source: | Code function: | 3_2_00433550 | |
| Source: | Code function: | 0_2_0023A050 | |
| Source: | Code function: | 0_2_00238190 | |
| Source: | Code function: | 0_2_00246030 | |
| Source: | Code function: | 0_2_00231000 | |
| Source: | Code function: | 0_2_0023C530 | |
| Source: | Code function: | 0_2_00243D10 | |
| Source: | Code function: | 0_2_002489D0 | |
| Source: | Code function: | 0_2_0023FE20 | |
| Source: | Code function: | 0_2_00248270 | |
| Source: | Code function: | 0_2_0023DEF0 | |
| Source: | Code function: | 0_2_00245780 | |
| Source: | Code function: | 0_2_0023C785 | |
| Source: | Code function: | 0_2_00256FF2 | |
| Source: | Code function: | 3_2_00246030 | |
| Source: | Code function: | 3_2_00231000 | |
| Source: | Code function: | 3_2_0023A050 | |
| Source: | Code function: | 3_2_00238190 | |
| Source: | Code function: | 3_2_002489D0 | |
| Source: | Code function: | 3_2_00248270 | |
| Source: | Code function: | 3_2_00243D10 | |
| Source: | Code function: | 3_2_0023FE20 | |
| Source: | Code function: | 3_2_0023DEF0 | |
| Source: | Code function: | 3_2_00245780 | |
| Source: | Code function: | 3_2_00256FF2 | |
| Source: | Code function: | 3_2_004228A0 | |
| Source: | Code function: | 3_2_00427140 | |
| Source: | Code function: | 3_2_00420970 | |
| Source: | Code function: | 3_2_0043B100 | |
| Source: | Code function: | 3_2_004389D0 | |
| Source: | Code function: | 3_2_00408AE0 | |
| Source: | Code function: | 3_2_00418BE3 | |
| Source: | Code function: | 3_2_00409BA0 | |
| Source: | Code function: | 3_2_00424470 | |
| Source: | Code function: | 3_2_0042E434 | |
| Source: | Code function: | 3_2_0042DD55 | |
| Source: | Code function: | 3_2_00438660 | |
| Source: | Code function: | 3_2_00440740 | |
| Source: | Code function: | 3_2_00440FB0 | |
| Source: | Code function: | 3_2_00406840 | |
| Source: | Code function: | 3_2_0042C84A | |
| Source: | Code function: | 3_2_00438000 | |
| Source: | Code function: | 3_2_0042C8DC | |
| Source: | Code function: | 3_2_004298A8 | |
| Source: | Code function: | 3_2_00426959 | |
| Source: | Code function: | 3_2_00406170 | |
| Source: | Code function: | 3_2_00429100 | |
| Source: | Code function: | 3_2_00430112 | |
| Source: | Code function: | 3_2_00426910 | |
| Source: | Code function: | 3_2_0042C918 | |
| Source: | Code function: | 3_2_0042C929 | |
| Source: | Code function: | 3_2_00404930 | |
| Source: | Code function: | 3_2_004241E8 | |
| Source: | Code function: | 3_2_004409F0 | |
| Source: | Code function: | 3_2_0042A1A2 | |
| Source: | Code function: | 3_2_004281BC | |
| Source: | Code function: | 3_2_0040DA43 | |
| Source: | Code function: | 3_2_0043C250 | |
| Source: | Code function: | 3_2_0041FAF0 | |
| Source: | Code function: | 3_2_00425344 | |
| Source: | Code function: | 3_2_004298A8 | |
| Source: | Code function: | 3_2_00409300 | |
| Source: | Code function: | 3_2_0042D318 | |
| Source: | Code function: | 3_2_00402B20 | |
| Source: | Code function: | 3_2_0043BB30 | |
| Source: | Code function: | 3_2_004283CA | |
| Source: | Code function: | 3_2_00424BE2 | |
| Source: | Code function: | 3_2_0042D380 | |
| Source: | Code function: | 3_2_00420BB0 | |
| Source: | Code function: | 3_2_00423450 | |
| Source: | Code function: | 3_2_0043F450 | |
| Source: | Code function: | 3_2_0041AC64 | |
| Source: | Code function: | 3_2_0040546B | |
| Source: | Code function: | 3_2_00405C20 | |
| Source: | Code function: | 3_2_0041CC20 | |
| Source: | Code function: | 3_2_00406CD0 | |
| Source: | Code function: | 3_2_00440CD0 | |
| Source: | Code function: | 3_2_004304FB | |
| Source: | Code function: | 3_2_00418490 | |
| Source: | Code function: | 3_2_004294BD | |
| Source: | Code function: | 3_2_00403550 | |
| Source: | Code function: | 3_2_0043F550 | |
| Source: | Code function: | 3_2_0042CD67 | |
| Source: | Code function: | 3_2_0041F510 | |
| Source: | Code function: | 3_2_00427580 | |
| Source: | Code function: | 3_2_00408590 | |
| Source: | Code function: | 3_2_00437DA0 | |
| Source: | Code function: | 3_2_00424DB0 | |
| Source: | Code function: | 3_2_00409650 | |
| Source: | Code function: | 3_2_0042DD4E | |
| Source: | Code function: | 3_2_00431670 | |
| Source: | Code function: | 3_2_00426630 | |
| Source: | Code function: | 3_2_0041CED0 | |
| Source: | Code function: | 3_2_0041B68E | |
| Source: | Code function: | 3_2_0041EEA0 | |
| Source: | Code function: | 3_2_00403F60 | |
| Source: | Code function: | 3_2_0042E765 | |
| Source: | Code function: | 3_2_00427774 | |
| Source: | Code function: | 3_2_0041DF00 | |
| Source: | Code function: | 3_2_0043B700 | |
| Source: | Code function: | 3_2_004077E0 | |
| Source: | Code function: | 3_2_0040AFE0 | |
| Source: | Code function: | 3_2_00419FED | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 3_2_004389D0 | |
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00249BF8 | |
| Source: | Code function: | 3_2_00249BF8 | |
| Source: | Code function: | 3_2_00415894 | |
| Source: | Code function: | 3_2_00414334 | |
| Source: | Code function: | 3_2_00414594 | |
| Source: | Code function: | 3_2_00414D9B | |
| Source: | Code function: | 3_2_00417FF4 | |
| Source: | Code function: | 0_2_00249CC2 | |
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | System information queried: | Jump to behavior | ||
| Source: | API coverage: | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | Code function: | 0_2_0025174A | |
| Source: | Code function: | 0_2_002517FB | |
| Source: | Code function: | 3_2_0025174A | |
| Source: | Code function: | 3_2_002517FB | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 3_2_0043D920 | |
| Source: | Code function: | 0_2_0024A464 | |
| Source: | Code function: | 0_2_0026018D | |
| Source: | Code function: | 0_2_0023DD90 | |
| Source: | Code function: | 0_2_00239EF0 | |
| Source: | Code function: | 0_2_0023C785 | |
| Source: | Code function: | 3_2_0023DD83 | |
| Source: | Code function: | 3_2_0023DD90 | |
| Source: | Code function: | 3_2_00239EF0 | |
| Source: | Code function: | 0_2_0024EFB0 | |
| Source: | Code function: | 0_2_0024A464 | |
| Source: | Code function: | 0_2_0024A458 | |
| Source: | Code function: | 0_2_0024CDEA | |
| Source: | Code function: | 0_2_00249AF9 | |
| Source: | Code function: | 3_2_00249AF9 | |
| Source: | Code function: | 3_2_0024A464 | |
| Source: | Code function: | 3_2_0024A458 | |
| Source: | Code function: | 3_2_0024CDEA | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Code function: | 0_2_0026018D | |
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_0024A220 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_0024A8E5 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 211 Process Injection | 11 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 211 Process Injection | LSASS Memory | 131 Security Software Discovery | Remote Desktop Protocol | 41 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 2 Clipboard Data | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 11 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 33 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| farewellnzu.icu | 172.67.198.61 | true | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown | |
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 172.67.198.61 | farewellnzu.icu | United States | 13335 | CLOUDFLARENETUS | false |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1561497 |
| Start date and time: | 2024-11-23 15:12:05 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 4m 52s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 6 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | Launcher.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@4/0@1/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- VT rate limit hit for: Launcher.exe
| Time | Type | Description |
|---|---|---|
| 09:12:56 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 172.67.198.61 | Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | LummaC | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| farewellnzu.icu | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | CredGrabber, Meduza Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
|
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 7.690596603357686 |
| TrID: |
|
| File name: | Launcher.exe |
| File size: | 512'512 bytes |
| MD5: | 3ca9ca734f501c8de4270556f80f0f60 |
| SHA1: | 47652fb87960680ffe11dbc27a7969a2dacac97e |
| SHA256: | cfe6d27ef692f436653789758b0713bf8c6e1ed6267bd22775ed482777db96e5 |
| SHA512: | 6dc317d7157bb0f7407f17db3b0a55297e549fbaa2cdd83ddf6ac084452367aa602492b0d0f095396bf03ff9ab34df71da355ec4dfbc85db595ea86bb3af10d5 |
| SSDEEP: | 12288:EuYPABqG93bG2zYH13IypcLRDW+vHfQ1n21GwriB4tP/9h:1YPABNLGTV3xpclDWMHQ21IWt/ |
| TLSH: | 48B4E01AB993A1A3E6935C7981D8A772495EBF340F21A5FB53201B786F3B1D1C132B43 |
| File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....Ag.................h........................@..........................0............@.................................T...<.. |
 | |
| Icon Hash: | 00928e8e8686b000 |
| Entrypoint: | 0x41a890 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows cui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x6741DAB7 [Sat Nov 23 13:37:59 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 887797384d81c493a9d8ee55dad3b2e1 |
| Instruction |
|---|
| call 00007F425C80FE2Ah |
| jmp 00007F425C80FC8Dh |
| mov ecx, dword ptr [004305F0h] |
| push esi |
| push edi |
| mov edi, BB40E64Eh |
| mov esi, FFFF0000h |
| cmp ecx, edi |
| je 00007F425C80FE26h |
| test esi, ecx |
| jne 00007F425C80FE48h |
| call 00007F425C80FE51h |
| mov ecx, eax |
| cmp ecx, edi |
| jne 00007F425C80FE29h |
| mov ecx, BB40E64Fh |
| jmp 00007F425C80FE30h |
| test esi, ecx |
| jne 00007F425C80FE2Ch |
| or eax, 00004711h |
| shl eax, 10h |
| or ecx, eax |
| mov dword ptr [004305F0h], ecx |
| not ecx |
| pop edi |
| mov dword ptr [004305ECh], ecx |
| pop esi |
| ret |
| push ebp |
| mov ebp, esp |
| sub esp, 14h |
| and dword ptr [ebp-0Ch], 00000000h |
| lea eax, dword ptr [ebp-0Ch] |
| and dword ptr [ebp-08h], 00000000h |
| push eax |
| call dword ptr [0042E46Ch] |
| mov eax, dword ptr [ebp-08h] |
| xor eax, dword ptr [ebp-0Ch] |
| mov dword ptr [ebp-04h], eax |
| call dword ptr [0042E430h] |
| xor dword ptr [ebp-04h], eax |
| call dword ptr [0042E42Ch] |
| xor dword ptr [ebp-04h], eax |
| lea eax, dword ptr [ebp-14h] |
| push eax |
| call dword ptr [0042E4A8h] |
| mov eax, dword ptr [ebp-10h] |
| lea ecx, dword ptr [ebp-04h] |
| xor eax, dword ptr [ebp-14h] |
| xor eax, dword ptr [ebp-04h] |
| xor eax, ecx |
| leave |
| ret |
| mov eax, 00004000h |
| ret |
| push 00431970h |
| call dword ptr [0042E488h] |
| ret |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| mov al, 01h |
| ret |
| push 00030000h |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e254 | 0x3c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x34000 | 0x143c | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x287c0 | 0xc0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2e3c8 | 0x138 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x266ba | 0x26800 | 9fc12b2919d7993b7875b406673b0c41 | False | 0.5423155945616883 | data | 6.676506145316532 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x28000 | 0x7264 | 0x7400 | 662c29d34464011348a2d81d315c214b | False | 0.40833782327586204 | data | 4.811823385654876 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x30000 | 0x2068 | 0x1000 | 51c3c578bc7da757e8ebeb0ea4aceef9 | False | 0.484619140625 | OpenPGP Secret Key | 5.084546541546572 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .bss | 0x33000 | 0x8 | 0x200 | 64e01fde7e0180fcba7fdb172e6bbca6 | False | 0.03125 | data | 0.06116285224115448 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x34000 | 0x143c | 0x1600 | a55fdfa9c914f00e7079e3187805e326 | False | 0.7510653409090909 | data | 6.285750152953626 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| .coS | 0x36000 | 0x4c800 | 0x4c800 | 8befc085f0df655fec9542b48d2685bd | False | 1.0003382863562091 | data | 7.999380848476415 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| DLL | Import |
|---|---|
| KERNEL32.dll | CloseHandle, CompareStringW, CreateFileA, CreateFileW, CreateThread, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, ExitProcess, ExitThread, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeThread, GetFileSize, GetFileType, GetLastError, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadFile, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WaitForSingleObjectEx, WideCharToMultiByte, WriteConsoleW, WriteFile |
| GDI32.dll | CreateEllipticRgn |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T15:12:56.139869+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49699 | 172.67.198.61 | 443 | TCP |
| 2024-11-23T15:12:56.824663+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.6 | 49699 | 172.67.198.61 | 443 | TCP |
| 2024-11-23T15:12:56.824663+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49699 | 172.67.198.61 | 443 | TCP |
| 2024-11-23T15:12:58.155926+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49700 | 172.67.198.61 | 443 | TCP |
| 2024-11-23T15:12:58.873935+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.6 | 49700 | 172.67.198.61 | 443 | TCP |
| 2024-11-23T15:12:58.873935+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49700 | 172.67.198.61 | 443 | TCP |
| 2024-11-23T15:13:00.455993+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49701 | 172.67.198.61 | 443 | TCP |
| 2024-11-23T15:13:02.633812+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49702 | 172.67.198.61 | 443 | TCP |
| 2024-11-23T15:13:04.879612+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49703 | 172.67.198.61 | 443 | TCP |
| 2024-11-23T15:13:07.273471+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49705 | 172.67.198.61 | 443 | TCP |
| 2024-11-23T15:13:07.978282+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.6 | 49705 | 172.67.198.61 | 443 | TCP |
| 2024-11-23T15:13:09.881039+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49711 | 172.67.198.61 | 443 | TCP |
| 2024-11-23T15:13:13.548014+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49724 | 172.67.198.61 | 443 | TCP |
| 2024-11-23T15:13:14.265345+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49724 | 172.67.198.61 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 23, 2024 15:12:54.864677906 CET | 49699 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:12:54.864708900 CET | 443 | 49699 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:12:54.864824057 CET | 49699 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:12:54.868093014 CET | 49699 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:12:54.868113041 CET | 443 | 49699 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:12:56.139707088 CET | 443 | 49699 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:12:56.139868975 CET | 49699 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:12:56.144181013 CET | 49699 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:12:56.144213915 CET | 443 | 49699 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:12:56.144664049 CET | 443 | 49699 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:12:56.193450928 CET | 49699 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:12:56.193492889 CET | 49699 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:12:56.193607092 CET | 443 | 49699 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:12:56.824656010 CET | 443 | 49699 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:12:56.824773073 CET | 443 | 49699 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:12:56.824841022 CET | 49699 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:12:56.826350927 CET | 49699 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:12:56.826363087 CET | 443 | 49699 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:12:56.826380014 CET | 49699 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:12:56.826386929 CET | 443 | 49699 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:12:56.894089937 CET | 49700 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:12:56.894130945 CET | 443 | 49700 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:12:56.894201994 CET | 49700 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:12:56.895020008 CET | 49700 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:12:56.895035028 CET | 443 | 49700 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:12:58.155812979 CET | 443 | 49700 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:12:58.155925989 CET | 49700 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:12:58.157526016 CET | 49700 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:12:58.157533884 CET | 443 | 49700 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:12:58.157854080 CET | 443 | 49700 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:12:58.159085989 CET | 49700 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:12:58.159112930 CET | 49700 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:12:58.159167051 CET | 443 | 49700 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:12:58.873917103 CET | 443 | 49700 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:12:58.873965979 CET | 443 | 49700 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:12:58.874015093 CET | 49700 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:12:58.874025106 CET | 443 | 49700 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:12:58.874080896 CET | 443 | 49700 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:12:58.874118090 CET | 443 | 49700 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:12:58.874120951 CET | 49700 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:12:58.874130011 CET | 443 | 49700 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:12:58.874171019 CET | 49700 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:12:58.876502037 CET | 443 | 49700 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:12:58.884938955 CET | 443 | 49700 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:12:58.884990931 CET | 49700 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:12:58.885001898 CET | 443 | 49700 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:12:58.893465996 CET | 443 | 49700 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:12:58.893516064 CET | 49700 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:12:58.893523932 CET | 443 | 49700 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:12:58.947233915 CET | 49700 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:12:58.993577957 CET | 443 | 49700 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:12:59.041001081 CET | 49700 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:12:59.094835043 CET | 443 | 49700 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:12:59.098459005 CET | 443 | 49700 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:12:59.098593950 CET | 443 | 49700 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:12:59.099560022 CET | 49700 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:12:59.099880934 CET | 49700 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:12:59.099900007 CET | 443 | 49700 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:12:59.099922895 CET | 49700 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:12:59.099929094 CET | 443 | 49700 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:12:59.194152117 CET | 49701 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:12:59.194242954 CET | 443 | 49701 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:12:59.194330931 CET | 49701 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:12:59.194700956 CET | 49701 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:12:59.194737911 CET | 443 | 49701 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:00.455862999 CET | 443 | 49701 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:00.455992937 CET | 49701 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:00.457305908 CET | 49701 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:00.457340002 CET | 443 | 49701 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:00.457694054 CET | 443 | 49701 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:00.458870888 CET | 49701 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:00.459079981 CET | 49701 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:00.459129095 CET | 443 | 49701 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:01.239933968 CET | 443 | 49701 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:01.240096092 CET | 443 | 49701 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:01.240185022 CET | 49701 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:01.240328074 CET | 49701 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:01.240371943 CET | 443 | 49701 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:01.321338892 CET | 49702 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:01.321388006 CET | 443 | 49702 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:01.321595907 CET | 49702 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:01.321896076 CET | 49702 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:01.321922064 CET | 443 | 49702 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:02.633691072 CET | 443 | 49702 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:02.633811951 CET | 49702 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:02.653624058 CET | 49702 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:02.653647900 CET | 443 | 49702 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:02.654014111 CET | 443 | 49702 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:02.655536890 CET | 49702 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:02.655688047 CET | 49702 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:02.655724049 CET | 443 | 49702 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:02.655774117 CET | 49702 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:02.699371099 CET | 443 | 49702 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:03.413450003 CET | 443 | 49702 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:03.413566113 CET | 443 | 49702 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:03.413623095 CET | 49702 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:03.413747072 CET | 49702 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:03.413764954 CET | 443 | 49702 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:03.607177973 CET | 49703 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:03.607255936 CET | 443 | 49703 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:03.607353926 CET | 49703 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:03.607830048 CET | 49703 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:03.607866049 CET | 443 | 49703 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:04.879388094 CET | 443 | 49703 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:04.879611969 CET | 49703 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:04.881010056 CET | 49703 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:04.881036043 CET | 443 | 49703 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:04.881300926 CET | 443 | 49703 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:04.882678032 CET | 49703 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:04.882846117 CET | 49703 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:04.882894993 CET | 443 | 49703 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:04.882967949 CET | 49703 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:04.882986069 CET | 443 | 49703 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:05.802805901 CET | 443 | 49703 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:05.802902937 CET | 443 | 49703 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:05.802974939 CET | 49703 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:05.803095102 CET | 49703 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:05.803133011 CET | 443 | 49703 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:06.005470991 CET | 49705 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:06.005548954 CET | 443 | 49705 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:06.005636930 CET | 49705 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:06.005986929 CET | 49705 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:06.006026983 CET | 443 | 49705 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:07.273400068 CET | 443 | 49705 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:07.273471117 CET | 49705 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:07.274794102 CET | 49705 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:07.274823904 CET | 443 | 49705 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:07.275079966 CET | 443 | 49705 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:07.276607990 CET | 49705 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:07.276696920 CET | 49705 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:07.276710033 CET | 443 | 49705 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:07.978266001 CET | 443 | 49705 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:07.978368998 CET | 443 | 49705 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:07.978424072 CET | 49705 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:07.978615046 CET | 49705 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:07.978637934 CET | 443 | 49705 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:08.498517036 CET | 49711 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:08.498542070 CET | 443 | 49711 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:08.498615026 CET | 49711 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:08.498943090 CET | 49711 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:08.498951912 CET | 443 | 49711 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:09.880930901 CET | 443 | 49711 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:09.881038904 CET | 49711 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:09.882291079 CET | 49711 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:09.882316113 CET | 443 | 49711 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:09.882577896 CET | 443 | 49711 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:09.911448002 CET | 49711 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:09.912528992 CET | 49711 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:09.912589073 CET | 443 | 49711 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:09.912708044 CET | 49711 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:09.912763119 CET | 443 | 49711 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:09.912916899 CET | 49711 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:09.912966967 CET | 443 | 49711 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:09.913145065 CET | 49711 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:09.913225889 CET | 443 | 49711 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:09.913429022 CET | 49711 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:09.913492918 CET | 443 | 49711 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:09.913712025 CET | 49711 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:09.913765907 CET | 443 | 49711 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:09.913795948 CET | 49711 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:09.913825989 CET | 443 | 49711 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:09.913932085 CET | 49711 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:09.913979053 CET | 443 | 49711 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:09.914022923 CET | 49711 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:09.914124012 CET | 49711 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:09.914186001 CET | 49711 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:09.959331989 CET | 443 | 49711 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:09.959583044 CET | 49711 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:09.959683895 CET | 443 | 49711 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:09.959748983 CET | 49711 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:09.959805012 CET | 443 | 49711 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:09.959882021 CET | 49711 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:09.959934950 CET | 443 | 49711 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:12.205096006 CET | 443 | 49711 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:12.205185890 CET | 443 | 49711 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:12.205302000 CET | 49711 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:12.205461025 CET | 49711 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:12.205504894 CET | 443 | 49711 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:12.274583101 CET | 49724 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:12.274626970 CET | 443 | 49724 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:12.274703026 CET | 49724 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:12.275221109 CET | 49724 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:12.275247097 CET | 443 | 49724 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:13.547934055 CET | 443 | 49724 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:13.548013926 CET | 49724 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:13.549526930 CET | 49724 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:13.549549103 CET | 443 | 49724 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:13.549803019 CET | 443 | 49724 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:13.551059008 CET | 49724 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:13.551100016 CET | 49724 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:13.551157951 CET | 443 | 49724 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:14.265322924 CET | 443 | 49724 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:14.265415907 CET | 443 | 49724 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:14.265620947 CET | 49724 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:14.265702009 CET | 49724 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:14.265736103 CET | 443 | 49724 | 172.67.198.61 | 192.168.2.6 |
| Nov 23, 2024 15:13:14.265763044 CET | 49724 | 443 | 192.168.2.6 | 172.67.198.61 |
| Nov 23, 2024 15:13:14.265782118 CET | 443 | 49724 | 172.67.198.61 | 192.168.2.6 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 23, 2024 15:12:54.620918036 CET | 59142 | 53 | 192.168.2.6 | 1.1.1.1 |
| Nov 23, 2024 15:12:54.858772993 CET | 53 | 59142 | 1.1.1.1 | 192.168.2.6 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Nov 23, 2024 15:12:54.620918036 CET | 192.168.2.6 | 1.1.1.1 | 0xe306 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Nov 23, 2024 15:12:54.858772993 CET | 1.1.1.1 | 192.168.2.6 | 0xe306 | No error (0) | 172.67.198.61 | A (IP address) | IN (0x0001) | false | ||
| Nov 23, 2024 15:12:54.858772993 CET | 1.1.1.1 | 192.168.2.6 | 0xe306 | No error (0) | 104.21.44.93 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.6 | 49699 | 172.67.198.61 | 443 | 5688 | C:\Users\user\Desktop\Launcher.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 14:12:56 UTC | 262 | OUT | |
| 2024-11-23 14:12:56 UTC | 8 | OUT | |
| 2024-11-23 14:12:56 UTC | 1015 | IN | |
| 2024-11-23 14:12:56 UTC | 7 | IN | |
| 2024-11-23 14:12:56 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.6 | 49700 | 172.67.198.61 | 443 | 5688 | C:\Users\user\Desktop\Launcher.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 14:12:58 UTC | 263 | OUT | |
| 2024-11-23 14:12:58 UTC | 54 | OUT | |
| 2024-11-23 14:12:58 UTC | 1019 | IN | |
| 2024-11-23 14:12:58 UTC | 350 | IN | |
| 2024-11-23 14:12:58 UTC | 1369 | IN | |
| 2024-11-23 14:12:58 UTC | 1369 | IN | |
| 2024-11-23 14:12:58 UTC | 1369 | IN | |
| 2024-11-23 14:12:58 UTC | 1369 | IN | |
| 2024-11-23 14:12:58 UTC | 1369 | IN | |
| 2024-11-23 14:12:58 UTC | 1369 | IN | |
| 2024-11-23 14:12:58 UTC | 1369 | IN | |
| 2024-11-23 14:12:58 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.6 | 49701 | 172.67.198.61 | 443 | 5688 | C:\Users\user\Desktop\Launcher.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 14:13:00 UTC | 282 | OUT | |
| 2024-11-23 14:13:00 UTC | 12872 | OUT | |
| 2024-11-23 14:13:01 UTC | 1018 | IN | |
| 2024-11-23 14:13:01 UTC | 19 | IN | |
| 2024-11-23 14:13:01 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.6 | 49702 | 172.67.198.61 | 443 | 5688 | C:\Users\user\Desktop\Launcher.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 14:13:02 UTC | 274 | OUT | |
| 2024-11-23 14:13:02 UTC | 15070 | OUT | |
| 2024-11-23 14:13:03 UTC | 1016 | IN | |
| 2024-11-23 14:13:03 UTC | 19 | IN | |
| 2024-11-23 14:13:03 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.6 | 49703 | 172.67.198.61 | 443 | 5688 | C:\Users\user\Desktop\Launcher.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 14:13:04 UTC | 274 | OUT | |
| 2024-11-23 14:13:04 UTC | 15331 | OUT | |
| 2024-11-23 14:13:04 UTC | 4597 | OUT | |
| 2024-11-23 14:13:05 UTC | 1017 | IN | |
| 2024-11-23 14:13:05 UTC | 19 | IN | |
| 2024-11-23 14:13:05 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.6 | 49705 | 172.67.198.61 | 443 | 5688 | C:\Users\user\Desktop\Launcher.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 14:13:07 UTC | 273 | OUT | |
| 2024-11-23 14:13:07 UTC | 1183 | OUT | |
| 2024-11-23 14:13:07 UTC | 1006 | IN | |
| 2024-11-23 14:13:07 UTC | 19 | IN | |
| 2024-11-23 14:13:07 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.6 | 49711 | 172.67.198.61 | 443 | 5688 | C:\Users\user\Desktop\Launcher.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 14:13:09 UTC | 276 | OUT | |
| 2024-11-23 14:13:09 UTC | 15331 | OUT | |
| 2024-11-23 14:13:09 UTC | 15331 | OUT | |
| 2024-11-23 14:13:09 UTC | 15331 | OUT | |
| 2024-11-23 14:13:09 UTC | 15331 | OUT | |
| 2024-11-23 14:13:09 UTC | 15331 | OUT | |
| 2024-11-23 14:13:09 UTC | 15331 | OUT | |
| 2024-11-23 14:13:09 UTC | 15331 | OUT | |
| 2024-11-23 14:13:09 UTC | 15331 | OUT | |
| 2024-11-23 14:13:09 UTC | 15331 | OUT | |
| 2024-11-23 14:13:09 UTC | 15331 | OUT | |
| 2024-11-23 14:13:12 UTC | 1027 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.6 | 49724 | 172.67.198.61 | 443 | 5688 | C:\Users\user\Desktop\Launcher.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 14:13:13 UTC | 263 | OUT | |
| 2024-11-23 14:13:13 UTC | 89 | OUT | |
| 2024-11-23 14:13:14 UTC | 1019 | IN | |
| 2024-11-23 14:13:14 UTC | 54 | IN | |
| 2024-11-23 14:13:14 UTC | 5 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 09:12:52 |
| Start date: | 23/11/2024 |
| Path: | C:\Users\user\Desktop\Launcher.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x230000 |
| File size: | 512'512 bytes |
| MD5 hash: | 3CA9CA734F501C8DE4270556F80F0F60 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 09:12:52 |
| Start date: | 23/11/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff66e660000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 09:12:53 |
| Start date: | 23/11/2024 |
| Path: | C:\Users\user\Desktop\Launcher.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x230000 |
| File size: | 512'512 bytes |
| MD5 hash: | 3CA9CA734F501C8DE4270556F80F0F60 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 6.8% |
| Dynamic/Decrypted Code Coverage: | 0.4% |
| Signature Coverage: | 9.5% |
| Total number of Nodes: | 1903 |
| Total number of Limit Nodes: | 23 |
Graph
Function 0026018D Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295threadinjectionmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0023A050 Relevance: 13.9, APIs: 6, Strings: 1, Instructions: 1601fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00238190 Relevance: 2.8, Strings: 1, Instructions: 1555COMMON
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0023C785 Relevance: 1.0, Instructions: 952COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0023DD90 Relevance: .0, Instructions: 29COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0024EDF3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0024BD06 Relevance: 4.6, APIs: 3, Instructions: 51threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0024F752 Relevance: 3.1, APIs: 2, Instructions: 65COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0024BE20 Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002500EB Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00246E20 Relevance: 1.6, APIs: 1, Instructions: 86COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0023DE10 Relevance: 1.5, APIs: 1, Instructions: 41COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00250C65 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00249CC2 Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 180libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0023DEF0 Relevance: 9.7, APIs: 5, Instructions: 2248COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00231000 Relevance: 8.6, Strings: 3, Instructions: 4838COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002517FB Relevance: 6.2, APIs: 4, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0024A464 Relevance: 6.1, APIs: 4, Instructions: 73COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0023FE20 Relevance: 4.9, Strings: 1, Instructions: 3648COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0023C530 Relevance: 3.3, Strings: 1, Instructions: 2002COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0025174A Relevance: 1.7, APIs: 1, Instructions: 199fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0024A220 Relevance: 1.6, APIs: 1, Instructions: 147COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0024A458 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0024EFB0 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00248270 Relevance: .7, Instructions: 669COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002489D0 Relevance: .6, Instructions: 582COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00246030 Relevance: .5, Instructions: 544COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00245780 Relevance: .5, Instructions: 499COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00239EF0 Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0024E0F3 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0024BF74 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00252F3D Relevance: 7.7, APIs: 5, Instructions: 197COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0024E518 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 114COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00252C7E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002515D8 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0025224D Relevance: 6.1, APIs: 4, Instructions: 74COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0024DD8C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 5.9% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 42.3% |
| Total number of Nodes: | 286 |
| Total number of Limit Nodes: | 30 |
Graph
Function 004389D0 Relevance: 40.7, APIs: 11, Strings: 12, Instructions: 484memorycomCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00408AE0 Relevance: 7.7, APIs: 5, Instructions: 198threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043D880 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043D920 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00440620 Relevance: 1.4, Strings: 1, Instructions: 103COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00440740 Relevance: .3, Instructions: 255COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00420970 Relevance: .2, Instructions: 196COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040A10E Relevance: .2, Instructions: 182COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040CE5A Relevance: .1, Instructions: 54COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040C7A5 Relevance: .0, Instructions: 28COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043B070 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042FC22 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043B030 Relevance: 1.5, APIs: 1, Instructions: 22memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D260 Relevance: 1.5, APIs: 1, Instructions: 17COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D293 Relevance: 1.5, APIs: 1, Instructions: 17COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00425344 Relevance: 16.0, Strings: 12, Instructions: 1043COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426910 Relevance: 12.9, Strings: 10, Instructions: 416COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002517FB Relevance: 6.2, APIs: 4, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0024A464 Relevance: 6.1, APIs: 4, Instructions: 73COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041AC64 Relevance: 5.7, Strings: 4, Instructions: 708COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041DF00 Relevance: 5.6, Strings: 4, Instructions: 623COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00427580 Relevance: 5.6, Strings: 4, Instructions: 609COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004298A8 Relevance: 5.5, Strings: 4, Instructions: 466COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00429F62 Relevance: 5.2, Strings: 4, Instructions: 161COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041D201 Relevance: 5.1, Strings: 4, Instructions: 111COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00421F10 Relevance: 4.2, Strings: 3, Instructions: 453COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042A1A2 Relevance: 4.0, Strings: 3, Instructions: 227COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404930 Relevance: 4.0, Strings: 3, Instructions: 224COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00427774 Relevance: 3.0, Strings: 2, Instructions: 499COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042C84A Relevance: 2.8, Strings: 2, Instructions: 309COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042C8DC Relevance: 2.8, Strings: 2, Instructions: 306COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042C929 Relevance: 2.8, Strings: 2, Instructions: 305COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042C918 Relevance: 2.8, Strings: 2, Instructions: 280COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426959 Relevance: 2.7, Strings: 2, Instructions: 176COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004231F0 Relevance: 1.7, APIs: 1, Instructions: 241comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00423450 Relevance: 1.7, Strings: 1, Instructions: 439COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042BA10 Relevance: 1.6, Strings: 1, Instructions: 395COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041CED0 Relevance: 1.5, Strings: 1, Instructions: 254COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042D380 Relevance: 1.5, Strings: 1, Instructions: 217COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042D318 Relevance: 1.5, Strings: 1, Instructions: 205COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042D0F6 Relevance: 1.5, Strings: 1, Instructions: 204COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040DA43 Relevance: 1.4, Strings: 1, Instructions: 177COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00439290 Relevance: 1.4, Strings: 1, Instructions: 114COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040EA4F Relevance: 1.3, Strings: 1, Instructions: 95COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042ADAB Relevance: 1.3, Strings: 1, Instructions: 92COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00429813 Relevance: 1.3, Strings: 1, Instructions: 58COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00428A9C Relevance: 1.3, Strings: 1, Instructions: 38COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405C20 Relevance: .4, Instructions: 448COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042CD67 Relevance: .3, Instructions: 310COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004294BD Relevance: .3, Instructions: 276COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00440CD0 Relevance: .3, Instructions: 265COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402190 Relevance: .2, Instructions: 230COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00439040 Relevance: .2, Instructions: 201COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B989 Relevance: .2, Instructions: 199COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B626 Relevance: .2, Instructions: 183COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004393D0 Relevance: .2, Instructions: 176COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00428F5D Relevance: .1, Instructions: 113COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00408E00 Relevance: .1, Instructions: 86COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00435E10 Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042B450 Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042E388 Relevance: .1, Instructions: 56COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00422776 Relevance: .0, Instructions: 44COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042CD62 Relevance: .0, Instructions: 39COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040BEB1 Relevance: .0, Instructions: 18COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00249CC2 Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 180libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0024E0F3 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0024EDF3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0024BF74 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00252F3D Relevance: 7.7, APIs: 5, Instructions: 197COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0024E518 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 114COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00252C7E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002515D8 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00251B74 Relevance: 6.1, APIs: 4, Instructions: 79COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0025224D Relevance: 6.1, APIs: 4, Instructions: 74COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0024DD8C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|