Edit tour
Windows
Analysis Report
tatuJHXSR4.exe
Overview
General Information
| Sample name: | tatuJHXSR4.exerenamed because original name is a hash value |
| Original sample name: | 2a5f40e3ee04057e88c8b794ff258fd4.exe |
| Analysis ID: | 1416003 |
| MD5: | 2a5f40e3ee04057e88c8b794ff258fd4 |
| SHA1: | 590e7f9870f13c8a2c060a6f2cb1bdf97901605c |
| SHA256: | 30e8530fe027064f03f21e5dfc5d560338f8781c8133885b223ff3456ff16b65 |
| Tags: | 64exetrojan |
| Infos: |  |
 | |
Detection
LummaC
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Yara detected LummaC Stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
tatuJHXSR4.exe (PID: 7304 cmdline: "C:\Users\ user\Deskt op\tatuJHX SR4.exe" MD5: 2A5F40E3EE04057E88C8B794FF258FD4) 
BitLockerToGo.exe (PID: 7620 cmdline: C:\Windows \BitLocker DiscoveryV olumeConte nts\BitLoc kerToGo.ex e MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
{"C2 url": ["pillowbrocccolipe.shop", "communicationgenerwo.shop", "diskretainvigorousiw.shop", "affordcharmcropwo.shop", "dismissalcylinderhostw.shop", "enthusiasimtitleow.shop", "worryfillvolcawoi.shop", "cleartotalfisherwo.shop", "communicationgenerwo.shop"], "Build id": "uYY3NI--"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Code function: | 6_2_007657B1 | |
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Directory queried: | ||
| Source: | Code function: | 6_2_00759750 | |
| Source: | Code function: | 6_2_00759750 | |
| Source: | Code function: | 6_2_007667E0 | |
| Source: | Code function: | 6_2_0076DC00 | |
| Source: | Code function: | 6_2_0076DC00 | |
| Source: | Code function: | 6_2_00763CF3 | |
| Source: | Code function: | 6_2_00765DA9 | |
| Source: | Code function: | 6_2_00765DA9 | |
| Source: | Code function: | 6_2_00764075 | |
| Source: | Code function: | 6_2_0076A181 | |
| Source: | Code function: | 6_2_0078426F | |
| Source: | Code function: | 6_2_0076A2B9 | |
| Source: | Code function: | 6_2_00759290 | |
| Source: | Code function: | 6_2_0076A31D | |
| Source: | Code function: | 6_2_0077E570 | |
| Source: | Code function: | 6_2_00787500 | |
| Source: | Code function: | 6_2_00769732 | |
| Source: | Code function: | 6_2_00766729 | |
| Source: | Code function: | 6_2_007718A0 | |
| Source: | Code function: | 6_2_0076A9F4 | |
| Source: | Code function: | 6_2_0076F990 | |
| Source: | Code function: | 6_2_0076CBF0 | |
| Source: | Code function: | 6_2_00784BF0 | |
| Source: | Code function: | 6_2_00771BC5 | |
| Source: | Code function: | 6_2_00764C63 | |
| Source: | Code function: | 6_2_00784C45 | |
| Source: | Code function: | 6_2_00752CF0 | |
| Source: | Code function: | 6_2_00786CA0 | |
| Source: | Code function: | 6_2_0075CD10 | |
| Source: | Code function: | 6_2_00764EA3 | |
| Source: | Code function: | 6_2_00758FE0 | |
| Source: | Code function: | 6_2_00772FA5 | |
Networking | |
|---|
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 6_2_0077A1C0 | |
| Source: | Code function: | 6_2_0077A1C0 | |
| Source: | Code function: | 6_2_0077A3A0 | |
| Source: | Code function: | 6_2_00764160 | |
| Source: | Code function: | 6_2_00765280 | |
| Source: | Code function: | 6_2_00783316 | |
| Source: | Code function: | 6_2_0076447E | |
| Source: | Code function: | 6_2_00765465 | |
| Source: | Code function: | 6_2_00766430 | |
| Source: | Code function: | 6_2_00786500 | |
| Source: | Code function: | 6_2_007866E0 | |
| Source: | Code function: | 6_2_007878F0 | |
| Source: | Code function: | 6_2_007838D4 | |
| Source: | Code function: | 6_2_00768890 | |
| Source: | Code function: | 6_2_00786920 | |
| Source: | Code function: | 6_2_00764A59 | |
| Source: | Code function: | 6_2_00786A40 | |
| Source: | Code function: | 6_2_00768AC0 | |
| Source: | Code function: | 6_2_00770B61 | |
| Source: | Code function: | 6_2_0076DC00 | |
| Source: | Code function: | 6_2_00786D30 | |
| Source: | Code function: | 6_2_00786E40 | |
| Source: | Code function: | 6_2_00783E33 | |
| Source: | Code function: | 6_2_00783E87 | |
| Source: | Code function: | 6_2_00781F90 | |
| Source: | Code function: | 6_2_0076902E | |
| Source: | Code function: | 6_2_0076D000 | |
| Source: | Code function: | 6_2_00787160 | |
| Source: | Code function: | 6_2_00780260 | |
| Source: | Code function: | 6_2_007822E0 | |
| Source: | Code function: | 6_2_007662B0 | |
| Source: | Code function: | 6_2_0076A2B9 | |
| Source: | Code function: | 6_2_00762384 | |
| Source: | Code function: | 6_2_0076A46F | |
| Source: | Code function: | 6_2_00787500 | |
| Source: | Code function: | 6_2_007825E0 | |
| Source: | Code function: | 6_2_0076C6C0 | |
| Source: | Code function: | 6_2_00782740 | |
| Source: | Code function: | 6_2_00769732 | |
| Source: | Code function: | 6_2_007627DB | |
| Source: | Code function: | 6_2_00782850 | |
| Source: | Code function: | 6_2_0076C820 | |
| Source: | Code function: | 6_2_00782980 | |
| Source: | Code function: | 6_2_00782A90 | |
| Source: | Code function: | 6_2_00786B70 | |
| Source: | Code function: | 6_2_00783EE2 | |
| Source: | Code function: | 6_2_0076FF68 | |
| Source: | Code function: | 6_2_00754750 | |
| Source: | Code function: | 6_2_00751710 | |
| Source: | Code function: | 6_2_0076DC00 | |
| Source: | Code function: | 6_2_00756070 | |
| Source: | Code function: | 6_2_0076902E | |
| Source: | Code function: | 6_2_00780010 | |
| Source: | Code function: | 6_2_00751000 | |
| Source: | Code function: | 6_2_0076D000 | |
| Source: | Code function: | 6_2_00787160 | |
| Source: | Code function: | 6_2_00775152 | |
| Source: | Code function: | 6_2_00760180 | |
| Source: | Code function: | 6_2_007532B0 | |
| Source: | Code function: | 6_2_00755300 | |
| Source: | Code function: | 6_2_00787500 | |
| Source: | Code function: | 6_2_00756650 | |
| Source: | Code function: | 6_2_00769732 | |
| Source: | Code function: | 6_2_00758820 | |
| Source: | Code function: | 6_2_007788D9 | |
| Source: | Code function: | 6_2_0077697D | |
| Source: | Code function: | 6_2_00773992 | |
| Source: | Code function: | 6_2_00782A90 | |
| Source: | Code function: | 6_2_00757BF0 | |
| Source: | Code function: | 6_2_00753D10 | |
| Source: | Code function: | 6_2_00774DE2 | |
| Source: | Code function: | 6_2_00752EA0 | |
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Binary string: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 6_2_0077802C | |
| Source: | File created: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 6_3_00CF66CE | |
| Source: | Code function: | 6_3_00CF66CE | |
| Source: | Code function: | 6_3_00CF66CE | |
| Source: | Code function: | 6_3_00CF66CA | |
| Source: | Code function: | 6_3_00CF66CA | |
| Source: | Code function: | 6_3_00CF66CA | |
| Source: | Code function: | 6_3_00CF52DE | |
| Source: | Code function: | 6_3_00CF52DE | |
| Source: | Code function: | 6_3_00CF52DE | |
| Source: | Code function: | 6_3_00CF52DA | |
| Source: | Code function: | 6_3_00CF52DA | |
| Source: | Code function: | 6_3_00CF52DA | |
| Source: | Code function: | 6_3_00CF5126 | |
| Source: | Code function: | 6_3_00CF5126 | |
| Source: | Code function: | 6_3_00CF5126 | |
| Source: | Code function: | 6_3_00CF529E | |
| Source: | Code function: | 6_3_00CF529E | |
| Source: | Code function: | 6_3_00CF529E | |
| Source: | Code function: | 6_3_00CF589A | |
| Source: | Code function: | 6_3_00CF589A | |
| Source: | Code function: | 6_3_00CF589A | |
| Source: | Code function: | 6_3_00CF52A2 | |
| Source: | Code function: | 6_3_00CF52A2 | |
| Source: | Code function: | 6_3_00CF52A2 | |
| Source: | Code function: | 6_3_00CF567A | |
| Source: | Code function: | 6_3_00CF567A | |
| Source: | Code function: | 6_3_00CF567A | |
| Source: | Code function: | 6_3_00CF5672 | |
| Source: | Code function: | 6_3_00CF5672 | |
| Source: | Code function: | 6_3_00CF5672 | |
| Source: | Code function: | 6_3_00CF51CA | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | System information queried: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 311 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 111 Security Software Discovery | Remote Services | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Virtualization/Sandbox Evasion | LSASS Memory | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 311 Process Injection | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | 31 Data from Local System | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Deobfuscate/Decode Files or Information | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | 2 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | 12 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 8% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| communicationgenerwo.shop | 172.67.166.251 | true | true | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| low | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| low | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| low | ||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 172.67.166.251 | communicationgenerwo.shop | United States | 13335 | CLOUDFLARENETUS | true |
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1416003 |
| Start date and time: | 2024-03-26 18:22:09 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 6m 36s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 8 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | tatuJHXSR4.exerenamed because original name is a hash value |
| Original Sample Name: | 2a5f40e3ee04057e88c8b794ff258fd4.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@3/0@2/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
- Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, cdn.onenote.net, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target tatuJHXSR4.exe, PID 7304 because there are no executed function
- HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- Report size getting too big, too many NtCreateFile calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryDirectoryFile calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: tatuJHXSR4.exe
| Time | Type | Description |
|---|---|---|
| 18:23:26 | API Interceptor |
⊘No context
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HtmlDropper, HTMLPhisher | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | MAC Stealer | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Remcos, DBatLoader | Browse |
| ||
| Get hash | malicious | Remcos, DBatLoader | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 6.342138892650738 |
| TrID: |
|
| File name: | tatuJHXSR4.exe |
| File size: | 10'470'400 bytes |
| MD5: | 2a5f40e3ee04057e88c8b794ff258fd4 |
| SHA1: | 590e7f9870f13c8a2c060a6f2cb1bdf97901605c |
| SHA256: | 30e8530fe027064f03f21e5dfc5d560338f8781c8133885b223ff3456ff16b65 |
| SHA512: | 0d201a3c90f5ec338e9af66b1c2b50093c04b8b14039e8cd5437b96b2e5e0c729eb2a8001fcfbad78e290850b813adfb3aeef39d04a240ba657ccb3f3b27671d |
| SSDEEP: | 98304:fGfgjfw8feH/u3v8/hTkYpEKA4CJj4DZ2Ig:fGp5W3v8/h4YqWceZW |
| TLSH: | D0B64947FCA144E5C5EEC13089669216BB727C484B2127C73B60F7692F7ABD0AE7A350 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$..C......T.............@....................................f.....`... ............................ |
 | |
| Icon Hash: | 1430f482cac2c61d |
| Entrypoint: | 0x1400014c0 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x140000000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x0 [Thu Jan 1 00:00:00 1970 UTC] |
| TLS Callbacks: | 0x40433660, 0x1, 0x40433630, 0x1, 0x404370d0, 0x1 |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 1 |
| File Version Major: | 6 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 1 |
| Import Hash: | c595f1660e1a3c84f4d9b0761d23cd7a |
| Instruction |
|---|
| dec eax |
| sub esp, 28h |
| dec eax |
| mov eax, dword ptr [009B6015h] |
| mov dword ptr [eax], 00000001h |
| call 00007F546CF2A9BFh |
| nop |
| nop |
| dec eax |
| add esp, 28h |
| ret |
| nop dword ptr [eax] |
| dec eax |
| sub esp, 28h |
| dec eax |
| mov eax, dword ptr [009B5FF5h] |
| mov dword ptr [eax], 00000000h |
| call 00007F546CF2A99Fh |
| nop |
| nop |
| dec eax |
| add esp, 28h |
| ret |
| nop dword ptr [eax] |
| dec eax |
| sub esp, 28h |
| call 00007F546D367C3Ch |
| dec eax |
| test eax, eax |
| sete al |
| movzx eax, al |
| neg eax |
| dec eax |
| add esp, 28h |
| ret |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| dec eax |
| lea ecx, dword ptr [00000009h] |
| jmp 00007F546CF2ACD9h |
| nop dword ptr [eax+00h] |
| ret |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| jmp dword ptr [eax] |
| inc edi |
| outsd |
| and byte ptr [edx+75h], ah |
| imul ebp, dword ptr [esp+20h], 203A4449h |
| and cl, byte ptr [ebx+75h] |
| push esp |
| inc edi |
| jo 00007F546CF2AD47h |
| dec ebx |
| inc ebx |
| insd |
| xor byte ptr [ecx+49h], cl |
| dec ecx |
| inc esi |
| push 00000077h |
| push edi |
| push ebx |
| jp 00007F546CF2AD31h |
| jne 00007F546CF2AD7Ah |
| outsd |
| imul ecx, dword ptr [eax+32h], 58625970h |
| pop edi |
| dec edi |
| push di |
| dec eax |
| dec esp |
| das |
| inc esp |
| pop edi |
| inc ebp |
| xor dl, byte ptr [edi+62h] |
| push edi |
| dec edx |
| pop edi |
| xor byte ptr [edi+34h], dh |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0xa6d000 | 0x4e | .edata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa6e000 | 0x1458 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa72000 | 0xe056 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x9b8000 | 0x1de38 | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa81000 | 0x16978 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x9b6e40 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0xa6e494 | 0x458 | .idata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x43dc00 | 0x43dc00 | 4d204adc3128543a03933ebab6a62a7e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0x43f000 | 0x76f30 | 0x77000 | 61bcbb499bb2b71a68743e8b4547066d | False | 0.3885631400997899 | dBase III DBT, version number 0, next free block index 10, 1st item "nNzJar+8KY+LPI6wiWrP/myHw=" | 5.600499607623445 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rdata | 0x4b6000 | 0x501c70 | 0x501e00 | b021c8f42fc513a4e3f09342ad0fd319 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
| .pdata | 0x9b8000 | 0x1de38 | 0x1e000 | 6682d8d55c02004c2d47280e58157f3a | False | 0.39810384114583336 | data | 5.638546080934293 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
| .xdata | 0x9d6000 | 0xc50 | 0xe00 | 979050a6b7bf6161154d748c100efafc | False | 0.2583705357142857 | data | 3.9945120572433783 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
| .bss | 0x9d7000 | 0x952e0 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .edata | 0xa6d000 | 0x4e | 0x200 | 07d4f7a3eb683855c6af60897a72395d | False | 0.08984375 | data | 0.6513844786319263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
| .idata | 0xa6e000 | 0x1458 | 0x1600 | e9a82f31e572d26076a408635fbd2166 | False | 0.29829545454545453 | data | 4.342722917773444 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .CRT | 0xa70000 | 0x70 | 0x200 | 229f13381e9bd504d71bde7b201dc7ec | False | 0.08203125 | data | 0.46601398182820153 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .tls | 0xa71000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xa72000 | 0xe056 | 0xe200 | fa3aa680db7c97fc632b574d278c3ac5 | False | 0.15486725663716813 | data | 2.509998495779265 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .reloc | 0xa81000 | 0x16978 | 0x16a00 | fed0f92e6b14a23efbd9ba9dcd66d328 | False | 0.21332225483425415 | data | 5.43066875103094 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xa72370 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | 0.23655913978494625 | ||
| RT_ICON | 0xa72658 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | 0.4222972972972973 | ||
| RT_ICON | 0xa72780 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2688 | 0.2667910447761194 | ||
| RT_ICON | 0xa73628 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | 0.38402527075812276 | ||
| RT_ICON | 0xa73ed0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | 0.5382947976878613 | ||
| RT_ICON | 0xa74438 | 0xdb4 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | 0.733751425313569 | ||
| RT_ICON | 0xa751ec | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | 0.05018894662257912 | ||
| RT_ICON | 0xa79414 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | 0.06846473029045644 | ||
| RT_ICON | 0xa7b9bc | 0x1a68 | Device independent bitmap graphic, 40 x 80 x 32, image size 6720 | 0.08505917159763314 | ||
| RT_ICON | 0xa7d424 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | 0.10858348968105065 | ||
| RT_ICON | 0xa7e4cc | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | 0.1569672131147541 | ||
| RT_ICON | 0xa7ee54 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 1680 | 0.20406976744186048 | ||
| RT_ICON | 0xa7f50c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | 0.2429078014184397 | ||
| RT_GROUP_ICON | 0xa7f974 | 0xbc | data | 0.6542553191489362 | ||
| RT_VERSION | 0xa7fa30 | 0x2f4 | data | English | United States | 0.4576719576719577 |
| RT_MANIFEST | 0xa7fd24 | 0x332 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.46943765281173594 |
| DLL | Import |
|---|---|
| KERNEL32.dll | AddAtomA, AddVectoredContinueHandler, AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateFileA, CreateIoCompletionPort, CreateMutexA, CreateSemaphoreA, CreateThread, CreateWaitableTimerExW, DeleteAtom, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FindAtomA, FormatMessageA, FreeEnvironmentStringsW, GetAtomNameA, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetHandleInformation, GetLastError, GetProcAddress, GetProcessAffinityMask, GetQueuedCompletionStatusEx, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetTickCount, InitializeCriticalSection, IsDBCSLeadByteEx, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryExW, LoadLibraryW, LocalFree, MultiByteToWideChar, OpenProcess, OutputDebugStringA, PostQueuedCompletionStatus, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, RaiseFailFastException, ReleaseMutex, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, RtlLookupFunctionEntry, RtlVirtualUnwind, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessAffinityMask, SetProcessPriorityBoost, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WideCharToMultiByte, WriteConsoleW, WriteFile, __C_specific_handler |
| msvcrt.dll | ___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _beginthread, _beginthreadex, _cexit, _commode, _endthreadex, _errno, _fmode, _initterm, _lock, _memccpy, _onexit, _setjmp, _strdup, _ultoa, _unlock, abort, calloc, exit, fprintf, fputc, free, fwrite, localeconv, longjmp, malloc, memcpy, memmove, memset, printf, realloc, signal, strerror, strlen, strncmp, vfprintf, wcslen |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 26, 2024 18:23:27.891983986 CET | 49727 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:27.892028093 CET | 443 | 49727 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:27.892096043 CET | 49727 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:27.911380053 CET | 49727 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:27.911396980 CET | 443 | 49727 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:28.135770082 CET | 443 | 49727 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:28.135844946 CET | 49727 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:28.155852079 CET | 49727 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:28.155883074 CET | 443 | 49727 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:28.156152010 CET | 443 | 49727 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:28.205734968 CET | 49727 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:28.225790024 CET | 49727 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:28.225817919 CET | 49727 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:28.225934982 CET | 443 | 49727 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:28.667217970 CET | 443 | 49727 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:28.667359114 CET | 443 | 49727 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:28.667438984 CET | 49727 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:28.672445059 CET | 49727 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:28.672472000 CET | 443 | 49727 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:28.672486067 CET | 49727 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:28.672492981 CET | 443 | 49727 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:28.684324026 CET | 49729 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:28.684365988 CET | 443 | 49729 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:28.684433937 CET | 49729 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:28.684766054 CET | 49729 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:28.684779882 CET | 443 | 49729 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:28.885838032 CET | 443 | 49729 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:28.885986090 CET | 49729 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:28.887073040 CET | 49729 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:28.887083054 CET | 443 | 49729 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:28.887377977 CET | 443 | 49729 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:28.888813019 CET | 49729 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:28.888813019 CET | 49729 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:28.888883114 CET | 443 | 49729 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:29.412426949 CET | 443 | 49729 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:29.412475109 CET | 443 | 49729 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:29.412509918 CET | 443 | 49729 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:29.412540913 CET | 443 | 49729 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:29.412580967 CET | 443 | 49729 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:29.412586927 CET | 49729 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:29.412606001 CET | 443 | 49729 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:29.412620068 CET | 49729 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:29.412642956 CET | 443 | 49729 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:29.412669897 CET | 443 | 49729 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:29.412669897 CET | 49729 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:29.412683010 CET | 443 | 49729 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:29.412803888 CET | 49729 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:29.412906885 CET | 443 | 49729 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:29.413075924 CET | 443 | 49729 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:29.413101912 CET | 49729 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:29.413110018 CET | 443 | 49729 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:29.413151026 CET | 443 | 49729 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:29.413167953 CET | 49729 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:29.413175106 CET | 443 | 49729 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:29.413547993 CET | 49729 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:29.413553953 CET | 443 | 49729 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:29.413979053 CET | 443 | 49729 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:29.414216995 CET | 49729 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:29.414376974 CET | 49729 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:29.414397001 CET | 443 | 49729 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:29.414418936 CET | 49729 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:29.414423943 CET | 443 | 49729 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:29.593039036 CET | 49730 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:29.593091011 CET | 443 | 49730 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:29.593307972 CET | 49730 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:29.593568087 CET | 49730 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:29.593580008 CET | 443 | 49730 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:29.796722889 CET | 443 | 49730 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:29.796808004 CET | 49730 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:29.798113108 CET | 49730 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:29.798130989 CET | 443 | 49730 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:29.798388004 CET | 443 | 49730 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:29.799680948 CET | 49730 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:29.799823999 CET | 49730 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:29.799858093 CET | 443 | 49730 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:30.296804905 CET | 443 | 49730 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:30.296946049 CET | 443 | 49730 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:30.297086000 CET | 49730 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:30.297863960 CET | 49730 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:30.297884941 CET | 443 | 49730 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:30.588450909 CET | 49731 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:30.588495970 CET | 443 | 49731 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:30.588567972 CET | 49731 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:30.588871956 CET | 49731 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:30.588890076 CET | 443 | 49731 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:30.790688992 CET | 443 | 49731 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:30.790801048 CET | 49731 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:30.792198896 CET | 49731 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:30.792213917 CET | 443 | 49731 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:30.792503119 CET | 443 | 49731 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:30.793894053 CET | 49731 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:30.793894053 CET | 49731 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:30.793936014 CET | 443 | 49731 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:30.794027090 CET | 49731 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:30.794034004 CET | 443 | 49731 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:31.273519993 CET | 443 | 49731 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:31.273699999 CET | 443 | 49731 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:31.273844004 CET | 49731 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:31.273973942 CET | 49731 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:31.697478056 CET | 49732 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:31.697515011 CET | 443 | 49732 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:31.697680950 CET | 49732 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:31.697937965 CET | 49732 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:31.697948933 CET | 443 | 49732 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:31.899907112 CET | 443 | 49732 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:31.900027990 CET | 49732 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:31.901257038 CET | 49732 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:31.901263952 CET | 443 | 49732 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:31.901523113 CET | 443 | 49732 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:31.902731895 CET | 49732 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:31.902892113 CET | 49732 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:31.902921915 CET | 443 | 49732 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:31.902983904 CET | 49732 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:31.902992010 CET | 443 | 49732 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:32.435430050 CET | 443 | 49732 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:32.435573101 CET | 443 | 49732 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:32.435646057 CET | 49732 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:32.437331915 CET | 49732 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:32.437350035 CET | 443 | 49732 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:33.412810087 CET | 49733 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:33.412838936 CET | 443 | 49733 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:33.412902117 CET | 49733 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:33.413238049 CET | 49733 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:33.413253069 CET | 443 | 49733 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:33.615912914 CET | 443 | 49733 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:33.616044998 CET | 49733 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:33.617394924 CET | 49733 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:33.617402077 CET | 443 | 49733 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:33.617728949 CET | 443 | 49733 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:33.619112968 CET | 49733 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:33.619251013 CET | 49733 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:33.619273901 CET | 443 | 49733 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:34.102233887 CET | 443 | 49733 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:34.102359056 CET | 443 | 49733 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:34.102441072 CET | 49733 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:34.102603912 CET | 49733 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:34.102619886 CET | 443 | 49733 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:34.231576920 CET | 49734 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:34.231620073 CET | 443 | 49734 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:34.231731892 CET | 49734 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:34.232069969 CET | 49734 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:34.232080936 CET | 443 | 49734 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:34.431498051 CET | 443 | 49734 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:34.431567907 CET | 49734 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:34.432931900 CET | 49734 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:34.432944059 CET | 443 | 49734 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:34.433187008 CET | 443 | 49734 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:34.434506893 CET | 49734 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:34.434561968 CET | 49734 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:34.434571028 CET | 443 | 49734 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:34.910912037 CET | 443 | 49734 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:34.911041021 CET | 443 | 49734 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:34.911962032 CET | 49734 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:34.911962032 CET | 49734 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:35.221478939 CET | 49734 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:35.221508980 CET | 443 | 49734 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:35.586797953 CET | 49735 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:35.586838007 CET | 443 | 49735 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:35.586931944 CET | 49735 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:35.587243080 CET | 49735 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:35.587255955 CET | 443 | 49735 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:35.788011074 CET | 443 | 49735 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:35.788093090 CET | 49735 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:35.789378881 CET | 49735 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:35.789387941 CET | 443 | 49735 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:35.789637089 CET | 443 | 49735 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:35.790930033 CET | 49735 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:35.791840076 CET | 49735 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:35.791873932 CET | 443 | 49735 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:35.791981936 CET | 49735 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:35.792020082 CET | 443 | 49735 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:35.792174101 CET | 49735 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:35.792216063 CET | 443 | 49735 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:35.792361021 CET | 49735 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:35.792395115 CET | 443 | 49735 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:35.792542934 CET | 49735 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:35.792581081 CET | 443 | 49735 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:35.792731047 CET | 49735 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:35.792761087 CET | 443 | 49735 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:35.792772055 CET | 49735 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:35.792783976 CET | 443 | 49735 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:35.792910099 CET | 49735 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:35.792937994 CET | 443 | 49735 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:35.792962074 CET | 49735 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:35.793086052 CET | 49735 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:35.793124914 CET | 49735 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:35.840231895 CET | 443 | 49735 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:35.840502024 CET | 49735 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:35.840550900 CET | 443 | 49735 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:35.840579033 CET | 49735 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:35.840599060 CET | 443 | 49735 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:35.840646029 CET | 49735 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:35.840676069 CET | 443 | 49735 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:37.320141077 CET | 443 | 49735 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:37.320280075 CET | 443 | 49735 | 172.67.166.251 | 192.168.2.6 |
| Mar 26, 2024 18:23:37.320332050 CET | 49735 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:37.320379972 CET | 49735 | 443 | 192.168.2.6 | 172.67.166.251 |
| Mar 26, 2024 18:23:37.320400000 CET | 443 | 49735 | 172.67.166.251 | 192.168.2.6 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 26, 2024 18:23:27.789124012 CET | 59572 | 53 | 192.168.2.6 | 1.1.1.1 |
| Mar 26, 2024 18:23:27.887204885 CET | 53 | 59572 | 1.1.1.1 | 192.168.2.6 |
| Mar 26, 2024 18:23:40.255268097 CET | 64042 | 53 | 192.168.2.6 | 1.1.1.1 |
| Mar 26, 2024 18:23:40.377813101 CET | 53 | 64042 | 1.1.1.1 | 192.168.2.6 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Mar 26, 2024 18:23:27.789124012 CET | 192.168.2.6 | 1.1.1.1 | 0xa712 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Mar 26, 2024 18:23:40.255268097 CET | 192.168.2.6 | 1.1.1.1 | 0x8ee7 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Mar 26, 2024 18:23:27.887204885 CET | 1.1.1.1 | 192.168.2.6 | 0xa712 | No error (0) | 172.67.166.251 | A (IP address) | IN (0x0001) | false | ||
| Mar 26, 2024 18:23:27.887204885 CET | 1.1.1.1 | 192.168.2.6 | 0xa712 | No error (0) | 104.21.83.19 | A (IP address) | IN (0x0001) | false | ||
| Mar 26, 2024 18:23:40.377813101 CET | 1.1.1.1 | 192.168.2.6 | 0x8ee7 | No error (0) | 104.21.83.19 | A (IP address) | IN (0x0001) | false | ||
| Mar 26, 2024 18:23:40.377813101 CET | 1.1.1.1 | 192.168.2.6 | 0x8ee7 | No error (0) | 172.67.166.251 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.6 | 49727 | 172.67.166.251 | 443 | 7620 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-03-26 17:23:28 UTC | 272 | OUT | |
| 2024-03-26 17:23:28 UTC | 8 | OUT | |
| 2024-03-26 17:23:28 UTC | 822 | IN | |
| 2024-03-26 17:23:28 UTC | 7 | IN | |
| 2024-03-26 17:23:28 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.6 | 49729 | 172.67.166.251 | 443 | 7620 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-03-26 17:23:28 UTC | 273 | OUT | |
| 2024-03-26 17:23:28 UTC | 49 | OUT | |
| 2024-03-26 17:23:29 UTC | 808 | IN | |
| 2024-03-26 17:23:29 UTC | 561 | IN | |
| 2024-03-26 17:23:29 UTC | 1369 | IN | |
| 2024-03-26 17:23:29 UTC | 1369 | IN | |
| 2024-03-26 17:23:29 UTC | 1369 | IN | |
| 2024-03-26 17:23:29 UTC | 1369 | IN | |
| 2024-03-26 17:23:29 UTC | 1369 | IN | |
| 2024-03-26 17:23:29 UTC | 1369 | IN | |
| 2024-03-26 17:23:29 UTC | 1369 | IN | |
| 2024-03-26 17:23:29 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.6 | 49730 | 172.67.166.251 | 443 | 7620 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-03-26 17:23:29 UTC | 291 | OUT | |
| 2024-03-26 17:23:29 UTC | 12854 | OUT | |
| 2024-03-26 17:23:30 UTC | 810 | IN | |
| 2024-03-26 17:23:30 UTC | 22 | IN | |
| 2024-03-26 17:23:30 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.6 | 49731 | 172.67.166.251 | 443 | 7620 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-03-26 17:23:30 UTC | 291 | OUT | |
| 2024-03-26 17:23:30 UTC | 15100 | OUT | |
| 2024-03-26 17:23:31 UTC | 810 | IN | |
| 2024-03-26 17:23:31 UTC | 22 | IN | |
| 2024-03-26 17:23:31 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.6 | 49732 | 172.67.166.251 | 443 | 7620 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-03-26 17:23:31 UTC | 291 | OUT | |
| 2024-03-26 17:23:31 UTC | 15331 | OUT | |
| 2024-03-26 17:23:31 UTC | 4627 | OUT | |
| 2024-03-26 17:23:32 UTC | 812 | IN | |
| 2024-03-26 17:23:32 UTC | 22 | IN | |
| 2024-03-26 17:23:32 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.6 | 49733 | 172.67.166.251 | 443 | 7620 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-03-26 17:23:33 UTC | 290 | OUT | |
| 2024-03-26 17:23:33 UTC | 5437 | OUT | |
| 2024-03-26 17:23:34 UTC | 814 | IN | |
| 2024-03-26 17:23:34 UTC | 22 | IN | |
| 2024-03-26 17:23:34 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.6 | 49734 | 172.67.166.251 | 443 | 7620 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-03-26 17:23:34 UTC | 290 | OUT | |
| 2024-03-26 17:23:34 UTC | 1409 | OUT | |
| 2024-03-26 17:23:34 UTC | 814 | IN | |
| 2024-03-26 17:23:34 UTC | 22 | IN | |
| 2024-03-26 17:23:34 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.6 | 49735 | 172.67.166.251 | 443 | 7620 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-03-26 17:23:35 UTC | 292 | OUT | |
| 2024-03-26 17:23:35 UTC | 15331 | OUT | |
| 2024-03-26 17:23:35 UTC | 15331 | OUT | |
| 2024-03-26 17:23:35 UTC | 15331 | OUT | |
| 2024-03-26 17:23:35 UTC | 15331 | OUT | |
| 2024-03-26 17:23:35 UTC | 15331 | OUT | |
| 2024-03-26 17:23:35 UTC | 15331 | OUT | |
| 2024-03-26 17:23:35 UTC | 15331 | OUT | |
| 2024-03-26 17:23:35 UTC | 15331 | OUT | |
| 2024-03-26 17:23:35 UTC | 15331 | OUT | |
| 2024-03-26 17:23:35 UTC | 15331 | OUT | |
| 2024-03-26 17:23:37 UTC | 812 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 3 |
| Start time: | 18:23:08 |
| Start date: | 26/03/2024 |
| Path: | C:\Users\user\Desktop\tatuJHXSR4.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff67e2a0000 |
| File size: | 10'470'400 bytes |
| MD5 hash: | 2A5F40E3EE04057E88C8B794FF258FD4 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Go lang |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 6 |
| Start time: | 18:23:25 |
| Start date: | 26/03/2024 |
| Path: | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xe60000 |
| File size: | 231'736 bytes |
| MD5 hash: | A64BEAB5D4516BECA4C40B25DC0C1CD8 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 15.1% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 50.8% |
| Total number of Nodes: | 309 |
| Total number of Limit Nodes: | 12 |
Graph
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00751710 Relevance: 10.6, Strings: 8, Instructions: 616COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00759750 Relevance: 10.4, Strings: 8, Instructions: 420COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00786500 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 142nativememoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00768AC0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 334nativememoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00754750 Relevance: 5.4, Strings: 4, Instructions: 435COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007866E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 146nativememoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00786A40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97nativememoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00768890 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85nativememoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007657B1 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 217encryptionCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00765DA9 Relevance: 2.8, Strings: 2, Instructions: 333COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00783E87 Relevance: 1.5, APIs: 1, Instructions: 28nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00783EE2 Relevance: 1.5, APIs: 1, Instructions: 19nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00783E33 Relevance: 1.5, APIs: 1, Instructions: 17nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00763CF3 Relevance: 1.3, Strings: 1, Instructions: 16COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007667E0 Relevance: .4, Instructions: 428COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0077802C Relevance: .0, Instructions: 19COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0077589C Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 94memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0078342C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00772354 Relevance: 3.6, APIs: 2, Instructions: 630COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00772357 Relevance: 3.6, APIs: 2, Instructions: 604COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0077188A Relevance: 3.6, APIs: 2, Instructions: 585COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00784848 Relevance: 1.6, APIs: 1, Instructions: 83memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00784996 Relevance: 1.6, APIs: 1, Instructions: 59memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00783665 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007852CD Relevance: 1.6, APIs: 1, Instructions: 51memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00781E00 Relevance: 1.5, APIs: 1, Instructions: 47memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00781EE6 Relevance: 1.5, APIs: 1, Instructions: 45memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007804C2 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0078464F Relevance: 1.5, APIs: 1, Instructions: 18libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0076D000 Relevance: 19.9, APIs: 4, Strings: 7, Instructions: 605nativememoryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00759290 Relevance: 15.4, Strings: 12, Instructions: 351COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00769732 Relevance: 14.1, APIs: 9, Instructions: 587nativelibrarymemoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0076902E Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 432nativememoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00787500 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 315nativememoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007662B0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 95nativememoryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007627DB Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 95nativememoryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0078426F Relevance: 6.3, Strings: 5, Instructions: 54COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00786B70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97nativememoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00758FE0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00755300 Relevance: 3.4, Strings: 2, Instructions: 864COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0077697D Relevance: 1.7, APIs: 1, Instructions: 203COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007788D9 Relevance: 1.6, APIs: 1, Instructions: 121COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007718A0 Relevance: 1.5, Strings: 1, Instructions: 295COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00771BC5 Relevance: 1.5, Strings: 1, Instructions: 294COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00756650 Relevance: 1.5, Strings: 1, Instructions: 267COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0076CBF0 Relevance: 1.5, Strings: 1, Instructions: 258COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0076A181 Relevance: 1.3, Strings: 1, Instructions: 74COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00764075 Relevance: 1.3, Strings: 1, Instructions: 44COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00786CA0 Relevance: 1.3, Strings: 1, Instructions: 42COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00784BF0 Relevance: 1.3, Strings: 1, Instructions: 23COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00784C45 Relevance: 1.3, Strings: 1, Instructions: 12COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00757BF0 Relevance: .8, Instructions: 794COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 007532B0 Relevance: .7, Instructions: 703COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00753D10 Relevance: .7, Instructions: 651COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00751000 Relevance: .5, Instructions: 539COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00756070 Relevance: .5, Instructions: 468COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00758820 Relevance: .3, Instructions: 348COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00780010 Relevance: .2, Instructions: 179COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00752CF0 Relevance: .1, Instructions: 148COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00760180 Relevance: .1, Instructions: 123COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00752EA0 Relevance: .1, Instructions: 121COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00764EA3 Relevance: .1, Instructions: 119COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0076F990 Relevance: .1, Instructions: 109COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0076A31D Relevance: .1, Instructions: 103COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00773992 Relevance: .1, Instructions: 98COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0077E570 Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00772FA5 Relevance: .1, Instructions: 61COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0075CD10 Relevance: .0, Instructions: 21COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00764C63 Relevance: .0, Instructions: 13COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00766729 Relevance: .0, Instructions: 10COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |