Windows
Analysis Report
LwnI84BBtb.exe
Overview
General Information
Sample name: | LwnI84BBtb.exe (renamed because the original name is a hash value) |
Original sample name: | 49293c745f0fd48ab2784cad7cc5a0ac.exe |
Analysis ID: | 1429106 |
MD5: | 49293c745f0fd48ab2784cad7cc5a0ac |
SHA1: | 65c11bc045e69bec4e164914b2e2b3bfd2ef12a2 |
SHA256: | 25c3cd7375f5244402a5b407a107266c2c93dcaa6f313d78ad944689a2be184f |
Tags: | 32 exe trojan |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- LwnI84BBtb.exe (PID: 7396, cmdline: "C:\Users\user\Desktop\LwnI84BBtb.exe", MD5: 49293C745F0FD48AB2784CAD7CC5A0AC)
  - WerFault.exe (PID: 7552, cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7396 -s 1568, MD5: C31336C1EFC2CCB44B4326EA793040F2)
  - WerFault.exe (PID: 7624, cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7396 -s 1644, MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup

WerFault.exe is the Windows Error Reporting client; both instances were started with -p 7396, the PID of the sample, so the sample process faulted twice during the run and the behavior recorded below may not cover its full execution.
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | |
{"C2 url": ["demonstationfukewko.shop", "liabilitynighstjsko.shop", "alcojoldwograpciw.shop", "incredibleextedwj.shop", "shortsvelventysjo.shop", "shatterbreathepsw.shop", "tolerateilusidjukl.shop", "productivelookewr.shop", "strollheavengwu.shop"], "Build id": "P6Mk0M--key"}
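The description and the extracted configuration above give two concrete network indicators for this build: the nine C2 domains and the "TeslaBrowser/5.5" user agent on the exfiltration POSTs. The Python below turns them into a check over proxy and resolver logs. It is an added example, not code from the report or from Joe Sandbox, and it goes slightly beyond the page by also matching DNS queries, because the report records the C2 contact as HTTPS traffic, where a passive sensor never sees the request line or the user agent. The two log layouts, the `classify_*`/`scan` helpers and every sample line are constructed assumptions.

```python
"""Turn the indicators this report exposes into a log check: the nine C2
domains from the extracted LummaC2 configuration and the "TeslaBrowser/5.5"
User-Agent the description attributes to Lumma's exfiltration POSTs.

Added example for this page, not code from the report or from Joe Sandbox.
The log formats and every log line below are constructed for illustration.
"""
import json
import re

# Configuration exactly as the report prints it.
LUMMA_CONFIG = json.loads(
    '{"C2 url": ["demonstationfukewko.shop", "liabilitynighstjsko.shop", '
    '"alcojoldwograpciw.shop", "incredibleextedwj.shop", "shortsvelventysjo.shop", '
    '"shatterbreathepsw.shop", "tolerateilusidjukl.shop", "productivelookewr.shop", '
    '"strollheavengwu.shop"], "Build id": "P6Mk0M--key"}'
)
C2_DOMAINS = frozenset(d.lower() for d in LUMMA_CONFIG["C2 url"])
LUMMA_USER_AGENT = "TeslaBrowser/5.5"

# Assumed proxy log layout: <ts> <client> "<METHOD> <url> <proto>" <status> "<ua>"
PROXY_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
# Assumed resolver log layout: <ts> <client> query <type> <name>
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query (?P<qtype>[A-Z]+) (?P<name>\S+)$")


def host_of(url):
    """Host part of an absolute URL, lower-cased, or None."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else None


def c2_match(host):
    """Return the configured C2 domain that host equals or is a subdomain of."""
    parts = host.lower().rstrip(".").split(".")
    for i in range(len(parts) - 1):          # never test the bare TLD
        candidate = ".".join(parts[i:])
        if candidate in C2_DOMAINS:
            return candidate
    return None


def classify_proxy(line):
    """Reasons a proxy log line matches the Lumma indicators ([] if none)."""
    m = PROXY_RE.match(line)
    if not m:
        return []
    reasons = []
    host = host_of(m["url"])
    hit = c2_match(host) if host else None
    if hit:
        reasons.append(f"c2-domain:{hit}")
    if m["ua"] == LUMMA_USER_AGENT:
        reasons.append("lumma-user-agent")
    # The description says stolen data leaves via HTTP POST; flag that shape.
    if reasons and m["method"] == "POST":
        reasons.append("post-exfil")
    return reasons


def classify_dns(line):
    """Reasons a resolver log line matches ([] if none); the C2 is reached over
    HTTPS, so the DNS lookup is usually the first visible event."""
    m = DNS_RE.match(line)
    if not m:
        return []
    hit = c2_match(m["name"])
    return [f"c2-domain:{hit}"] if hit else []


def scan(lines):
    """Pair every matching line with its reasons, trying both layouts."""
    out = []
    for line in lines:
        reasons = classify_proxy(line) or classify_dns(line)
        if reasons:
            out.append((line, reasons))
    return out


# Constructed sample input (not from the sandbox run).
SAMPLE_LOG = [
    '2024-04-17T10:00:01Z 10.0.0.5 "GET https://www.example.com/ HTTP/1.1" 200 "Mozilla/5.0"',
    "2024-04-17T10:00:04Z 10.0.0.5 query A strollheavengwu.shop",
    '2024-04-17T10:00:05Z 10.0.0.5 "POST https://strollheavengwu.shop/api HTTP/1.1" 200 "TeslaBrowser/5.5"',
    '2024-04-17T10:00:09Z 10.0.0.7 "GET https://cdn.shortsvelventysjo.shop/x HTTP/1.1" 404 "Mozilla/5.0"',
    '2024-04-17T10:00:12Z 10.0.0.9 "POST https://updates.example.org/ HTTP/1.1" 200 "TeslaBrowser/5.5"',
    "2024-04-17T10:00:15Z 10.0.0.9 query A mail.example.org",
]

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG):
        print(", ".join(reasons), "<-", line)
```

Treat the user agent as corroboration rather than a verdict: any client can send it and the string can change between builds, while the domain list is specific to this sample's configuration and should be refreshed from newer extractions. On an intercepting proxy the full POST and user agent are visible; otherwise the DNS query (or the TLS SNI, to which the same `c2_match` can be applied) is the event to alert on.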
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
Windows_Trojan_Smokeloader_3687686f | unknown | unknown |
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | Virustotal: | Perma Link (3 entries) |
Source: | Joe Sandbox ML: |
Source: | String decryptor: | (15 entries) |
Source: | Code function: | 0_2_004162D6 |
Compliance |
---|
Source: | Unpacked PE file: |
Source: | Static PE information: |
Source: | File opened: |
Source: | HTTPS traffic detected: | (8 entries) |
Source: | Binary string: | (2 entries) |
Source: | File opened: | (6 entries) |
Source: | Code function: | 0_2_0043B3B0, 0_2_00410565, 0_2_004156B6, 0_2_00438879, 0_2_00437998, 0_2_00435B8B, 0_2_0041CC60, 0_2_0043AE80, 0_2_0041AFE0, 0_2_0043B060, 0_2_00426097, 0_2_0040D160, 0_2_0041210C, 0_2_0041B1E0, 0_2_0043A182, 0_2_0043A190, 0_2_004222E7, 0_2_004222ED, 0_2_00439389, 0_2_00422422, 0_2_004134B2, 0_2_0043A5D0, 0_2_004245D4, 0_2_00424678, 0_2_004245A8, 0_2_0043B6A0, 0_2_004088F0, 0_2_0043B9D0, 0_2_004069B4, 0_2_00417A65, 0_2_00417A1A, 0_2_0041DB22, 0_2_00407C70, 0_2_00437D40, 0_2_0043AD70, 0_2_00410D77, 0_2_00402D10, 0_2_00412E93, 0_2_00438F6A, 0_2_00414FC0, 0_2_00431F80, 0_2_03662373, 0_2_0368A3E9, 0_2_0368A3F7, 0_2_0365D3C7, 0_2_0366B247, 0_2_03665227, 0_2_036762FE, 0_2_0368B2C7, 0_2_036821E7, 0_2_036891D1, 0_2_0368B0E7, 0_2_036630FA, 0_2_03663719, 0_2_036607CC, 0_2_0368B617, 0_2_03672689, 0_2_0367254E, 0_2_03672554, 0_2_036895F0, 0_2_0366B447, 0_2_03658B57, 0_2_03687BFF, 0_2_0366DA12, 0_2_03688AE0, 0_2_0367480F, 0_2_0368B907, 0_2_0366B917, 0_2_0366591D, 0_2_0367483B, 0_2_0368A837, 0_2_036748DF, 0_2_03652F77, 0_2_03660FDE, 0_2_0368AFD7, 0_2_03687FA7, 0_2_0366CEC7, 0_2_03657ED7, 0_2_03685DF2, 0_2_0368BC37, 0_2_03667CCC, 0_2_03667C81 |
Networking |
---|
Source: | URLs: | (9 entries) |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | HTTP traffic detected: | (8 entries) |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | (39 entries) |
Source: | Network traffic detected: | (16 entries) |
Source: | HTTPS traffic detected: | (8 entries) |
Source: | Code function: | 0_2_0042D8F0 |
Source: | Code function: | 0_2_0042D8F0 |
System Summary |
---|
Source: | Matched rule: | (2 entries) |
Source: | Code function: | 0_2_00421370, 0_2_004046D0, 0_2_00420C42, 0_2_00406030, 0_2_00421090, 0_2_00426097, 0_2_00410140, 0_2_00426148, 0_2_004261C3, 0_2_004261D5, 0_2_00403492, 0_2_00405567, 0_2_004365C0, 0_2_004065F0, 0_2_00403670, 0_2_0043B6A0, 0_2_0040581F, 0_2_00433950, 0_2_0043B9D0, 0_2_004069B4, 0_2_00405B18, 0_2_0041DB22, 0_2_00407C70, 0_2_00403CEF, 0_2_00402EC0, 0_2_036603A7, 0_2_036763AF, 0_2_036762FE, 0_2_03656297, 0_2_03653127, 0_2_03653517, 0_2_036715D7, 0_2_036555DB, 0_2_0367642A, 0_2_0367643C, 0_2_03683BB7, 0_2_03654937, 0_2_0368B907, 0_2_03686827, 0_2_03653F47, 0_2_03657ED7, 0_2_0368BC37 |
Source: | Process created: |
Source: | Binary or memory string: | (2 entries) |
Source: | Static PE information: |
Source: | Matched rule: | (2 entries) |
Source: | Classification label: |
Source: | Code function: | 0_2_01A4F5C6 |
Source: | Code function: | 0_2_004286B8 |
Source: | Mutant created: |
Source: | File created: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Binary or memory string: |
Source: | Virustotal: |
Source: | File read: |
Source: | Process created: | (3 entries) |
Source: | Section loaded: | (39 entries) |
Source: | File opened: |
Source: | Static PE information: |
Source: | Binary string: | (2 entries) |
Data Obfuscation |
---|
Source: | Unpacked PE file: |
Source: | Unpacked PE file: |
Source: | Code function: | 0_2_01A550F4, 0_2_01A550ED |
Source: | Process information set: | (113 entries) |
Malware Analysis System Evasion |
---|
Source: | System information queried: |
Source: | Thread sleep time: | (2 entries) |
Source: | File opened: | (6 entries) |
Source: | Binary or memory string: | (30 entries) |
Source: | Process information queried: |
Source: | Code function: | 0_2_00435C40 |
Source: | Code function: | 0_2_01A4EEA3, 0_2_0365092B, 0_2_03650D90 |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | String found in binary or memory: | (9 entries) |
Source: | Queries volume information: | (7 entries) |
Source: | Key value queried: |
Source: | Binary or memory string: | (6 entries) |
Source: | WMI Queries: |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | Directory queried: | Jump to behavior | ||
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 11 Virtualization/Sandbox Evasion | 1 OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 31 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | 2 Clipboard Data | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 11 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Software Packing | LSA Secrets | 12 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
41% | Virustotal | Browse | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
1% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
1% | Virustotal | Browse | ||
1% | Virustotal | Browse | ||
1% | Virustotal | Browse | ||
11% | Virustotal | Browse | ||
1% | Virustotal | Browse | ||
1% | Virustotal | Browse | ||
1% | Virustotal | Browse | ||
1% | Virustotal | Browse | ||
1% | Virustotal | Browse | ||
1% | Virustotal | Browse | ||
11% | Virustotal | Browse | ||
1% | Virustotal | Browse |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
strollheavengwu.shop | 104.21.15.198 | true | true | | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true | | unknown |
true | | unknown |
true | | unknown |
true | | unknown |
false | | unknown |
true | | unknown |
true | | unknown |
true | | unknown |
true | | unknown |
true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | unknown | |||
false | high | |||
false | unknown | |||
false | high | |||
false | high | |||
false | high | |||
false | unknown | |||
false | unknown | |||
false | high | |||
false | high | |||
false | unknown | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | unknown | |||
false | unknown | |||
false | high | |||
false | unknown | |||
false | unknown | |||
false | high | |||
false | high | |||
false | unknown | |||
false | high | |||
false | unknown | |||
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
104.21.15.198 | strollheavengwu.shop | United States | | 13335 | CLOUDFLARENETUS | true |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1429106 |
Start date and time: | 2024-04-20 22:06:06 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 24s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 10 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | LwnI84BBtb.exerenamed because original name is a hash value |
Original Sample Name: | 49293c745f0fd48ab2784cad7cc5a0ac.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@3/9@1/1 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.189.173.21
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
- HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenFile calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
22:06:57 | API Interceptor | |
22:07:22 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
104.21.15.198 | | Get hash | malicious | LummaC | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
strollheavengwu.shop | | Get hash | malicious | LummaC | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CLOUDFLARENETUS | | Get hash | malicious | Blank Grabber, Njrat, Umbral Stealer | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | RisePro Stealer | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | RisePro Stealer | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC, DarkTortilla, LummaC Stealer, PureLog Stealer, RedLine, zgRAT | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | RisePro Stealer | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | RisePro Stealer | Browse | |
| | Get hash | malicious | Remcos, DBatLoader | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | LummaC, DarkTortilla, LummaC Stealer, PureLog Stealer, RedLine, zgRAT | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_LwnI84BBtb.exe_1ea81470fde93d5ba9982c97d6c51c12dc70cc0_19912bd0_209de206-4fdf-4734-8956-4504ba2af95f\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 1.0018866717565438 |
Encrypted: | false |
SSDEEP: | 192:5OIO0jAL/AQ04DmIwsOoTjldFPzuiFVZ24IO8QF9:xNAjAr4Dm9sBjlzuiFVY4IO8a |
MD5: | 306E291584A39DC703555859AB08CC00 |
SHA1: | C7402A8235BDAE7A94E378A6C31CA7B1289FB0F7 |
SHA-256: | 19DEBEFB6BD525DE9AB3357709CC4E21A4C82676CFA98D5B7BC71246F3FD442D |
SHA-512: | 770EA2704695ADA249DAD55C5C594F570E032D8747FD76CF32980C56A3C52C0683ECE9F89BFA321A8D48AFE126CEEF9BA9080B48FC4B46D1930B9E3A22E03AA6 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_LwnI84BBtb.exe_e664834b6db86c663fd972c4efd7b7dd6c8b6a_19912bd0_6bfa8470-f327-4b11-9581-4a8c6cf91f20\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.9923492421283597 |
Encrypted: | false |
SSDEEP: | 192:SiAIO0jnL/lXb0U7vCoTjldFPzuiF1Z24IO8QF9:zNnjVoU7vVjlzuiF1Y4IO8a |
MD5: | 0782158DE2D9CF3376F06224A4EDEBF5 |
SHA1: | F1957281891FE1A62A21974C4026CE955DF6D5A4 |
SHA-256: | 68A9B7FDBA291C9647F0C415D8AD914E9C4F813FF33700CDD26D314124E9BB4D |
SHA-512: | E4E29B4962266126AF6FD09DFE15F4C9D6A3AE3CFEFACE37ECD31B1B71F14FCF7D564B9E3CF6191FC8FD1157CCBC8744834F37E1BCED3FF0CFA5355047E16916 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 53982 |
Entropy (8bit): | 2.6511634522482264 |
Encrypted: | false |
SSDEEP: | 384:NXlvb8nyjbBv8wQvfN/Qo4jolslzLEQsj:tlAsbBUjfN/Q/Uyej |
MD5: | BB3037356647F8F7F3A93CE46BE8A59C |
SHA1: | B1DF2818EE2FD040E5AF4485371D58E253600EBE |
SHA-256: | E56346731DF718DB6170D5951CC0E764BB162938CC608381E6A63B3416E07C4A |
SHA-512: | DB784689269ED4391F4C89F69390EF4979E094D3649E98D9FA59BA5C540F5B0DEECDC581598AC19346B899BFB490FD93573FF5F704D3A548FA2F20EF7E32EFC2 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8410 |
Entropy (8bit): | 3.6929738404547776 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJNeu6Y16Y9hSUoBjgmfmRW7pND89bDv21fp5/m:R6lXJV6Y16YrSUoFgmf5UDvMfn+ |
MD5: | DEED6A7AD751BFF9FB3933F57B96BE09 |
SHA1: | 7512F3F2BA23F66B6087D6E043C02B2099263B58 |
SHA-256: | 57C250962AEBFBF59BFFDC63974A30236DB8A014C5366DE51716CDACA78A90EE |
SHA-512: | 8C8273AF6D3EE169BEA7CEFDC4433F62AE86066D0B612BF8F72AD8FA72B744D4262EF8772A4439378317C05568421F35B064B5BF9F631DA354A144ACCE8A52C4 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4684 |
Entropy (8bit): | 4.450358073665631 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsHJg77aI91qWpW8VYUYm8M4JKN5CFJ1+q8vXN5sGpgJ4md:uIjfpI7fL7VIJKHS1KXHsfJ4md |
MD5: | E90C292C817C23F09C7BC61445F452F1 |
SHA1: | 59A04FE650083893FF16161A58AAE3221BDF6714 |
SHA-256: | 996FA0D2458982548EBCA464F6B67418EC17DF4EF98B49B294946287EBB094D6 |
SHA-512: | B2E824BFDA8864A45375225FE1286C500428D4E4465AFFD6B34ACABBEA0AF7A71BA610BABE846DB327AEAE6AE7B3261F6E8E145EF997F8D51FDFBF64656207BE |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1085334 |
Entropy (8bit): | 1.067144023149537 |
Encrypted: | false |
SSDEEP: | 3072:u/NT2n4tPGmTebUHoz8glAH7EHI7PTyXo/5HXhHxds01:uBtPacoz8glAH7AI/yXihHfP1 |
MD5: | F198C72B73E983CCF8F8F5BB3CF48DBA |
SHA1: | 6CB29F5F6157CFBD60DC2618C23CD6B53D36255D |
SHA-256: | DE8E7768666F9F7FC59BB4597B01645130EC633D82DF904D52E1574122790B91 |
SHA-512: | 86E7E0E002B7F97AB2CEEA04C3C6D90269B11BBD2A3782A15EB3E3F437678FE7E055156120AD28CABCA57581E32309CF0A0F6BBC748DA56F73B9CCEBED44A6FE |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8440 |
Entropy (8bit): | 3.6974857177660923 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJNexq6Yt6Y9BSUokjgmfmEz6cI4pDP89bD4bWsfg54jm:R6lXJiq6Yt6YLSUoggmf5z6cAD4b1f6J |
MD5: | B9DCA74D5DA9A1D9DFE7DA84460FBEB3 |
SHA1: | F01C7610FC4E35DE47E4EADFBF7ADAAF5D7AF046 |
SHA-256: | 181B3A038C36F8C2668C627193A989BAB5DC2B07099BACE27FE13EF14C34FA43 |
SHA-512: | 495F56FAD745F73D36C8C935CC4B62762816F878C9A686251E0495467D2253B3225CB9E594B932B467F8572ABFF9FE6EE97721BBFABD916DF91A07F1A9721636 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4726 |
Entropy (8bit): | 4.481108623569315 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsHJg77aI91qWpW8VYYPYm8M4JKNOrQO3FKmv+q8vXNOrQOtGpgJ43d:uIjfpI7fL7VRSJKGQlmvKXGQ2fJ43d |
MD5: | 774F69B19A9CCF36565A3BF600CD4746 |
SHA1: | 871D0C93AE8D2ADBAA3F0E2A43A8477B673403E4 |
SHA-256: | 394529242DC0A38CEFC7AC290294BF43082AD560803C0C5ADBC94DF81CAC53B2 |
SHA-512: | B9F8092CB34D234FB93B1763B4167BCAA637931FDE95DEE8CC27D21EE4E10B96456A640789DA9D8EAB0A92BD806442366454BF2DEB793CC496856F9BB5779867 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1835008 |
Entropy (8bit): | 4.465397250245093 |
Encrypted: | false |
SSDEEP: | 6144:0IXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNddwBCswSbN:JXD94+WlLZMM6YFHr+N |
MD5: | 2AB80D9D594A587E6E42D21C8D844A7A |
SHA1: | DD0A50B674B6B001A5C34782ABF652E20B4D2A5A |
SHA-256: | 86125B392CF0E8B70723021E18AADACA842EE47231F4B888A9218A099750BDBC |
SHA-512: | 872C9578B5E6C062540F732C4FF8542B3A1623A523BC7AF9FE25F08349AC5C043C57350D05D1FA493D9D80387AC12DF277A6D6636B0E422D58855ECB7FD5B3DD |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 6.853160286288826 |
TrID: | |
File name: | LwnI84BBtb.exe |
File size: | 406'528 bytes |
MD5: | 49293c745f0fd48ab2784cad7cc5a0ac |
SHA1: | 65c11bc045e69bec4e164914b2e2b3bfd2ef12a2 |
SHA256: | 25c3cd7375f5244402a5b407a107266c2c93dcaa6f313d78ad944689a2be184f |
SHA512: | c99c956c53543773adfb21105ff86ae1793c376075d096ec7a77828b0b004b9a88f458ce2c31def266eef91fb153c71ad87f7aa87985cf86e49af9215bc70316 |
SSDEEP: | 6144:K4E8f5SKo6pmUJFMeZj0nGa4jDmePeGchyU7UvAg6LzsA:K78f5w6pFF3oGPPQ7Uaz1 |
TLSH: | DD848C0372E1BC66E56247328F5E9AEC372DF8614E15BB5F2248AE2F28701B1D637711 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................W.......h.Q.....i.....................e-m.......S.....e-V.....Rich....................PE..L...@..d........... |
Icon Hash: | 432551414d55510d |
Entrypoint: | 0x403d77 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | TERMINAL_SERVER_AWARE |
Time Stamp: | 0x64BFBC40 [Tue Jul 25 12:12:48 2023 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | deee2f3ec985195fc99175dfed532c7c |
Instruction |
---|
call 00007FB43D351888h |
jmp 00007FB43D34A455h |
push 00000014h |
push 004177F0h |
call 00007FB43D34EA78h |
call 00007FB43D351A59h |
movzx esi, ax |
push 00000002h |
call 00007FB43D35181Bh |
pop ecx |
mov eax, 00005A4Dh |
cmp word ptr [00400000h], ax |
je 00007FB43D34A456h |
xor ebx, ebx |
jmp 00007FB43D34A485h |
mov eax, dword ptr [0040003Ch] |
cmp dword ptr [eax+00400000h], 00004550h |
jne 00007FB43D34A43Dh |
mov ecx, 0000010Bh |
cmp word ptr [eax+00400018h], cx |
jne 00007FB43D34A42Fh |
xor ebx, ebx |
cmp dword ptr [eax+00400074h], 0Eh |
jbe 00007FB43D34A45Bh |
cmp dword ptr [eax+004000E8h], ebx |
setne bl |
mov dword ptr [ebp-1Ch], ebx |
call 00007FB43D34E26Eh |
test eax, eax |
jne 00007FB43D34A45Ah |
push 0000001Ch |
call 00007FB43D34A531h |
pop ecx |
call 00007FB43D34DA30h |
test eax, eax |
jne 00007FB43D34A45Ah |
push 00000010h |
call 00007FB43D34A520h |
pop ecx |
call 00007FB43D351894h |
and dword ptr [ebp-04h], 00000000h |
call 00007FB43D35090Dh |
test eax, eax |
jns 00007FB43D34A45Ah |
push 0000001Bh |
call 00007FB43D34A506h |
pop ecx |
call dword ptr [004110C8h] |
mov dword ptr [01A14E80h], eax |
call 00007FB43D3518AFh |
mov dword ptr [0044CDCCh], eax |
call 00007FB43D351252h |
test eax, eax |
jns 00007FB43D34A45Ah |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x17c44 | 0x78 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1615000 | 0x17c00 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x11210 | 0x38 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x17178 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x11000 | 0x19c | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xfec5 | 0x10000 | c7d5c14e347f555af284966d3887f38f | False | 0.604034423828125 | data | 6.7072054579447755 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x11000 | 0x75d0 | 0x7600 | 075370d77a13d93e84cafb668839f1a3 | False | 0.3941009004237288 | data | 4.941145593266466 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x19000 | 0x15fbe84 | 0x33e00 | a8fab69814f0b8856893cec71ea5de23 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x1615000 | 0x17c00 | 0x17c00 | 5a8350554404b4c58677b1f3fac55ce6 | False | 0.3187705592105263 | data | 4.147489583276286 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_CURSOR | 0x1627ae0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.26439232409381663 |
RT_CURSOR | 0x1628988 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.3686823104693141 |
RT_CURSOR | 0x1629230 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.49060693641618497 |
RT_CURSOR | 0x16297c8 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.4375 |
RT_CURSOR | 0x16298f8 | 0xb0 | Device independent bitmap graphic, 16 x 32 x 1, image size 0 | | | 0.44886363636363635 |
RT_CURSOR | 0x16299d0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.27238805970149255 |
RT_CURSOR | 0x162a878 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.375 |
RT_CURSOR | 0x162b120 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.5057803468208093 |
RT_ICON | 0x16158d0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Romanian | Romania | 0.41359447004608296 |
RT_ICON | 0x1615f98 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Romanian | Romania | 0.16524896265560166 |
RT_ICON | 0x1618540 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Romanian | Romania | 0.2154255319148936 |
RT_ICON | 0x16189d8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Romanian | Romania | 0.41359447004608296 |
RT_ICON | 0x16190a0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Romanian | Romania | 0.16524896265560166 |
RT_ICON | 0x161b648 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Romanian | Romania | 0.2154255319148936 |
RT_ICON | 0x161bae0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Romanian | Romania | 0.37100213219616207 |
RT_ICON | 0x161c988 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Romanian | Romania | 0.45306859205776173 |
RT_ICON | 0x161d230 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Romanian | Romania | 0.4619815668202765 |
RT_ICON | 0x161d8f8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Romanian | Romania | 0.45664739884393063 |
RT_ICON | 0x161de60 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Romanian | Romania | 0.2691908713692946 |
RT_ICON | 0x1620408 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Romanian | Romania | 0.3062851782363977 |
RT_ICON | 0x16214b0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Romanian | Romania | 0.350177304964539 |
RT_ICON | 0x1621980 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Romanian | Romania | 0.5666311300639659 |
RT_ICON | 0x1622828 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Romanian | Romania | 0.5473826714801444 |
RT_ICON | 0x16230d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Romanian | Romania | 0.6184971098265896 |
RT_ICON | 0x1623638 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Romanian | Romania | 0.46524896265560167 |
RT_ICON | 0x1625be0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Romanian | Romania | 0.48897748592870544 |
RT_ICON | 0x1626c88 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Romanian | Romania | 0.49631147540983606 |
RT_ICON | 0x1627610 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Romanian | Romania | 0.4512411347517731 |
RT_DIALOG | 0x162b8a8 | 0x52 | data | | | 0.8780487804878049 |
RT_STRING | 0x162b900 | 0x3d2 | data | Romanian | Romania | 0.4539877300613497 |
RT_STRING | 0x162bcd8 | 0x32a | data | Romanian | Romania | 0.47901234567901235 |
RT_STRING | 0x162c008 | 0x1a8 | data | Romanian | Romania | 0.49528301886792453 |
RT_STRING | 0x162c1b0 | 0x30a | data | Romanian | Romania | 0.47429305912596403 |
RT_STRING | 0x162c4c0 | 0x534 | data | Romanian | Romania | 0.44744744744744747 |
RT_STRING | 0x162c9f8 | 0x208 | data | Romanian | Romania | 0.5038461538461538 |
RT_GROUP_CURSOR | 0x1629798 | 0x30 | data | | | 0.9375 |
RT_GROUP_CURSOR | 0x16299a8 | 0x22 | data | | | 1.0588235294117647 |
RT_GROUP_CURSOR | 0x162b688 | 0x30 | data | | | 0.9375 |
RT_GROUP_ICON | 0x1627a78 | 0x68 | data | Romanian | Romania | 0.7115384615384616 |
RT_GROUP_ICON | 0x16189a8 | 0x30 | data | Romanian | Romania | 0.9375 |
RT_GROUP_ICON | 0x1621918 | 0x68 | data | Romanian | Romania | 0.7115384615384616 |
RT_GROUP_ICON | 0x161bab0 | 0x30 | data | Romanian | Romania | 1.0 |
RT_VERSION | 0x162b6b8 | 0x1ec | data | | | 0.5386178861788617 |
DLL | Import |
---|---|
KERNEL32.dll | LocalCompact, GetUserDefaultLCID, AddConsoleAliasW, CreateHardLinkA, GetTickCount, GetWindowsDirectoryA, EnumTimeFormatsW, FindResourceExA, GetVolumeInformationA, LoadLibraryW, ReadConsoleInputA, CopyFileW, WriteConsoleW, GetCompressedFileSizeA, GetTempPathW, SetThreadLocale, GetLastError, SetLastError, GetProcAddress, GetLocaleInfoA, CreateTimerQueueTimer, SetStdHandle, SetFileAttributesA, WriteConsoleA, InterlockedExchangeAdd, LocalAlloc, SetCalendarInfoW, GetExitCodeThread, RemoveDirectoryW, AddAtomA, GlobalFindAtomW, GetModuleFileNameA, GetOEMCP, GlobalUnWire, LoadLibraryExA, AddConsoleAliasA, OutputDebugStringW, GetComputerNameA, FindFirstChangeNotificationW, GetSystemDefaultLangID, FlushFileBuffers, GetConsoleMode, HeapFree, EncodePointer, DecodePointer, IsProcessorFeaturePresent, GetCommandLineA, RaiseException, RtlUnwind, IsValidCodePage, GetACP, GetCPInfo, GetCurrentThreadId, IsDebuggerPresent, GetProcessHeap, ExitProcess, GetModuleHandleExW, MultiByteToWideChar, WideCharToMultiByte, HeapSize, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, GetFileType, DeleteCriticalSection, GetStartupInfoW, CloseHandle, HeapAlloc, WriteFile, GetModuleFileNameW, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, GetStringTypeW, LoadLibraryExW, HeapReAlloc, ReadFile, SetFilePointerEx, LCMapStringW, GetConsoleCP, CreateFileW |
USER32.dll | GetMenuItemID |
GDI32.dll | GetCharacterPlacementW |
ADVAPI32.dll | DeregisterEventSource |
WINHTTP.dll | WinHttpConnect |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Romanian | Romania |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 20, 2024 22:07:00.681247950 CEST | 49733 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:00.681675911 CEST | 49733 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:00.681705952 CEST | 443 | 49733 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:00.906430960 CEST | 443 | 49733 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:00.906666994 CEST | 49733 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:00.908499002 CEST | 49733 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:00.908516884 CEST | 443 | 49733 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:00.909048080 CEST | 443 | 49733 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:00.910222054 CEST | 49733 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:00.910375118 CEST | 49733 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:00.910418987 CEST | 443 | 49733 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:01.438627005 CEST | 443 | 49733 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:01.438898087 CEST | 443 | 49733 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:01.439039946 CEST | 49733 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:01.442152977 CEST | 49733 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:01.442205906 CEST | 443 | 49733 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:01.610970020 CEST | 49734 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:01.611012936 CEST | 443 | 49734 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:01.611207962 CEST | 49734 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:01.611701012 CEST | 49734 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:01.611715078 CEST | 443 | 49734 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:01.836942911 CEST | 443 | 49734 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:01.837135077 CEST | 49734 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:01.838803053 CEST | 49734 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:01.838809967 CEST | 443 | 49734 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:01.839128017 CEST | 443 | 49734 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:01.840225935 CEST | 49734 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:01.840372086 CEST | 49734 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:01.840408087 CEST | 443 | 49734 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:01.840503931 CEST | 49734 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:01.840512037 CEST | 443 | 49734 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:02.445250988 CEST | 443 | 49734 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:02.445508957 CEST | 443 | 49734 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:02.445600033 CEST | 49734 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:02.452986956 CEST | 49734 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:02.453011990 CEST | 443 | 49734 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:02.659068108 CEST | 49735 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:02.659142017 CEST | 443 | 49735 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:02.659226894 CEST | 49735 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:02.659588099 CEST | 49735 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:02.659632921 CEST | 443 | 49735 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:02.885277987 CEST | 443 | 49735 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:02.885404110 CEST | 49735 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:02.886605024 CEST | 49735 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:02.886621952 CEST | 443 | 49735 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:02.887118101 CEST | 443 | 49735 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:02.888267994 CEST | 49735 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:02.888366938 CEST | 49735 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:02.888422966 CEST | 443 | 49735 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:03.409410000 CEST | 443 | 49735 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:03.409676075 CEST | 49735 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:03.409699917 CEST | 443 | 49735 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:03.409758091 CEST | 49735 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:03.492305040 CEST | 49736 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:03.492340088 CEST | 443 | 49736 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:03.492428064 CEST | 49736 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:03.492717028 CEST | 49736 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:03.492732048 CEST | 443 | 49736 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:03.723784924 CEST | 443 | 49736 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:03.723861933 CEST | 49736 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:03.725244999 CEST | 49736 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:03.725255013 CEST | 443 | 49736 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:03.725745916 CEST | 443 | 49736 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:03.726933002 CEST | 49736 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:03.727018118 CEST | 49736 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:03.727021933 CEST | 443 | 49736 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:04.248038054 CEST | 443 | 49736 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:04.248320103 CEST | 443 | 49736 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:04.248613119 CEST | 49736 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:04.248613119 CEST | 49736 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:04.673290014 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:04.673394918 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:04.673531055 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:04.673974991 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:04.674010038 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:04.903810024 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:04.903893948 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:04.905314922 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:04.905333996 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:04.905782938 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:04.906878948 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:04.907520056 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:04.907561064 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:04.907691956 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:04.907728910 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:04.907860994 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:04.907984018 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:04.908139944 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:04.908169985 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:04.908338070 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:04.908366919 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:04.908564091 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:04.908597946 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:04.908685923 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:04.908874035 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:04.908921003 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:04.909003973 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:04.909183025 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:04.909240961 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:04.909256935 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:04.952143908 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:04.952388048 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:04.952442884 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:04.996151924 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:04.996288061 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:05.040153980 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:05.118247032 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:05.118390083 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:05.118491888 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:05.159781933 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:05.224684000 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:06.482014894 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:06.482297897 CEST | 443 | 49737 | 104.21.15.198 | 192.168.2.4 |
Apr 20, 2024 22:07:06.482348919 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
Apr 20, 2024 22:07:06.482404947 CEST | 49737 | 443 | 192.168.2.4 | 104.21.15.198 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 20, 2024 22:06:57.963877916 CEST | 59674 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 20, 2024 22:06:58.102309942 CEST | 53 | 59674 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Apr 20, 2024 22:06:57.963877916 CEST | 192.168.2.4 | 1.1.1.1 | 0x1dec | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Apr 20, 2024 22:06:58.102309942 CEST | 1.1.1.1 | 192.168.2.4 | 0x1dec | No error (0) | | | 104.21.15.198 | A (IP address) | IN (0x0001) | false |
Apr 20, 2024 22:06:58.102309942 CEST | 1.1.1.1 | 192.168.2.4 | 0x1dec | No error (0) | | | 172.67.163.209 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.4 | 49730 | 104.21.15.198 | 443 | 7396 | C:\Users\user\Desktop\LwnI84BBtb.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-04-20 20:06:58 UTC | 267 | OUT | |
2024-04-20 20:06:58 UTC | 8 | OUT | |
2024-04-20 20:06:58 UTC | 808 | IN | |
2024-04-20 20:06:58 UTC | 7 | IN | |
2024-04-20 20:06:58 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.4 | 49731 | 104.21.15.198 | 443 | 7396 | C:\Users\user\Desktop\LwnI84BBtb.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-04-20 20:06:59 UTC | 268 | OUT | |
2024-04-20 20:06:59 UTC | 52 | OUT | |
2024-04-20 20:06:59 UTC | 804 | IN | |
2024-04-20 20:06:59 UTC | 565 | IN | |
2024-04-20 20:06:59 UTC | 1369 | IN | |
2024-04-20 20:06:59 UTC | 1369 | IN | |
2024-04-20 20:06:59 UTC | 1369 | IN | |
2024-04-20 20:06:59 UTC | 955 | IN | |
2024-04-20 20:06:59 UTC | 1369 | IN | |
2024-04-20 20:06:59 UTC | 1369 | IN | |
2024-04-20 20:06:59 UTC | 1369 | IN | |
2024-04-20 20:06:59 UTC | 1369 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.4 | 49732 | 104.21.15.198 | 443 | 7396 | C:\Users\user\Desktop\LwnI84BBtb.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-04-20 20:07:00 UTC | 286 | OUT | |
2024-04-20 20:07:00 UTC | 15331 | OUT | |
2024-04-20 20:07:00 UTC | 2830 | OUT | |
2024-04-20 20:07:00 UTC | 812 | IN | |
2024-04-20 20:07:00 UTC | 20 | IN | |
2024-04-20 20:07:00 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.4 | 49733 | 104.21.15.198 | 443 | 7396 | C:\Users\user\Desktop\LwnI84BBtb.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-04-20 20:07:00 UTC | 285 | OUT | |
2024-04-20 20:07:00 UTC | 8782 | OUT | |
2024-04-20 20:07:01 UTC | 806 | IN | |
2024-04-20 20:07:01 UTC | 20 | IN | |
2024-04-20 20:07:01 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.4 | 49734 | 104.21.15.198 | 443 | 7396 | C:\Users\user\Desktop\LwnI84BBtb.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-04-20 20:07:01 UTC | 286 | OUT | |
2024-04-20 20:07:01 UTC | 15331 | OUT | |
2024-04-20 20:07:01 UTC | 5104 | OUT | |
2024-04-20 20:07:02 UTC | 808 | IN | |
2024-04-20 20:07:02 UTC | 20 | IN | |
2024-04-20 20:07:02 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.4 | 49735 | 104.21.15.198 | 443 | 7396 | C:\Users\user\Desktop\LwnI84BBtb.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-04-20 20:07:02 UTC | 285 | OUT | |
2024-04-20 20:07:02 UTC | 3792 | OUT | |
2024-04-20 20:07:03 UTC | 812 | IN | |
2024-04-20 20:07:03 UTC | 20 | IN | |
2024-04-20 20:07:03 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.4 | 49736 | 104.21.15.198 | 443 | 7396 | C:\Users\user\Desktop\LwnI84BBtb.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-04-20 20:07:03 UTC | 285 | OUT | |
2024-04-20 20:07:03 UTC | 1391 | OUT | |
2024-04-20 20:07:04 UTC | 814 | IN | |
2024-04-20 20:07:04 UTC | 20 | IN | |
2024-04-20 20:07:04 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.4 | 49737 | 104.21.15.198 | 443 | 7396 | C:\Users\user\Desktop\LwnI84BBtb.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-04-20 20:07:04 UTC | 287 | OUT | |
2024-04-20 20:07:04 UTC | 15331 | OUT | |
2024-04-20 20:07:04 UTC | 15331 | OUT | |
2024-04-20 20:07:04 UTC | 15331 | OUT | |
2024-04-20 20:07:04 UTC | 15331 | OUT | |
2024-04-20 20:07:04 UTC | 15331 | OUT | |
2024-04-20 20:07:04 UTC | 15331 | OUT | |
2024-04-20 20:07:04 UTC | 15331 | OUT | |
2024-04-20 20:07:04 UTC | 15331 | OUT | |
2024-04-20 20:07:04 UTC | 15331 | OUT | |
2024-04-20 20:07:04 UTC | 15331 | OUT | |
2024-04-20 20:07:06 UTC | 816 | IN |
Target ID: | 0 |
Start time: | 22:06:56 |
Start date: | 20/04/2024 |
Path: | C:\Users\user\Desktop\LwnI84BBtb.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 406'528 bytes |
MD5 hash: | 49293C745F0FD48AB2784CAD7CC5A0AC |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 3 |
Start time: | 22:07:05 |
Start date: | 20/04/2024 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xce0000 |
File size: | 483'680 bytes |
MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 5 |
Start time: | 22:07:06 |
Start date: | 20/04/2024 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xce0000 |
File size: | 483'680 bytes |
MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Execution Graph
Execution Coverage: | 8.4% |
Dynamic/Decrypted Code Coverage: | 7.7% |
Signature Coverage: | 27.9% |
Total number of Nodes: | 362 |
Total number of Limit Nodes: | 20 |
Graph
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004046D0 Relevance: 5.5, Strings: 4, Instructions: 506 [COMMON]
Function 0041CC60 Relevance: 4.1, Strings: 3, Instructions: 328 [COMMON]
Function 0041DB22 Relevance: 3.6, APIs: 2, Instructions: 615 [COMMON]
Function 01A4F5C6 Relevance: 3.0, APIs: 2, Instructions: 41 [process, COMMON]
Function 0041AFE0 Relevance: 2.6, Strings: 2, Instructions: 130 [COMMON]
Function 004162D6 Relevance: 1.7, APIs: 1, Instructions: 218 [COMMON]
Function 00435B8B Relevance: 1.5, APIs: 1, Instructions: 42 [memory, COMMON]
Function 00435C40 Relevance: 1.5, APIs: 1, Instructions: 16 [library, COMMON]
Function 00420C42 Relevance: 0.4, Instructions: 431 [COMMON]
Function 00421370 Relevance: 0.4, Instructions: 381 [COMMON]
Function 00421090 Relevance: 0.4, Instructions: 373 [COMMON]
Function 0043B3B0 Relevance: 0.3, Instructions: 255 [COMMON]
Function 0043AE80 Relevance: 0.2, Instructions: 160 [COMMON]
Function 00438879 Relevance: 0.1, Instructions: 138 [COMMON]
Function 00437998 Relevance: 0.1, Instructions: 138 [COMMON]
Function 0041210C Relevance: 0.1, Instructions: 112 [COMMON]
Function 00410565 Relevance: 0.0, Instructions: 25 [COMMON]
Function 004286B8 Relevance: 0.0, Instructions: 19 [COMMON]
Function 0365003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515 [memory, COMMON]
Function 00427C0B Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 72 [memory, COMMON]
Function 00437E48 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 90 [library, COMMON]
Function 004241EB Relevance: 3.6, APIs: 2, Instructions: 582 [COMMON]
Function 00435AA0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53 [memory, COMMON]
Function 00439580 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45 [memory, COMMON]
Function 0041DE00 Relevance: 3.2, APIs: 2, Instructions: 215 [COMMON]
Function 0042DFB8 Relevance: 3.1, APIs: 2, Instructions: 123 [COMMON]
Function 03650E0F Relevance: 3.0, APIs: 2, Instructions: 15 [COMMON]
Function 004394EC Relevance: 1.5, APIs: 1, Instructions: 38 [memory, COMMON]
Function 0041860C Relevance: 1.5, APIs: 1, Instructions: 33 [COMMON]
Function 01A4F285 Relevance: 1.3, APIs: 1, Instructions: 48 [memory, COMMON]
Function 0042D8F0 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 155 [clipboard, COMMON]
Function 036762FE Relevance: 7.1, Strings: 5, Instructions: 837 [COMMON]
Function 00426097 Relevance: 7.1, Strings: 5, Instructions: 837 [COMMON]
Function 03654937 Relevance: 5.5, Strings: 4, Instructions: 506 [COMMON]
Function 0366CEC7 Relevance: 4.1, Strings: 3, Instructions: 328 [COMMON]
Function 0365092B Relevance: 3.8, Strings: 3, Instructions: 90 [COMMON]
Function 036555DB Relevance: 3.3, Strings: 2, Instructions: 800 [COMMON]
Function 00405567 Relevance: 3.0, Strings: 2, Instructions: 510 [COMMON]
Function 0368BC37 Relevance: 2.9, Strings: 2, Instructions: 360 [COMMON]
Function 0043B9D0 Relevance: 2.9, Strings: 2, Instructions: 360 [COMMON]
Function 0040581F Relevance: 2.8, Strings: 2, Instructions: 267 [COMMON]
Function 00405B18 Relevance: 2.7, Strings: 2, Instructions: 231 [COMMON]
Function 0366B247 Relevance: 2.6, Strings: 2, Instructions: 130 [COMMON]
Function 03686827 Relevance: 2.0, Strings: 1, Instructions: 700 [COMMON]
Function 004365C0 Relevance: 2.0, Strings: 1, Instructions: 700 [COMMON]
Function 0367643C Relevance: 1.7, Strings: 1, Instructions: 432 [COMMON]
Function 004261D5 Relevance: 1.7, Strings: 1, Instructions: 432 [COMMON]
Function 036763AF Relevance: 1.7, Strings: 1, Instructions: 429 [COMMON]
Function 00426148 Relevance: 1.7, Strings: 1, Instructions: 429 [COMMON]
Function 0367642A Relevance: 1.6, Strings: 1, Instructions: 388 [COMMON]
Function 004261C3 Relevance: 1.6, Strings: 1, Instructions: 388 [COMMON]
Function 03667CCC Relevance: 1.6, Strings: 1, Instructions: 357 [COMMON]
Function 00417A65 Relevance: 1.6, Strings: 1, Instructions: 357 [COMMON]
Function 004065F0 Relevance: 1.5, Strings: 1, Instructions: 262 [COMMON]
Function 0367483B Relevance: 1.4, Strings: 1, Instructions: 188 [COMMON]
Function 004245D4 Relevance: 1.4, Strings: 1, Instructions: 188 [COMMON]
Function 036748DF Relevance: 1.4, Strings: 1, Instructions: 169 [COMMON]
Function 00424678 Relevance: 1.4, Strings: 1, Instructions: 169 [COMMON]
Function 0367480F Relevance: 1.4, Strings: 1, Instructions: 126 [COMMON]
Function 004245A8 Relevance: 1.4, Strings: 1, Instructions: 126 [COMMON]
Function 03663719 Relevance: 1.3, Strings: 1, Instructions: 70 [COMMON]
Function 004134B2 Relevance: 1.3, Strings: 1, Instructions: 70 [COMMON]
Function 03687FA7 Relevance: 1.3, Strings: 1, Instructions: 44 [COMMON]
Function 00437D40 Relevance: 1.3, Strings: 1, Instructions: 44 [COMMON]
Function 03657ED7 Relevance: 0.9, Instructions: 864 [COMMON]
Function 00407C70 Relevance: 0.9, Instructions: 864 [COMMON]
Function 03653517 Relevance: 0.7, Instructions: 698 [COMMON]
Function 03653F47 Relevance: 0.6, Instructions: 632 [COMMON]
Function 03656297 Relevance: 0.5, Instructions: 497 [COMMON]
Function 00406030 Relevance: 0.5, Instructions: 497 [COMMON]
Function 036715D7 Relevance: 0.4, Instructions: 381 [COMMON]
Function 004069B4 Relevance: 0.4, Instructions: 379 [COMMON]
Function 03658B57 Relevance: 0.4, Instructions: 373 [COMMON]
Function 004088F0 Relevance: 0.4, Instructions: 373 [COMMON]
Function 00403670 Relevance: 0.3, Instructions: 336 [COMMON]
Function 00403CEF Relevance: 0.3, Instructions: 325 [COMMON]
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0366B447 Relevance: .3, Instructions: 310COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0041B1E0 Relevance: .3, Instructions: 310COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0366B917 Relevance: .3, Instructions: 291COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0368B907 Relevance: .3, Instructions: 290COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0043B6A0 Relevance: .3, Instructions: 290COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0368B617 Relevance: .3, Instructions: 255COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03660FDE Relevance: .2, Instructions: 240COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00410D77 Relevance: .2, Instructions: 240COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00403492 Relevance: .2, Instructions: 229COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03683BB7 Relevance: .2, Instructions: 192COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00433950 Relevance: .2, Instructions: 192COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0368B2C7 Relevance: .2, Instructions: 166COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0043B060 Relevance: .2, Instructions: 166COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0368B0E7 Relevance: .2, Instructions: 160COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03652F77 Relevance: .2, Instructions: 152COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00402D10 Relevance: .2, Instructions: 152COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03665227 Relevance: .1, Instructions: 146COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00414FC0 Relevance: .1, Instructions: 146COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03687BFF Relevance: .1, Instructions: 138COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03688AE0 Relevance: .1, Instructions: 138COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 036630FA Relevance: .1, Instructions: 136COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00412E93 Relevance: .1, Instructions: 136COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 036603A7 Relevance: .1, Instructions: 132COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00410140 Relevance: .1, Instructions: 132COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03662373 Relevance: .1, Instructions: 112COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03653127 Relevance: .1, Instructions: 100COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00402EC0 Relevance: .1, Instructions: 100COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0368AFD7 Relevance: .1, Instructions: 92COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0043AD70 Relevance: .1, Instructions: 92COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 036891D1 Relevance: .1, Instructions: 81COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00438F6A Relevance: .1, Instructions: 81COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0366DA12 Relevance: .1, Instructions: 69COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 036821E7 Relevance: .1, Instructions: 64COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00431F80 Relevance: .1, Instructions: 64COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01A4EEA3 Relevance: .1, Instructions: 61COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03672554 Relevance: .1, Instructions: 52COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004222ED Relevance: .1, Instructions: 52COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0368A837 Relevance: .0, Instructions: 47COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0043A5D0 Relevance: .0, Instructions: 47COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03650D90 Relevance: .0, Instructions: 43COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03685DF2 Relevance: .0, Instructions: 42COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0367254E Relevance: .0, Instructions: 32COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004222E7 Relevance: .0, Instructions: 32COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 036607CC Relevance: .0, Instructions: 25COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 036895F0 Relevance: .0, Instructions: 24COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00439389 Relevance: .0, Instructions: 24COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0365D3C7 Relevance: .0, Instructions: 21COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040D160 Relevance: .0, Instructions: 21COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03667C81 Relevance: .0, Instructions: 15COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00417A1A Relevance: .0, Instructions: 15COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0368A3E9 Relevance: .0, Instructions: 14COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0043A182 Relevance: .0, Instructions: 14COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 03672689 Relevance: .0, Instructions: 12COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00422422 Relevance: .0, Instructions: 12COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0368A3F7 Relevance: .0, Instructions: 11COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0043A190 Relevance: .0, Instructions: 11COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0367DB57 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 155clipboardCOMMON
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |