Edit tour
Windows
Analysis Report
PASS-1234.exe
Overview
General Information
| Sample name: | PASS-1234.exe |
| Analysis ID: | 1429198 |
| MD5: | 91a6507a51ddcf98f542e89c58b9a17e |
| SHA1: | 870a96273698fc67cf145a7601fc3892671eea22 |
| SHA256: | aca438e378d0fd7abdb1fc1f7cc9acdc279dbd399fda98f8078a99a4a24e537a |
| Tags: | exeredlinestealer |
| Infos: |  |
 | |
Detection
LummaC
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected LummaC Stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
PASS-1234.exe (PID: 6732 cmdline: "C:\Users\ user\Deskt op\PASS-12 34.exe" MD5: 91A6507A51DDCF98F542E89C58B9A17E) - RegAsm.exe (PID: 5104 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
{"C2 url": ["demonstationfukewko.shop", "liabilitynighstjsko.shop", "alcojoldwograpciw.shop", "incredibleextedwj.shop", "shortsvelventysjo.shop", "shatterbreathepsw.shop", "tolerateilusidjukl.shop", "productivelookewr.shop", "sideindexfollowragelrew.pw"], "Build id": "LPnhqo--@warefromware"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
⊘No Sigma rule has matched
| Timestamp: | 04/21/24-09:04:55.909755 |
| SID: | 2049958 |
| Source Port: | 55278 |
| Destination Port: | 53 |
| Protocol: | UDP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Joe Sandbox ML: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Code function: | 1_2_0041545B | |
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_00D95B4B | |
| Source: | Code function: | 0_2_00D9602F | |
| Source: | Code function: | 0_2_00DFC0C8 | |
| Source: | Code function: | 0_2_00DE0718 | |
| Source: | Code function: | 0_2_00DFC9C8 | |
| Source: | Code function: | 0_2_00DE0C58 | |
| Source: | Code function: | 0_2_00DE0C58 | |
| Source: | Code function: | 0_2_00E01858 | |
| Source: | Code function: | 0_2_00E01C08 | |
| Source: | Code function: | 0_2_00DE2388 | |
| Source: | Code function: | 0_2_00DE69B8 | |
| Source: | Code function: | 0_2_00DCF8A8 | |
| Source: | Code function: | 0_2_00DCFD58 | |
| Source: | Code function: | 1_2_0041507B | |
| Source: | Code function: | 1_2_004173DF | |
| Source: | Code function: | 1_2_004173DF | |
| Source: | Code function: | 1_2_0041545B | |
| Source: | Code function: | 1_2_00402570 | |
| Source: | Code function: | 1_2_00420580 | |
| Source: | Code function: | 1_2_0043B7D0 | |
| Source: | Code function: | 1_2_00425878 | |
| Source: | Code function: | 1_2_00409920 | |
| Source: | Code function: | 1_2_004209C1 | |
| Source: | Code function: | 1_2_00435C90 | |
| Source: | Code function: | 1_2_00438E4E | |
| Source: | Code function: | 1_2_0041BF50 | |
| Source: | Code function: | 1_2_00406060 | |
| Source: | Code function: | 1_2_00424085 | |
| Source: | Code function: | 1_2_00414170 | |
| Source: | Code function: | 1_2_0042410D | |
| Source: | Code function: | 1_2_00422C09 | |
| Source: | Code function: | 1_2_00439256 | |
| Source: | Code function: | 1_2_00439254 | |
| Source: | Code function: | 1_2_0041A2E0 | |
| Source: | Code function: | 1_2_004232F3 | |
| Source: | Code function: | 1_2_00422BCC | |
| Source: | Code function: | 1_2_00424397 | |
| Source: | Code function: | 1_2_00424397 | |
| Source: | Code function: | 1_2_00424397 | |
| Source: | Code function: | 1_2_00424397 | |
| Source: | Code function: | 1_2_00424394 | |
| Source: | Code function: | 1_2_00424394 | |
| Source: | Code function: | 1_2_00424394 | |
| Source: | Code function: | 1_2_00424394 | |
| Source: | Code function: | 1_2_004393B6 | |
| Source: | Code function: | 1_2_004393B4 | |
| Source: | Code function: | 1_2_00409470 | |
| Source: | Code function: | 1_2_0043B420 | |
| Source: | Code function: | 1_2_00423D4E | |
| Source: | Code function: | 1_2_00423D4E | |
| Source: | Code function: | 1_2_00423D4E | |
| Source: | Code function: | 1_2_00436590 | |
| Source: | Code function: | 1_2_00417770 | |
| Source: | Code function: | 1_2_0041085D | |
| Source: | Code function: | 1_2_0041A820 | |
| Source: | Code function: | 1_2_0041A820 | |
| Source: | Code function: | 1_2_0040FA70 | |
| Source: | Code function: | 1_2_0041AB60 | |
| Source: | Code function: | 1_2_00413C7A | |
| Source: | Code function: | 1_2_00413C12 | |
| Source: | Code function: | 1_2_00413AF8 | |
| Source: | Code function: | 1_2_00422CDB | |
| Source: | Code function: | 1_2_00422CDB | |
| Source: | Code function: | 1_2_00407C90 | |
| Source: | Code function: | 1_2_00410DB5 | |
| Source: | Code function: | 1_2_00413EF6 | |
| Source: | Code function: | 1_2_00431F40 | |
| Source: | Code function: | 1_2_00433F1A | |
| Source: | Code function: | 1_2_00433F30 | |
| Source: | Code function: | 1_2_00415F38 | |
| Source: | Code function: | 1_2_00439FC0 | |
| Source: | Code function: | 1_2_00421FA5 | |
Networking | |
|---|
| Source: | Snort IDS: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 1_2_0042DBB0 | |
| Source: | Code function: | 1_2_0042DBB0 | |
| Source: | Code function: | 1_2_0042E1F7 | |
| Source: | Code function: | 0_2_00D48318 | |
| Source: | Code function: | 0_2_00D7487A | |
| Source: | Code function: | 0_2_00DFC9C8 | |
| Source: | Code function: | 0_2_00D74C94 | |
| Source: | Code function: | 0_2_00D750C0 | |
| Source: | Code function: | 0_2_00D8125D | |
| Source: | Code function: | 0_2_00DFD238 | |
| Source: | Code function: | 0_2_00DA13FF | |
| Source: | Code function: | 0_2_00D754DA | |
| Source: | Code function: | 0_2_00D8125D | |
| Source: | Code function: | 0_2_00E01518 | |
| Source: | Code function: | 0_2_00D918BA | |
| Source: | Code function: | 0_2_00E01858 | |
| Source: | Code function: | 0_2_00D7594B | |
| Source: | Code function: | 0_2_00D75DCF | |
| Source: | Code function: | 0_2_00DF9F18 | |
| Source: | Code function: | 0_2_00D5E170 | |
| Source: | Code function: | 0_2_00D76240 | |
| Source: | Code function: | 0_2_00D92482 | |
| Source: | Code function: | 0_2_00D7667E | |
| Source: | Code function: | 0_2_00D5E7E0 | |
| Source: | Code function: | 0_2_00D9A967 | |
| Source: | Code function: | 0_2_00D76ACF | |
| Source: | Code function: | 0_2_00D5AB4B | |
| Source: | Code function: | 0_2_00D5ED20 | |
| Source: | Code function: | 0_2_00D76F0D | |
| Source: | Code function: | 0_2_00D77436 | |
| Source: | Code function: | 0_2_00D2364B | |
| Source: | Code function: | 0_2_00D2364B | |
| Source: | Code function: | 0_2_00D2364B | |
| Source: | Code function: | 0_2_00D5B8E0 | |
| Source: | Code function: | 0_2_00DE7878 | |
| Source: | Code function: | 0_2_00D77972 | |
| Source: | Code function: | 1_2_00421440 | |
| Source: | Code function: | 1_2_00404690 | |
| Source: | Code function: | 1_2_00406060 | |
| Source: | Code function: | 1_2_00401000 | |
| Source: | Code function: | 1_2_0043B0E0 | |
| Source: | Code function: | 1_2_0042120A | |
| Source: | Code function: | 1_2_00403230 | |
| Source: | Code function: | 1_2_00405320 | |
| Source: | Code function: | 1_2_0043B420 | |
| Source: | Code function: | 1_2_00423D4E | |
| Source: | Code function: | 1_2_00436590 | |
| Source: | Code function: | 1_2_00406630 | |
| Source: | Code function: | 1_2_004016F0 | |
| Source: | Code function: | 1_2_0042672B | |
| Source: | Code function: | 1_2_00408910 | |
| Source: | Code function: | 1_2_0041C992 | |
| Source: | Code function: | 1_2_00433AE0 | |
| Source: | Code function: | 1_2_00403C80 | |
| Source: | Code function: | 1_2_00407C90 | |
| Source: | Code function: | 1_2_00425E62 | |
| Source: | Code function: | 1_2_0041CE64 | |
| Source: | Code function: | 1_2_00436E00 | |
| Source: | Code function: | 1_2_00402E10 | |
| Source: | Code function: | 1_2_0041DFF1 | |
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 1_2_0042B5D0 | |
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00D3FB13 | |
| Source: | Code function: | 1_2_004401C8 | |
| Source: | Code function: | 1_2_004407F7 | |
| Source: | Code function: | 1_2_0042D8F1 | |
| Source: | Code function: | 1_2_004419F0 | |
| Source: | Code function: | 1_2_00440ACD | |
| Source: | Code function: | 1_2_00440AFD | |
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | System information queried: | Jump to behavior | ||
| Source: | API coverage: | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Code function: | 0_2_00D95B4B | |
| Source: | Code function: | 0_2_00D9602F | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 1_2_00435C40 | |
| Source: | Code function: | 0_2_00D50955 | |
| Source: | Code function: | 0_2_00D9889B | |
| Source: | Code function: | 0_2_00D8542B | |
| Source: | Code function: | 0_2_00D985E7 | |
| Source: | Code function: | 0_2_00D986FE | |
| Source: | Code function: | 0_2_00D9868D | |
| Source: | Code function: | 0_2_00D9863A | |
| Source: | Code function: | 0_2_00D987F1 | |
| Source: | Code function: | 0_2_00D988D8 | |
| Source: | Code function: | 0_2_00D98846 | |
| Source: | Code function: | 0_2_00D50955 | |
| Source: | Code function: | 0_2_00D3F7BA | |
| Source: | Code function: | 0_2_00D3FB66 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Code function: | 0_2_00E129C5 | |
| Source: | Memory written: | Jump to behavior | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00D3F337 | |
| Source: | Code function: | 0_2_00D14B3D | |
| Source: | Code function: | 0_2_00D3DC1F | |
| Source: | Code function: | 0_2_00D89F1F | |
| Source: | Code function: | 0_2_00D8A10E | |
| Source: | Code function: | 0_2_00D8AC69 | |
| Source: | Code function: | 0_2_00D9B05F | |
| Source: | Code function: | 0_2_00D9B3A8 | |
| Source: | Code function: | 0_2_00D9B4EB | |
| Source: | Code function: | 0_2_00D9B42A | |
| Source: | Code function: | 0_2_00D9B598 | |
| Source: | Code function: | 0_2_00D9B87F | |
| Source: | Code function: | 0_2_00D9B9F2 | |
| Source: | Code function: | 0_2_00D9BB39 | |
| Source: | Code function: | 0_2_00D9BC3B | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_00D8ACB7 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 411 Process Injection | 11 Virtualization/Sandbox Evasion | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 411 Process Injection | LSASS Memory | 131 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 31 Data from Local System | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 1 Process Discovery | Distributed Component Object Model | 2 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 11 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 33 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 34% | Virustotal | Browse | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 24% | Virustotal | Browse | ||
| 1% | Virustotal | Browse |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 1% | Virustotal | Browse | ||
| 24% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 14% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 14% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 10% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 0% | Virustotal | Browse |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| productivelookewr.shop | 104.21.11.250 | true | true |
| unknown |
| sideindexfollowragelrew.pw | unknown | unknown | true |
| unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| false |
| unknown | |
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 104.21.11.250 | productivelookewr.shop | United States | 13335 | CLOUDFLARENETUS | true |
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1429198 |
| Start date and time: | 2024-04-21 09:04:05 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 3m 22s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 2 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | PASS-1234.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@3/0@2/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Excluded IPs from analysis (whitelisted): 40.126.28.12, 40.126.28.19, 40.126.7.35, 40.126.28.13, 40.126.28.20, 40.126.28.14, 40.126.28.23, 40.126.7.32
- Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, login.live.com, www.tm.v4.a.prd.aadg.akadns.net, umwatson.events.data.microsoft.com, login.msa.msidentity.com, www.tm.lg.prod.aadmsa.trafficmanager.net
- HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- Report size getting too big, too many NtOpenFile calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 09:04:56 | API Interceptor |
⊘No context
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Clipboard Hijacker, RisePro Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Clipboard Hijacker, RisePro Stealer | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | RisePro Stealer | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | RisePro Stealer | Browse |
| ||
| Get hash | malicious | Remcos, DBatLoader | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 6.529944218392288 |
| TrID: |
|
| File name: | PASS-1234.exe |
| File size: | 1'229'424 bytes |
| MD5: | 91a6507a51ddcf98f542e89c58b9a17e |
| SHA1: | 870a96273698fc67cf145a7601fc3892671eea22 |
| SHA256: | aca438e378d0fd7abdb1fc1f7cc9acdc279dbd399fda98f8078a99a4a24e537a |
| SHA512: | cdc5aa3b28e69e119c1415ce760d6cd6633eb5ab98834d609ec198b212614ad49d1f9e5c11f44507522eaf7b1bf39d5d9d20064df5259a358951e15f05154e48 |
| SSDEEP: | 24576:zkeQ/Joxh1oVZM8YWmwZ+Y3DkUU78T0KPTXBsn1F9/GAApP1aqNt+:Xxh1oVZMY31snDNrABYqS |
| TLSH: | DC45CF2179C49072EDE720B746ECBA3682ADE4B0471516CB07DC5BEED7606C27F32686 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........]...3...3...3.h.0...3.h.6...3.h.7...3.y77...3.y70...3.h.2...3...2...3.y76...3.H46...3.H4....3.H41...3.Rich..3.........PE..L.. |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x4011d1 |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x6624AD91 [Sun Apr 21 06:09:21 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 6c2d283aa2105be58188e49b58a6bdd2 |
| Signature Valid: | false |
| Signature Issuer: | CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US |
| Signature Validation Error: | The digital signature of the object did not verify |
| Error Number: | -2146869232 |
| Not Before, Not After |
|
| Subject Chain |
|
| Version: | 3 |
| Thumbprint MD5: | 332CDC164B1324C3FF3F64E228C5FFFC |
| Thumbprint SHA-1: | CBFB3D25134A5FF6FCF2924D5B4BE16194EA7E13 |
| Thumbprint SHA-256: | 531855F05B9D55E4F6DDEBC443706382DDB9ACBD2B8AB24004822BE204420943 |
| Serial: | 0C9838F673F9B1CCE395CFAB2B6684E4 |
| Instruction |
|---|
| jmp 00007F0CCCC30345h |
| jmp 00007F0CCCC55D36h |
| jmp 00007F0CCCC2F530h |
| jmp 00007F0CCCC388D0h |
| jmp 00007F0CCCC21EDBh |
| jmp 00007F0CCCC0BE4Ch |
| jmp 00007F0CCCC92C81h |
| jmp 00007F0CCCC224BAh |
| jmp 00007F0CCCC56AB4h |
| jmp 00007F0CCCC97B8Bh |
| jmp 00007F0CCCC0720Ah |
| jmp 00007F0CCCC31480h |
| jmp 00007F0CCCC41402h |
| jmp 00007F0CCCC1A5B4h |
| jmp 00007F0CCCC02989h |
| jmp 00007F0CCCC44CAEh |
| jmp 00007F0CCCC095A5h |
| jmp 00007F0CCCC059C5h |
| jmp 00007F0CCCC826EFh |
| jmp 00007F0CCCC02445h |
| jmp 00007F0CCCC51257h |
| jmp 00007F0CCCC6DBDFh |
| jmp 00007F0CCCC1E997h |
| jmp 00007F0CCCC5F240h |
| jmp 00007F0CCCC2ACC9h |
| jmp 00007F0CCCC3949Ah |
| jmp 00007F0CCCC02DD1h |
| jmp 00007F0CCCC699EEh |
| jmp 00007F0CCCC90723h |
| jmp 00007F0CCCC1836Dh |
| jmp 00007F0CCCC32DFCh |
| jmp 00007F0CCCC44C74h |
| jmp 00007F0CCCC8D72Ch |
| jmp 00007F0CCCC7C911h |
| jmp 00007F0CCCC79A83h |
| jmp 00007F0CCCC1AB01h |
| jmp 00007F0CCCC393B7h |
| jmp 00007F0CCCC5EA39h |
| jmp 00007F0CCCC5EA20h |
| jmp 00007F0CCCC2F797h |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x12620c | 0x3c | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x128000 | 0x595 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x129c00 | 0x2670 | .reloc |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x129000 | 0x4810 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0xbec50 | 0x38 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xbeb68 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x126000 | 0x20c | .idata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xb0798 | 0xb0800 | bc036925ff26378c4f32254f050aca9b | False | 0.3322110702903683 | data | 5.8344330209166975 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0xb2000 | 0x14e9c | 0x15000 | 12a8026f7cb82d532eda30aedd92a396 | False | 0.285888671875 | data | 3.7090415644290298 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xc7000 | 0x5ed00 | 0x5d200 | d0cef833d463a24fe9297b6d7daff38a | False | 0.8175597734899329 | data | 7.237379033791951 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0x126000 | 0xce4 | 0xe00 | 3c03556465a808a15dfebc0547c07175 | False | 0.33677455357142855 | data | 4.3866801583830926 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .00cfg | 0x127000 | 0x10e | 0x200 | 538eede3a8efee153c6ea7cecee5ea41 | False | 0.03515625 | data | 0.11055713125913882 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0x128000 | 0x595 | 0x600 | f56dc87fbf96485eb492de1e12eca98a | False | 0.4283854166666667 | data | 3.988375491483662 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x129000 | 0x563b | 0x5800 | d7343ca5ad0f878c7fdd0b0d9d9dd7bc | False | 0.6222478693181818 | data | 5.962106940053917 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_VERSION | 0x1280a0 | 0x378 | data | English | United States | 0.44144144144144143 |
| RT_MANIFEST | 0x128418 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727 |
| DLL | Import |
|---|---|
| ADVAPI32.dll | RegDisablePredefinedCache |
| KERNEL32.dll | CloseHandle, WaitForSingleObjectEx, CreateRemoteThread, VirtualProtect, FormatMessageA, LocalFree, GetLocaleInfoEx, EncodePointer, DecodePointer, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, MultiByteToWideChar, WideCharToMultiByte, LCMapStringEx, GetStringTypeW, CompareStringEx, GetCPInfo, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetModuleHandleW, GetCurrentProcess, TerminateProcess, CreateFileW, RaiseException, RtlUnwind, InterlockedPushEntrySList, InterlockedFlushSList, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, GetCurrentThread, HeapAlloc, HeapFree, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, SetConsoleCtrlHandler, HeapReAlloc, GetTimeZoneInformation, OutputDebugStringW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetProcessHeap, HeapSize, WriteConsoleW |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 04/21/24-09:04:55.909755 | UDP | 2049958 | ET TROJAN Lumma Stealer Related Domain in DNS Lookup (sideindexfollowragelrew .pw) | 55278 | 53 | 192.168.2.4 | 1.1.1.1 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Apr 21, 2024 09:04:56.191524982 CEST | 49742 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:56.191567898 CEST | 443 | 49742 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:56.191637039 CEST | 49742 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:56.195146084 CEST | 49742 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:56.195162058 CEST | 443 | 49742 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:56.429863930 CEST | 443 | 49742 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:56.430047989 CEST | 49742 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:56.431646109 CEST | 49742 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:56.431653976 CEST | 443 | 49742 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:56.432189941 CEST | 443 | 49742 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:56.477598906 CEST | 49742 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:56.480608940 CEST | 49742 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:56.480634928 CEST | 49742 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:56.480979919 CEST | 443 | 49742 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:56.957777023 CEST | 443 | 49742 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:56.958048105 CEST | 443 | 49742 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:56.958132029 CEST | 49742 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:56.960956097 CEST | 49742 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:56.960972071 CEST | 443 | 49742 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:56.965198994 CEST | 49743 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:56.965313911 CEST | 443 | 49743 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:56.965413094 CEST | 49743 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:56.965858936 CEST | 49743 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:56.965939999 CEST | 443 | 49743 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:57.192219019 CEST | 443 | 49743 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:57.192316055 CEST | 49743 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:57.205641985 CEST | 49743 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:57.205719948 CEST | 443 | 49743 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:57.206602097 CEST | 443 | 49743 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:57.216793060 CEST | 49743 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:57.216794014 CEST | 49743 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:57.217015982 CEST | 443 | 49743 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:57.734230995 CEST | 443 | 49743 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:57.734391928 CEST | 443 | 49743 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:57.734498024 CEST | 49743 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:57.734527111 CEST | 443 | 49743 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:57.734636068 CEST | 443 | 49743 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:57.734714031 CEST | 49743 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:57.734724998 CEST | 443 | 49743 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:57.734872103 CEST | 443 | 49743 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:57.734925985 CEST | 49743 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:57.734935999 CEST | 443 | 49743 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:57.735085011 CEST | 443 | 49743 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:57.735138893 CEST | 49743 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:57.735148907 CEST | 443 | 49743 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:57.735296965 CEST | 443 | 49743 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:57.735351086 CEST | 49743 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:57.735359907 CEST | 443 | 49743 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:57.735505104 CEST | 443 | 49743 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:57.735558033 CEST | 49743 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:57.735567093 CEST | 443 | 49743 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:57.735759020 CEST | 443 | 49743 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:57.735816956 CEST | 49743 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:57.735867977 CEST | 49743 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:57.735896111 CEST | 443 | 49743 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:57.735922098 CEST | 49743 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:57.735935926 CEST | 443 | 49743 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:57.771289110 CEST | 49744 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:57.771368027 CEST | 443 | 49744 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:57.771492004 CEST | 49744 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:57.771807909 CEST | 49744 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:57.771843910 CEST | 443 | 49744 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:57.998644114 CEST | 443 | 49744 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:57.999130964 CEST | 49744 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:58.000071049 CEST | 49744 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:58.000149965 CEST | 443 | 49744 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:58.001127958 CEST | 443 | 49744 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:58.002157927 CEST | 49744 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:58.002284050 CEST | 49744 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:58.002402067 CEST | 443 | 49744 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:58.002496004 CEST | 49744 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:58.002574921 CEST | 443 | 49744 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:58.546812057 CEST | 443 | 49744 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:58.547041893 CEST | 443 | 49744 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:58.547328949 CEST | 49744 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:58.547329903 CEST | 49744 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:58.570653915 CEST | 49745 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:58.570699930 CEST | 443 | 49745 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:58.570775032 CEST | 49745 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:58.571043015 CEST | 49745 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:58.571053982 CEST | 443 | 49745 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:58.801445961 CEST | 443 | 49745 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:58.801547050 CEST | 49745 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:58.802778959 CEST | 49745 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:58.802791119 CEST | 443 | 49745 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:58.803921938 CEST | 443 | 49745 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:58.805057049 CEST | 49745 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:58.805164099 CEST | 49745 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:58.805213928 CEST | 443 | 49745 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:59.338597059 CEST | 443 | 49745 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:59.338867903 CEST | 443 | 49745 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:59.338931084 CEST | 49745 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:59.338973045 CEST | 49745 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:59.400651932 CEST | 49746 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:59.400732994 CEST | 443 | 49746 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:59.400851965 CEST | 49746 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:59.401273966 CEST | 49746 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:59.401354074 CEST | 443 | 49746 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:59.626473904 CEST | 443 | 49746 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:59.626676083 CEST | 49746 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:59.627823114 CEST | 49746 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:59.627872944 CEST | 443 | 49746 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:59.628396034 CEST | 443 | 49746 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:59.629601002 CEST | 49746 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:59.629764080 CEST | 49746 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:59.629833937 CEST | 443 | 49746 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:04:59.629925966 CEST | 49746 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:04:59.629944086 CEST | 443 | 49746 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:00.182255030 CEST | 443 | 49746 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:00.182543993 CEST | 443 | 49746 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:00.182701111 CEST | 49746 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:00.183147907 CEST | 49746 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:00.183207989 CEST | 443 | 49746 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:00.248697042 CEST | 49747 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:00.248776913 CEST | 443 | 49747 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:00.248881102 CEST | 49747 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:00.249275923 CEST | 49747 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:00.249358892 CEST | 443 | 49747 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:00.473462105 CEST | 443 | 49747 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:00.473781109 CEST | 49747 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:00.474813938 CEST | 49747 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:00.474865913 CEST | 443 | 49747 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:00.475442886 CEST | 443 | 49747 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:00.476694107 CEST | 49747 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:00.476775885 CEST | 49747 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:00.476852894 CEST | 443 | 49747 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:00.984888077 CEST | 443 | 49747 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:00.985186100 CEST | 443 | 49747 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:00.985420942 CEST | 49747 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:00.985420942 CEST | 49747 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:01.001167059 CEST | 49748 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:01.001204967 CEST | 443 | 49748 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:01.001272917 CEST | 49748 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:01.001543999 CEST | 49748 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:01.001557112 CEST | 443 | 49748 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:01.228846073 CEST | 443 | 49748 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:01.228920937 CEST | 49748 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:01.230165005 CEST | 49748 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:01.230174065 CEST | 443 | 49748 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:01.231183052 CEST | 443 | 49748 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:01.232353926 CEST | 49748 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:01.232439995 CEST | 49748 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:01.232601881 CEST | 443 | 49748 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:01.290359020 CEST | 49747 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:01.290420055 CEST | 443 | 49747 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:01.746011019 CEST | 443 | 49748 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:01.746225119 CEST | 49748 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:02.107943058 CEST | 49749 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:02.108036041 CEST | 443 | 49749 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:02.108136892 CEST | 49749 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:02.108413935 CEST | 49749 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:02.108443975 CEST | 443 | 49749 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:02.335706949 CEST | 443 | 49749 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:02.335777998 CEST | 49749 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:02.338285923 CEST | 49749 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:02.338305950 CEST | 443 | 49749 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:02.338799000 CEST | 443 | 49749 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:02.340133905 CEST | 49749 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:02.340843916 CEST | 49749 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:02.340892076 CEST | 443 | 49749 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:02.341037035 CEST | 49749 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:02.341084003 CEST | 443 | 49749 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:02.342442989 CEST | 49749 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:02.342498064 CEST | 443 | 49749 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:02.342684984 CEST | 49749 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:02.342731953 CEST | 443 | 49749 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:02.342909098 CEST | 49749 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:02.342957020 CEST | 443 | 49749 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:02.343189955 CEST | 49749 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:02.343230009 CEST | 443 | 49749 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:02.343257904 CEST | 49749 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:02.343298912 CEST | 443 | 49749 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:02.343381882 CEST | 49749 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:02.343415976 CEST | 443 | 49749 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:02.343451023 CEST | 49749 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:02.343471050 CEST | 49749 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:02.343524933 CEST | 49749 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:02.343631983 CEST | 49749 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:02.384152889 CEST | 443 | 49749 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:02.384452105 CEST | 49749 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:02.384493113 CEST | 443 | 49749 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:02.384538889 CEST | 49749 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:02.384572029 CEST | 443 | 49749 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:02.384643078 CEST | 49749 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:02.384675980 CEST | 443 | 49749 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:04.512609959 CEST | 443 | 49749 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:04.512860060 CEST | 443 | 49749 | 104.21.11.250 | 192.168.2.4 |
| Apr 21, 2024 09:05:04.512892962 CEST | 49749 | 443 | 192.168.2.4 | 104.21.11.250 |
| Apr 21, 2024 09:05:04.512953043 CEST | 49749 | 443 | 192.168.2.4 | 104.21.11.250 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Apr 21, 2024 09:04:55.909754992 CEST | 55278 | 53 | 192.168.2.4 | 1.1.1.1 |
| Apr 21, 2024 09:04:56.034226894 CEST | 53 | 55278 | 1.1.1.1 | 192.168.2.4 |
| Apr 21, 2024 09:04:56.035650015 CEST | 50104 | 53 | 192.168.2.4 | 1.1.1.1 |
| Apr 21, 2024 09:04:56.186405897 CEST | 53 | 50104 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Apr 21, 2024 09:04:55.909754992 CEST | 192.168.2.4 | 1.1.1.1 | 0xf7c6 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Apr 21, 2024 09:04:56.035650015 CEST | 192.168.2.4 | 1.1.1.1 | 0x6dd0 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Apr 21, 2024 09:04:56.186405897 CEST | 1.1.1.1 | 192.168.2.4 | 0x6dd0 | No error (0) | 104.21.11.250 | A (IP address) | IN (0x0001) | false | ||
| Apr 21, 2024 09:04:56.186405897 CEST | 1.1.1.1 | 192.168.2.4 | 0x6dd0 | No error (0) | 172.67.150.207 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49742 | 104.21.11.250 | 443 | 5104 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-21 07:04:56 UTC | 269 | OUT | |
| 2024-04-21 07:04:56 UTC | 8 | OUT | |
| 2024-04-21 07:04:56 UTC | 810 | IN | |
| 2024-04-21 07:04:56 UTC | 7 | IN | |
| 2024-04-21 07:04:56 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49743 | 104.21.11.250 | 443 | 5104 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-21 07:04:57 UTC | 270 | OUT | |
| 2024-04-21 07:04:57 UTC | 62 | OUT | |
| 2024-04-21 07:04:57 UTC | 806 | IN | |
| 2024-04-21 07:04:57 UTC | 563 | IN | |
| 2024-04-21 07:04:57 UTC | 1369 | IN | |
| 2024-04-21 07:04:57 UTC | 1369 | IN | |
| 2024-04-21 07:04:57 UTC | 1369 | IN | |
| 2024-04-21 07:04:57 UTC | 1369 | IN | |
| 2024-04-21 07:04:57 UTC | 1369 | IN | |
| 2024-04-21 07:04:57 UTC | 1369 | IN | |
| 2024-04-21 07:04:57 UTC | 1369 | IN | |
| 2024-04-21 07:04:57 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 49744 | 104.21.11.250 | 443 | 5104 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-21 07:04:57 UTC | 288 | OUT | |
| 2024-04-21 07:04:57 UTC | 15331 | OUT | |
| 2024-04-21 07:04:57 UTC | 2840 | OUT | |
| 2024-04-21 07:04:58 UTC | 812 | IN | |
| 2024-04-21 07:04:58 UTC | 20 | IN | |
| 2024-04-21 07:04:58 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.4 | 49745 | 104.21.11.250 | 443 | 5104 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-21 07:04:58 UTC | 287 | OUT | |
| 2024-04-21 07:04:58 UTC | 8792 | OUT | |
| 2024-04-21 07:04:59 UTC | 814 | IN | |
| 2024-04-21 07:04:59 UTC | 20 | IN | |
| 2024-04-21 07:04:59 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.4 | 49746 | 104.21.11.250 | 443 | 5104 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-21 07:04:59 UTC | 288 | OUT | |
| 2024-04-21 07:04:59 UTC | 15331 | OUT | |
| 2024-04-21 07:04:59 UTC | 5114 | OUT | |
| 2024-04-21 07:05:00 UTC | 802 | IN | |
| 2024-04-21 07:05:00 UTC | 20 | IN | |
| 2024-04-21 07:05:00 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.4 | 49747 | 104.21.11.250 | 443 | 5104 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-21 07:05:00 UTC | 287 | OUT | |
| 2024-04-21 07:05:00 UTC | 7092 | OUT | |
| 2024-04-21 07:05:00 UTC | 806 | IN | |
| 2024-04-21 07:05:00 UTC | 20 | IN | |
| 2024-04-21 07:05:00 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.4 | 49748 | 104.21.11.250 | 443 | 5104 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-21 07:05:01 UTC | 287 | OUT | |
| 2024-04-21 07:05:01 UTC | 1417 | OUT | |
| 2024-04-21 07:05:01 UTC | 812 | IN | |
| 2024-04-21 07:05:01 UTC | 20 | IN | |
| 2024-04-21 07:05:01 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.4 | 49749 | 104.21.11.250 | 443 | 5104 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-21 07:05:02 UTC | 289 | OUT | |
| 2024-04-21 07:05:02 UTC | 15331 | OUT | |
| 2024-04-21 07:05:02 UTC | 15331 | OUT | |
| 2024-04-21 07:05:02 UTC | 15331 | OUT | |
| 2024-04-21 07:05:02 UTC | 15331 | OUT | |
| 2024-04-21 07:05:02 UTC | 15331 | OUT | |
| 2024-04-21 07:05:02 UTC | 15331 | OUT | |
| 2024-04-21 07:05:02 UTC | 15331 | OUT | |
| 2024-04-21 07:05:02 UTC | 15331 | OUT | |
| 2024-04-21 07:05:02 UTC | 15331 | OUT | |
| 2024-04-21 07:05:02 UTC | 15331 | OUT | |
| 2024-04-21 07:05:04 UTC | 804 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 09:04:54 |
| Start date: | 21/04/2024 |
| Path: | C:\Users\user\Desktop\PASS-1234.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xd00000 |
| File size: | 1'229'424 bytes |
| MD5 hash: | 91A6507A51DDCF98F542E89C58B9A17E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 09:04:54 |
| Start date: | 21/04/2024 |
| Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xe60000 |
| File size: | 65'440 bytes |
| MD5 hash: | 0D5DF43AF2916F47D00C1573797C1A13 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 0.4% |
| Dynamic/Decrypted Code Coverage: | 15.1% |
| Signature Coverage: | 24.5% |
| Total number of Nodes: | 53 |
| Total number of Limit Nodes: | 3 |
Graph
Function 00E129C5 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 282threadinjectionmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D9889B Relevance: .0, Instructions: 22COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D8542B Relevance: .0, Instructions: 12COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D1192E Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 74registrymemorythreadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D85392 Relevance: 4.5, APIs: 3, Instructions: 15COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D8A688 Relevance: 1.6, APIs: 1, Instructions: 57COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D9BC3B Relevance: 7.7, APIs: 5, Instructions: 183COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00DA13FF Relevance: 7.4, Strings: 4, Instructions: 2437COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00DCFD58 Relevance: 6.7, Strings: 5, Instructions: 425COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D9602F Relevance: 6.1, APIs: 4, Instructions: 129fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D3F7BA Relevance: 6.1, APIs: 4, Instructions: 70COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D14B3D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D9B598 Relevance: 4.7, APIs: 3, Instructions: 205COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D50955 Relevance: 4.6, APIs: 3, Instructions: 77COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00DE7878 Relevance: 4.1, Strings: 3, Instructions: 381COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00DE69B8 Relevance: 4.0, Strings: 3, Instructions: 247COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00DE2388 Relevance: 2.9, Strings: 2, Instructions: 358COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00DCF8A8 Relevance: 2.8, Strings: 2, Instructions: 339COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00E01858 Relevance: 2.8, Strings: 2, Instructions: 331COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D48318 Relevance: 2.5, Strings: 1, Instructions: 1201COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D95B4B Relevance: 1.8, APIs: 1, Instructions: 280COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D918BA Relevance: 1.8, APIs: 1, Instructions: 274COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D3F337 Relevance: 1.6, APIs: 1, Instructions: 147COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D77436 Relevance: 1.6, Strings: 1, Instructions: 392COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D76F0D Relevance: 1.6, Strings: 1, Instructions: 388COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D77972 Relevance: 1.6, Strings: 1, Instructions: 388COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D7594B Relevance: 1.6, Strings: 1, Instructions: 348COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D754DA Relevance: 1.6, Strings: 1, Instructions: 344COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D75DCF Relevance: 1.6, Strings: 1, Instructions: 344COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D9B87F Relevance: 1.6, APIs: 1, Instructions: 83COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D7667E Relevance: 1.6, Strings: 1, Instructions: 326COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00DE0C58 Relevance: 1.6, Strings: 1, Instructions: 324COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D76240 Relevance: 1.6, Strings: 1, Instructions: 322COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D76ACF Relevance: 1.6, Strings: 1, Instructions: 322COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D8125D Relevance: 1.6, Instructions: 1571COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D74C94 Relevance: 1.6, Strings: 1, Instructions: 318COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D7487A Relevance: 1.6, Strings: 1, Instructions: 314COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D750C0 Relevance: 1.6, Strings: 1, Instructions: 314COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D9B42A Relevance: 1.6, APIs: 1, Instructions: 63COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D9BB39 Relevance: 1.5, APIs: 1, Instructions: 45COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D9B4EB Relevance: 1.5, APIs: 1, Instructions: 41COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D89F1F Relevance: 1.5, APIs: 1, Instructions: 33COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D3DC1F Relevance: 1.5, APIs: 1, Instructions: 32COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D9B3A8 Relevance: 1.5, APIs: 1, Instructions: 31COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D8AC69 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D8A10E Relevance: 1.5, APIs: 1, Instructions: 14COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D8ACB7 Relevance: 1.3, Strings: 1, Instructions: 23COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00DFC9C8 Relevance: .7, Instructions: 679COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D9A967 Relevance: .6, Instructions: 558COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D5AB4B Relevance: .5, Instructions: 481COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D5E170 Relevance: .4, Instructions: 449COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D5ED20 Relevance: .4, Instructions: 386COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00DE0718 Relevance: .4, Instructions: 353COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D92482 Relevance: .3, Instructions: 337COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00E01518 Relevance: .3, Instructions: 314COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00DFD238 Relevance: .3, Instructions: 290COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00E01C08 Relevance: .3, Instructions: 265COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D5E7E0 Relevance: .3, Instructions: 259COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00DFC0C8 Relevance: .2, Instructions: 240COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00DF9F18 Relevance: .2, Instructions: 179COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D5B8E0 Relevance: .2, Instructions: 158COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D988D8 Relevance: .0, Instructions: 40COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D9868D Relevance: .0, Instructions: 38COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D987F1 Relevance: .0, Instructions: 29COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D98846 Relevance: .0, Instructions: 29COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D985E7 Relevance: .0, Instructions: 26COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D9863A Relevance: .0, Instructions: 26COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D986FE Relevance: .0, Instructions: 18COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D3E2F8 Relevance: 9.2, APIs: 6, Instructions: 225COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D1AA5A Relevance: 9.2, APIs: 6, Instructions: 175COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D85455 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D8A7BE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35libraryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D8EAC7 Relevance: 7.8, APIs: 5, Instructions: 298COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D5025A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D8C0D8 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D979C8 Relevance: 6.1, APIs: 4, Instructions: 74COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D8F31D Relevance: 6.1, APIs: 4, Instructions: 54COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00DA654D Relevance: 6.0, APIs: 4, Instructions: 32COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00DA6669 Relevance: 6.0, APIs: 4, Instructions: 29COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph
| Execution Coverage: | 16% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 4.1% |
| Total number of Nodes: | 364 |
| Total number of Limit Nodes: | 20 |
Graph
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00438E4E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00435C40 Relevance: 1.5, APIs: 1, Instructions: 16libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0042B5D0 Relevance: .0, Instructions: 20COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00428CED Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 84memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00414720 Relevance: 3.2, APIs: 2, Instructions: 218COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004386EA Relevance: 1.6, APIs: 1, Instructions: 66memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00435AB0 Relevance: 1.6, APIs: 1, Instructions: 59memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00435BB2 Relevance: 1.6, APIs: 1, Instructions: 59memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004382F7 Relevance: 1.5, APIs: 1, Instructions: 36libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0042DBB0 Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 164clipboardCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |