Edit tour
Windows
Analysis Report
file.exe
Overview
General Information
| Sample name: | file.exe |
| Analysis ID: | 1431577 |
| MD5: | c91f9c9ffa73cd9d586d34f73beee0cd |
| SHA1: | 0c6c645322b236944142fdffacbb610906177ee3 |
| SHA256: | 1b17680574d595b6211da1ca0664113f78cfb0e678c209dd61664d0f99841942 |
| Tags: | exe |
| Infos: |  |
 | |
Detection
LummaC
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Detected VMProtect packer
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
file.exe (PID: 7328 cmdline: "C:\Users\ user\Deskt op\file.ex e" MD5: C91F9C9FFA73CD9D586D34F73BEEE0CD)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
{"C2 url": ["demonstationfukewko.shop", "liabilitynighstjsko.shop", "alcojoldwograpciw.shop", "incredibleextedwj.shop", "shortsvelventysjo.shop", "shatterbreathepsw.shop", "tolerateilusidjukl.shop", "productivelookewr.shop", "greetclassifytalk.shop"], "Build id": "4sxFKu--"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
⊘No Sigma rule has matched
| Timestamp: | 04/25/24-13:33:01.018564 |
| SID: | 2052037 |
| Source Port: | 49732 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 04/25/24-13:33:06.114264 |
| SID: | 2052037 |
| Source Port: | 49737 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 04/25/24-13:32:58.942006 |
| SID: | 2052028 |
| Source Port: | 56442 |
| Destination Port: | 53 |
| Protocol: | UDP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 04/25/24-13:33:01.871434 |
| SID: | 2052037 |
| Source Port: | 49733 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 04/25/24-13:33:04.680270 |
| SID: | 2052037 |
| Source Port: | 49736 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 04/25/24-13:32:59.247616 |
| SID: | 2052037 |
| Source Port: | 49730 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 04/25/24-13:33:02.853848 |
| SID: | 2052037 |
| Source Port: | 49734 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 04/25/24-13:33:03.855093 |
| SID: | 2052037 |
| Source Port: | 49735 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 04/25/24-13:33:00.026464 |
| SID: | 2052037 |
| Source Port: | 49731 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Joe Sandbox ML: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Code function: | 0_2_00CE5999 | |
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00CE42F0 | |
| Source: | Code function: | 0_2_00CF2458 | |
| Source: | Code function: | 0_2_00CEC540 | |
| Source: | Code function: | 0_2_00D057CA | |
| Source: | Code function: | 0_2_00D059E2 | |
| Source: | Code function: | 0_2_00CE4C49 | |
| Source: | Code function: | 0_2_00D03D10 | |
| Source: | Code function: | 0_2_00D03D10 | |
| Source: | Code function: | 0_2_00CF4087 | |
| Source: | Code function: | 0_2_00CF4084 | |
| Source: | Code function: | 0_2_00CDD140 | |
| Source: | Code function: | 0_2_00CF3943 | |
| Source: | Code function: | 0_2_00CD3260 | |
| Source: | Code function: | 0_2_00CEF234 | |
| Source: | Code function: | 0_2_00CEE451 | |
| Source: | Code function: | 0_2_00D05412 | |
| Source: | Code function: | 0_2_00CEA420 | |
| Source: | Code function: | 0_2_00CEA420 | |
| Source: | Code function: | 0_2_00CE4596 | |
| Source: | Code function: | 0_2_00CE46E6 | |
| Source: | Code function: | 0_2_00CEF640 | |
| Source: | Code function: | 0_2_00CE37C9 | |
| Source: | Code function: | 0_2_00CF271D | |
| Source: | Code function: | 0_2_00CEA8C0 | |
| Source: | Code function: | 0_2_00CFF890 | |
| Source: | Code function: | 0_2_00CF58A2 | |
| Source: | Code function: | 0_2_00CF58A2 | |
| Source: | Code function: | 0_2_00CEF828 | |
| Source: | Code function: | 0_2_00CF59CD | |
| Source: | Code function: | 0_2_00CF59D2 | |
| Source: | Code function: | 0_2_00CF594F | |
| Source: | Code function: | 0_2_00CECAEC | |
| Source: | Code function: | 0_2_00CDFA49 | |
| Source: | Code function: | 0_2_00CE1A44 | |
| Source: | Code function: | 0_2_00D01A70 | |
| Source: | Code function: | 0_2_00CF1CC7 | |
| Source: | Code function: | 0_2_00CE6CDD | |
| Source: | Code function: | 0_2_00CF4CB0 | |
| Source: | Code function: | 0_2_00CE3C46 | |
| Source: | Code function: | 0_2_00D07C45 | |
| Source: | Code function: | 0_2_00D07C47 | |
| Source: | Code function: | 0_2_00CE5D7D | |
| Source: | Code function: | 0_2_00CE3E4A | |
| Source: | Code function: | 0_2_00CDEF2D | |
Networking | |
|---|
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
System Summary | |
|---|
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00D02010 | |
| Source: | Code function: | 0_2_00CF04B7 | |
| Source: | Code function: | 0_2_00CD4740 | |
| Source: | Code function: | 0_2_00CF0CA0 | |
| Source: | Code function: | 0_2_00CD1000 | |
| Source: | Code function: | 0_2_00CD6030 | |
| Source: | Code function: | 0_2_00CD52F0 | |
| Source: | Code function: | 0_2_00CD3260 | |
| Source: | Code function: | 0_2_00D045F0 | |
| Source: | Code function: | 0_2_00CD65F0 | |
| Source: | Code function: | 0_2_00CDF690 | |
| Source: | Code function: | 0_2_00D097D0 | |
| Source: | Code function: | 0_2_00CD1700 | |
| Source: | Code function: | 0_2_00CF58A2 | |
| Source: | Code function: | 0_2_00D3387F | |
| Source: | Code function: | 0_2_00CF59D2 | |
| Source: | Code function: | 0_2_00CF594F | |
| Source: | Code function: | 0_2_00D09AF0 | |
| Source: | Code function: | 0_2_00CECAEC | |
| Source: | Code function: | 0_2_00D01A70 | |
| Source: | Code function: | 0_2_00CD7CB0 | |
| Source: | Code function: | 0_2_00CD3D70 | |
| Source: | Code function: | 0_2_00CD2E70 | |
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00D1B046 | |
| Source: | Code function: | 0_2_00D1A204 | |
| Source: | Code function: | 0_2_00D1A354 | |
| Source: | Code function: | 0_2_00D1A31E | |
| Source: | Code function: | 0_2_00D194FB | |
| Source: | Code function: | 0_2_00D1B5E8 | |
| Source: | Code function: | 0_2_00D1C576 | |
| Source: | Code function: | 0_2_00D1C6F1 | |
| Source: | Code function: | 0_2_00D196E6 | |
| Source: | Code function: | 0_2_00D2F6A0 | |
| Source: | Code function: | 0_2_00D1980C | |
| Source: | Code function: | 0_2_00D1A7D6 | |
| Source: | Code function: | 0_2_00D1A7DE | |
| Source: | Code function: | 0_2_00D1A758 | |
| Source: | Code function: | 0_2_00D1986E | |
| Source: | Code function: | 0_2_00D19870 | |
| Source: | Code function: | 0_2_00D1A836 | |
| Source: | Code function: | 0_2_00D1BAB2 | |
| Source: | Code function: | 0_2_00D1AA3C | |
| Source: | Code function: | 0_2_00D24576 | |
| Source: | Code function: | 0_2_00D1BA30 | |
| Source: | Code function: | 0_2_00D19B95 | |
| Source: | Code function: | 0_2_00D19B91 | |
| Source: | Code function: | 0_2_00D1AC96 | |
| Source: | Code function: | 0_2_00D1ACB1 | |
| Source: | Code function: | 0_2_00D2DFE3 | |
| Source: | Code function: | 0_2_00D1B046 | |
Hooking and other Techniques for Hiding and Protection | |
|---|
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | System information queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_00D03CC0 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Virtualization/Sandbox Evasion | 1 OS Credential Dumping | 321 Security Software Discovery | Remote Services | 1 Credential API Hooking | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 11 Deobfuscate/Decode Files or Information | 1 Credential API Hooking | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 3 Obfuscated Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | 3 Data from Local System | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 112 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira | HEUR/AGEN.1352800 | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 1% | Virustotal | Browse | ||
| 0% | Virustotal | Browse |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 14% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 16% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 14% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 12% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 17% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 1% | Virustotal | Browse | ||
| 16% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 17% | Virustotal | Browse | ||
| 17% | Virustotal | Browse | ||
| 18% | Virustotal | Browse |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| greetclassifytalk.shop | 104.21.51.78 | true | true |
| unknown |
| fp2e7a.wpc.phicdn.net | 192.229.211.108 | true | false |
| unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 104.21.51.78 | greetclassifytalk.shop | United States | 13335 | CLOUDFLARENETUS | true |
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1431577 |
| Start date and time: | 2024-04-25 13:32:08 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 3m 29s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 1 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | file.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@1/0@1/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Excluded IPs from analysis (whitelisted): 13.85.23.86, 23.47.204.74, 23.47.204.65, 13.85.23.206
- Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com
- HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 13:32:58 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 104.21.51.78 | Get hash | malicious | LummaC | Browse | ||
| Get hash | malicious | LummaC | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| fp2e7a.wpc.phicdn.net | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| greetclassifytalk.shop | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, RedLine, SmokeLoader | Browse |
| ||
| Get hash | malicious | LummaC, Babuk, Djvu, LummaC Stealer, RedLine, SmokeLoader | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | HtmlDropper, HTMLPhisher | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | AsyncRAT | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Remcos, DBatLoader | Browse |
| ||
| Get hash | malicious | Clipboard Hijacker, RisePro Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Remcos, DBatLoader | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Remcos, DBatLoader | Browse |
| ||
| Get hash | malicious | Remcos, DBatLoader | Browse |
| ||
| Get hash | malicious | Remcos, DBatLoader | Browse |
|
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 7.957533593819779 |
| TrID: |
|
| File name: | file.exe |
| File size: | 5'745'152 bytes |
| MD5: | c91f9c9ffa73cd9d586d34f73beee0cd |
| SHA1: | 0c6c645322b236944142fdffacbb610906177ee3 |
| SHA256: | 1b17680574d595b6211da1ca0664113f78cfb0e678c209dd61664d0f99841942 |
| SHA512: | 403eb2e3f09aacbaf06496d8e727d4a1c7d9fbff3b7437e14ab65cd142216189c0eb9d2ddc775f800a678b53ba7948c4704b48cd10de6b04a53d989dbfdc4286 |
| SSDEEP: | 98304:Guha6IiuJPovwGz5z0TWmakZv/Rjg3ozLRKdcB4S/BDTRm:nIiullGzOTNa+pjg3on0dwnJD9m |
| TLSH: | 974623232275209AF1E2CC3D853BFDF672F6126E8A83EC7C659A5CC438265F49613953 |
| File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....8#f..............................D...........@..........................@............@.................................0.O.... |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x84f01e |
| Entrypoint Section: | .vmp1 |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x662338B6 [Sat Apr 20 03:38:30 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | d435064ba91569f26a23505d954231af |
| Instruction |
|---|
| push DA78F8D9h |
| call 00007F0ABC7A0F7Eh |
| bswap esi |
| inc ecx |
| test dh, ch |
| inc ecx |
| cmp al, 0000000Bh |
| push ebx |
| neg bx |
| xor dword ptr [esp], esi |
| pop ebx |
| dec ecx |
| test esi, 35C6434Eh |
| cmc |
| dec eax |
| arpl si, si |
| inc ecx |
| test ebx, edi |
| inc sp |
| cmp ebx, edi |
| dec esp |
| add eax, esi |
| jmp 00007F0ABCC05F7Bh |
| mov eax, dword ptr [ebp+00h] |
| mov cx, 2DE6h |
| stc |
| cmp dh, 00000078h |
| mov cx, word ptr [ebp+04h] |
| lea ebp, dword ptr [ebp+00000006h] |
| stc |
| test si, 696Eh |
| cmp esi, esi |
| mov word ptr [eax], cx |
| xor cx, 2FEDh |
| adc cl, ch |
| rol ecx, FFFFFFBAh |
| lea esi, dword ptr [esi-00000004h] |
| cmp ebp, 1CC81D4Dh |
| bts ecx, eax |
| rcr cl, cl |
| mov ecx, dword ptr [esi] |
| clc |
| xor ecx, ebx |
| ror ecx, 02h |
| jmp 00007F0ABC8B8427h |
| sysenter |
| push 9D50F6B0h |
| call 00007F0ABC8A39C0h |
| jmp 00007F0ABCC3ECF3h |
| dec edx |
| cmc |
| not edx |
| cmc |
| clc |
| rol edx, 1 |
| cmp cx, si |
| neg edx |
| test edi, eax |
| jmp 00007F0ABCCBBA7Dh |
| jne 00007F0ABC7D7940h |
| mov eax, dword ptr [ebp+00h] |
| jmp 00007F0ABC8B13C1h |
| mov edx, dword ptr [ebp+00h] |
| mov cl, byte ptr [ebp+04h] |
| test dl, FFFFFF80h |
| stc |
| sub ebp, 00000002h |
| shl edx, cl |
| cmovnle ecx, edi |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4f9b30 | 0xdc | .vmp1 |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8f3000 | 0x5bc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x396000 | 0x80 | .vmp1 |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x39105 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x3b000 | 0x28fb | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x3e000 | 0xa534 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .vmp0 | 0x49000 | 0x32f379 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .vmp1 | 0x379000 | 0x579f00 | 0x57a000 | 118b68720f6ba0c5afa62a9c9bfccebb | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .reloc | 0x8f3000 | 0x5bc | 0x600 | 7c28dc7a41b61cce52c073cf5cfaf0ef | False | 0.51953125 | data | 4.1633892646707835 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| DLL | Import |
|---|---|
| KERNEL32.dll | ExitProcess |
| OLEAUT32.dll | SysAllocString |
| ole32.dll | CoCreateInstance |
| USER32.dll | CloseClipboard |
| GDI32.dll | BitBlt |
| WTSAPI32.dll | WTSSendMessageW |
| KERNEL32.dll | VirtualQuery |
| USER32.dll | GetProcessWindowStation |
| KERNEL32.dll | LocalAlloc, LocalFree, GetModuleFileNameW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, Sleep, ExitProcess, FreeLibrary, LoadLibraryA, GetModuleHandleA, GetProcAddress |
| USER32.dll | GetProcessWindowStation, GetUserObjectInformationW |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 04/25/24-13:33:01.018564 | TCP | 2052037 | ET TROJAN Observed Lumma Stealer Related Domain (greetclassifytalk .shop in TLS SNI) | 49732 | 443 | 192.168.2.4 | 104.21.51.78 |
| 04/25/24-13:33:06.114264 | TCP | 2052037 | ET TROJAN Observed Lumma Stealer Related Domain (greetclassifytalk .shop in TLS SNI) | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| 04/25/24-13:32:58.942006 | UDP | 2052028 | ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (greetclassifytalk .shop) | 56442 | 53 | 192.168.2.4 | 1.1.1.1 |
| 04/25/24-13:33:01.871434 | TCP | 2052037 | ET TROJAN Observed Lumma Stealer Related Domain (greetclassifytalk .shop in TLS SNI) | 49733 | 443 | 192.168.2.4 | 104.21.51.78 |
| 04/25/24-13:33:04.680270 | TCP | 2052037 | ET TROJAN Observed Lumma Stealer Related Domain (greetclassifytalk .shop in TLS SNI) | 49736 | 443 | 192.168.2.4 | 104.21.51.78 |
| 04/25/24-13:32:59.247616 | TCP | 2052037 | ET TROJAN Observed Lumma Stealer Related Domain (greetclassifytalk .shop in TLS SNI) | 49730 | 443 | 192.168.2.4 | 104.21.51.78 |
| 04/25/24-13:33:02.853848 | TCP | 2052037 | ET TROJAN Observed Lumma Stealer Related Domain (greetclassifytalk .shop in TLS SNI) | 49734 | 443 | 192.168.2.4 | 104.21.51.78 |
| 04/25/24-13:33:03.855093 | TCP | 2052037 | ET TROJAN Observed Lumma Stealer Related Domain (greetclassifytalk .shop in TLS SNI) | 49735 | 443 | 192.168.2.4 | 104.21.51.78 |
| 04/25/24-13:33:00.026464 | TCP | 2052037 | ET TROJAN Observed Lumma Stealer Related Domain (greetclassifytalk .shop in TLS SNI) | 49731 | 443 | 192.168.2.4 | 104.21.51.78 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Apr 25, 2024 13:32:59.122523069 CEST | 49730 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:32:59.122611046 CEST | 443 | 49730 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:32:59.122694969 CEST | 49730 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:32:59.247616053 CEST | 49730 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:32:59.247689009 CEST | 443 | 49730 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:32:59.486295938 CEST | 443 | 49730 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:32:59.486620903 CEST | 49730 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:32:59.488821030 CEST | 49730 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:32:59.488845110 CEST | 443 | 49730 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:32:59.489295006 CEST | 443 | 49730 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:32:59.534889936 CEST | 49730 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:32:59.554635048 CEST | 49730 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:32:59.554635048 CEST | 49730 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:32:59.554780960 CEST | 443 | 49730 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:00.015755892 CEST | 443 | 49730 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:00.015872002 CEST | 443 | 49730 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:00.015965939 CEST | 49730 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:00.018657923 CEST | 49730 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:00.018680096 CEST | 443 | 49730 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:00.026053905 CEST | 49731 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:00.026103973 CEST | 443 | 49731 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:00.026190996 CEST | 49731 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:00.026463985 CEST | 49731 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:00.026480913 CEST | 443 | 49731 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:00.262747049 CEST | 443 | 49731 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:00.262861967 CEST | 49731 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:00.264755011 CEST | 49731 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:00.264761925 CEST | 443 | 49731 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:00.265482903 CEST | 443 | 49731 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:00.267242908 CEST | 49731 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:00.267288923 CEST | 49731 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:00.267338037 CEST | 443 | 49731 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:00.797049046 CEST | 443 | 49731 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:00.797255993 CEST | 443 | 49731 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:00.797317028 CEST | 49731 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:00.797336102 CEST | 443 | 49731 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:00.797492981 CEST | 443 | 49731 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:00.797547102 CEST | 49731 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:00.797554970 CEST | 443 | 49731 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:00.797684908 CEST | 443 | 49731 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:00.797758102 CEST | 49731 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:00.797765970 CEST | 443 | 49731 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:00.797873020 CEST | 443 | 49731 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:00.797940016 CEST | 49731 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:00.797947884 CEST | 443 | 49731 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:00.798053026 CEST | 443 | 49731 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:00.798161030 CEST | 443 | 49731 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:00.798196077 CEST | 49731 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:00.798203945 CEST | 443 | 49731 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:00.798279047 CEST | 49731 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:00.798310995 CEST | 443 | 49731 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:00.798520088 CEST | 443 | 49731 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:00.798580885 CEST | 49731 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:00.798993111 CEST | 49731 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:00.799005985 CEST | 443 | 49731 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:00.799021006 CEST | 49731 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:00.799026012 CEST | 443 | 49731 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:01.018023014 CEST | 49732 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:01.018048048 CEST | 443 | 49732 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:01.018138885 CEST | 49732 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:01.018563986 CEST | 49732 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:01.018575907 CEST | 443 | 49732 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:01.256438017 CEST | 443 | 49732 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:01.256612062 CEST | 49732 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:01.258501053 CEST | 49732 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:01.258507967 CEST | 443 | 49732 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:01.258924961 CEST | 443 | 49732 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:01.260672092 CEST | 49732 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:01.260835886 CEST | 49732 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:01.260874033 CEST | 443 | 49732 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:01.260940075 CEST | 49732 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:01.260948896 CEST | 443 | 49732 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:01.783024073 CEST | 443 | 49732 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:01.783288956 CEST | 443 | 49732 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:01.783360958 CEST | 49732 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:01.784147978 CEST | 49732 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:01.870944023 CEST | 49733 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:01.870970964 CEST | 443 | 49733 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:01.871059895 CEST | 49733 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:01.871433973 CEST | 49733 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:01.871443987 CEST | 443 | 49733 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:02.106620073 CEST | 443 | 49733 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:02.106827021 CEST | 49733 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:02.108443975 CEST | 49733 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:02.108452082 CEST | 443 | 49733 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:02.108786106 CEST | 443 | 49733 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:02.110449076 CEST | 49733 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:02.110615015 CEST | 49733 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:02.110646963 CEST | 443 | 49733 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:02.618048906 CEST | 443 | 49733 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:02.618338108 CEST | 443 | 49733 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:02.618416071 CEST | 49733 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:02.618490934 CEST | 49733 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:02.618505001 CEST | 443 | 49733 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:02.853316069 CEST | 49734 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:02.853348970 CEST | 443 | 49734 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:02.853559017 CEST | 49734 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:02.853847980 CEST | 49734 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:02.853862047 CEST | 443 | 49734 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:03.089853048 CEST | 443 | 49734 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:03.090102911 CEST | 49734 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:03.091790915 CEST | 49734 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:03.091816902 CEST | 443 | 49734 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:03.092803001 CEST | 443 | 49734 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:03.094485044 CEST | 49734 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:03.094705105 CEST | 49734 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:03.094769955 CEST | 443 | 49734 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:03.094882965 CEST | 49734 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:03.094898939 CEST | 443 | 49734 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:03.652002096 CEST | 443 | 49734 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:03.652293921 CEST | 443 | 49734 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:03.652333975 CEST | 49734 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:03.652383089 CEST | 49734 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:03.854599953 CEST | 49735 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:03.854633093 CEST | 443 | 49735 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:03.854747057 CEST | 49735 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:03.855093002 CEST | 49735 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:03.855104923 CEST | 443 | 49735 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:04.094806910 CEST | 443 | 49735 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:04.095029116 CEST | 49735 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:04.096179962 CEST | 49735 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:04.096185923 CEST | 443 | 49735 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:04.096524000 CEST | 443 | 49735 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:04.097584963 CEST | 49735 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:04.097682953 CEST | 49735 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:04.097702026 CEST | 443 | 49735 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:04.599586964 CEST | 443 | 49735 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:04.599806070 CEST | 49735 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:04.679807901 CEST | 49736 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:04.679888010 CEST | 443 | 49736 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:04.679976940 CEST | 49736 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:04.680269957 CEST | 49736 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:04.680320978 CEST | 443 | 49736 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:04.923499107 CEST | 443 | 49736 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:04.923722029 CEST | 49736 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:04.924705982 CEST | 49736 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:04.924715042 CEST | 443 | 49736 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:04.925146103 CEST | 443 | 49736 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:04.927428007 CEST | 49736 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:04.927510023 CEST | 49736 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:04.927517891 CEST | 443 | 49736 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:05.426395893 CEST | 443 | 49736 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:05.426646948 CEST | 49736 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:06.113842964 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:06.113889933 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:06.113965034 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:06.114264011 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:06.114279032 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:06.352583885 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:06.352665901 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:06.354197979 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:06.354206085 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:06.355220079 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:06.356853008 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:06.358391047 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:06.358434916 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:06.358558893 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:06.358601093 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:06.358730078 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:06.358786106 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:06.358946085 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:06.358974934 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:06.359136105 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:06.359164953 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:06.359349966 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:06.359380960 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:06.359394073 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:06.359586954 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:06.359618902 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:06.404120922 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:06.404355049 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:06.404408932 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:06.404428005 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:06.452105999 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:06.452315092 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:06.452362061 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:06.452390909 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:06.500118017 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:06.500395060 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:06.548115969 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:06.691236019 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:07.929084063 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:07.929426908 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| Apr 25, 2024 13:33:07.929428101 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| Apr 25, 2024 13:33:07.929507017 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Apr 25, 2024 13:32:58.942006111 CEST | 56442 | 53 | 192.168.2.4 | 1.1.1.1 |
| Apr 25, 2024 13:32:59.088901997 CEST | 53 | 56442 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Apr 25, 2024 13:32:58.942006111 CEST | 192.168.2.4 | 1.1.1.1 | 0xf04c | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Apr 25, 2024 13:32:59.088901997 CEST | 1.1.1.1 | 192.168.2.4 | 0xf04c | No error (0) | 104.21.51.78 | A (IP address) | IN (0x0001) | false | ||
| Apr 25, 2024 13:32:59.088901997 CEST | 1.1.1.1 | 192.168.2.4 | 0xf04c | No error (0) | 172.67.177.98 | A (IP address) | IN (0x0001) | false | ||
| Apr 25, 2024 13:33:16.475043058 CEST | 1.1.1.1 | 192.168.2.4 | 0xe122 | No error (0) | fp2e7a.wpc.phicdn.net | CNAME (Canonical name) | IN (0x0001) | false | ||
| Apr 25, 2024 13:33:16.475043058 CEST | 1.1.1.1 | 192.168.2.4 | 0xe122 | No error (0) | 192.229.211.108 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49730 | 104.21.51.78 | 443 | 7328 | C:\Users\user\Desktop\file.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-25 11:32:59 UTC | 269 | OUT | |
| 2024-04-25 11:32:59 UTC | 8 | OUT | |
| 2024-04-25 11:33:00 UTC | 808 | IN | |
| 2024-04-25 11:33:00 UTC | 7 | IN | |
| 2024-04-25 11:33:00 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49731 | 104.21.51.78 | 443 | 7328 | C:\Users\user\Desktop\file.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-25 11:33:00 UTC | 270 | OUT | |
| 2024-04-25 11:33:00 UTC | 49 | OUT | |
| 2024-04-25 11:33:00 UTC | 802 | IN | |
| 2024-04-25 11:33:00 UTC | 567 | IN | |
| 2024-04-25 11:33:00 UTC | 716 | IN | |
| 2024-04-25 11:33:00 UTC | 1369 | IN | |
| 2024-04-25 11:33:00 UTC | 1369 | IN | |
| 2024-04-25 11:33:00 UTC | 1369 | IN | |
| 2024-04-25 11:33:00 UTC | 1369 | IN | |
| 2024-04-25 11:33:00 UTC | 1369 | IN | |
| 2024-04-25 11:33:00 UTC | 1369 | IN | |
| 2024-04-25 11:33:00 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 49732 | 104.21.51.78 | 443 | 7328 | C:\Users\user\Desktop\file.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-25 11:33:01 UTC | 288 | OUT | |
| 2024-04-25 11:33:01 UTC | 15331 | OUT | |
| 2024-04-25 11:33:01 UTC | 2827 | OUT | |
| 2024-04-25 11:33:01 UTC | 810 | IN | |
| 2024-04-25 11:33:01 UTC | 23 | IN | |
| 2024-04-25 11:33:01 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.4 | 49733 | 104.21.51.78 | 443 | 7328 | C:\Users\user\Desktop\file.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-25 11:33:02 UTC | 287 | OUT | |
| 2024-04-25 11:33:02 UTC | 8779 | OUT | |
| 2024-04-25 11:33:02 UTC | 804 | IN | |
| 2024-04-25 11:33:02 UTC | 23 | IN | |
| 2024-04-25 11:33:02 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.4 | 49734 | 104.21.51.78 | 443 | 7328 | C:\Users\user\Desktop\file.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-25 11:33:03 UTC | 288 | OUT | |
| 2024-04-25 11:33:03 UTC | 15331 | OUT | |
| 2024-04-25 11:33:03 UTC | 5101 | OUT | |
| 2024-04-25 11:33:03 UTC | 808 | IN | |
| 2024-04-25 11:33:03 UTC | 23 | IN | |
| 2024-04-25 11:33:03 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.4 | 49735 | 104.21.51.78 | 443 | 7328 | C:\Users\user\Desktop\file.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-25 11:33:04 UTC | 287 | OUT | |
| 2024-04-25 11:33:04 UTC | 5433 | OUT | |
| 2024-04-25 11:33:04 UTC | 806 | IN | |
| 2024-04-25 11:33:04 UTC | 23 | IN | |
| 2024-04-25 11:33:04 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.4 | 49736 | 104.21.51.78 | 443 | 7328 | C:\Users\user\Desktop\file.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-25 11:33:04 UTC | 287 | OUT | |
| 2024-04-25 11:33:04 UTC | 1378 | OUT | |
| 2024-04-25 11:33:05 UTC | 806 | IN | |
| 2024-04-25 11:33:05 UTC | 23 | IN | |
| 2024-04-25 11:33:05 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.4 | 49737 | 104.21.51.78 | 443 | 7328 | C:\Users\user\Desktop\file.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-25 11:33:06 UTC | 289 | OUT | |
| 2024-04-25 11:33:06 UTC | 15331 | OUT | |
| 2024-04-25 11:33:06 UTC | 15331 | OUT | |
| 2024-04-25 11:33:06 UTC | 15331 | OUT | |
| 2024-04-25 11:33:06 UTC | 15331 | OUT | |
| 2024-04-25 11:33:06 UTC | 15331 | OUT | |
| 2024-04-25 11:33:06 UTC | 15331 | OUT | |
| 2024-04-25 11:33:06 UTC | 15331 | OUT | |
| 2024-04-25 11:33:06 UTC | 15331 | OUT | |
| 2024-04-25 11:33:06 UTC | 15331 | OUT | |
| 2024-04-25 11:33:06 UTC | 15331 | OUT | |
| 2024-04-25 11:33:07 UTC | 802 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
| Target ID: | 0 |
| Start time: | 13:32:56 |
| Start date: | 25/04/2024 |
| Path: | C:\Users\user\Desktop\file.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xcd0000 |
| File size: | 5'745'152 bytes |
| MD5 hash: | C91F9C9FFA73CD9D586D34F73BEEE0CD |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 12.9% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 10.5% |
| Total number of Nodes: | 712 |
| Total number of Limit Nodes: | 19 |
Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CD4740 Relevance: 5.5, Strings: 4, Instructions: 501COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CEC540 Relevance: 1.6, Strings: 1, Instructions: 365COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D03CC0 Relevance: 1.5, APIs: 1, Instructions: 16libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CE37C9 Relevance: 1.4, Strings: 1, Instructions: 105COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CE4C49 Relevance: 1.3, Strings: 1, Instructions: 80COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CF04B7 Relevance: .4, Instructions: 438COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CF0CA0 Relevance: .4, Instructions: 371COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D02010 Relevance: .3, Instructions: 300COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D03D10 Relevance: .2, Instructions: 229COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CF2458 Relevance: .2, Instructions: 153COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CE42F0 Relevance: .1, Instructions: 146COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D057CA Relevance: .1, Instructions: 131COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D059E2 Relevance: .1, Instructions: 76COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D06041 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 92libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D06CD4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CE7810 Relevance: 3.1, APIs: 2, Instructions: 65COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CF7F5A Relevance: 1.6, APIs: 1, Instructions: 104memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CF7F84 Relevance: 1.6, APIs: 1, Instructions: 95memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CFD608 Relevance: 1.6, APIs: 1, Instructions: 92COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D06209 Relevance: 1.6, APIs: 1, Instructions: 87libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D05F1F Relevance: 1.6, APIs: 1, Instructions: 68libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D03B50 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D075CD Relevance: 1.5, APIs: 1, Instructions: 44memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D03C2A Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CD1700 Relevance: 10.6, Strings: 8, Instructions: 594COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CDEF2D Relevance: 6.4, Strings: 5, Instructions: 151COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CD52F0 Relevance: 3.4, Strings: 2, Instructions: 851COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D09AF0 Relevance: 2.8, Strings: 2, Instructions: 310COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CE3E4A Relevance: 2.6, Strings: 2, Instructions: 146COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D05412 Relevance: 2.6, Strings: 2, Instructions: 113COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CF58A2 Relevance: 2.1, Strings: 1, Instructions: 839COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CD1000 Relevance: 1.8, Strings: 1, Instructions: 544COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CE6CDD Relevance: 1.6, Strings: 1, Instructions: 374COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CEA8C0 Relevance: 1.6, Strings: 1, Instructions: 304COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CEA420 Relevance: 1.5, Strings: 1, Instructions: 296COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CD65F0 Relevance: 1.5, Strings: 1, Instructions: 264COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CE3C46 Relevance: 1.4, Strings: 1, Instructions: 106COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CD7CB0 Relevance: .9, Instructions: 863COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CD3260 Relevance: .7, Instructions: 739COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D045F0 Relevance: .7, Instructions: 654COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CD3D70 Relevance: .6, Instructions: 606COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CD6030 Relevance: .5, Instructions: 506COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CF594F Relevance: .4, Instructions: 439COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CF59D2 Relevance: .4, Instructions: 438COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CF59CD Relevance: .4, Instructions: 388COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D097D0 Relevance: .3, Instructions: 294COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D01A70 Relevance: .2, Instructions: 186COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CDF690 Relevance: .1, Instructions: 136COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CE5D7D Relevance: .1, Instructions: 136COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CE46E6 Relevance: .1, Instructions: 131COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CD2E70 Relevance: .1, Instructions: 112COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CEF234 Relevance: .1, Instructions: 105COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CEF828 Relevance: .1, Instructions: 97COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CF271D Relevance: .1, Instructions: 88COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CEF640 Relevance: .1, Instructions: 77COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CF4CB0 Relevance: .1, Instructions: 65COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CFF890 Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CE1A44 Relevance: .1, Instructions: 52COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CF1CC7 Relevance: .0, Instructions: 45COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CEE451 Relevance: .0, Instructions: 34COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CDFA49 Relevance: .0, Instructions: 30COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CDD140 Relevance: .0, Instructions: 21COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00CE4596 Relevance: .0, Instructions: 11COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D07C45 Relevance: .0, Instructions: 11COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D07C47 Relevance: .0, Instructions: 11COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D2EEF8 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D378E0 Relevance: 7.8, APIs: 5, Instructions: 263COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00D3284B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |