Windows
Analysis Report
Setup_patched.exe
Overview
General Information
Detection
LummaC Stealer
Score: 100 (range 0 - 100), Confidence: 100%
Signatures
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
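Two of the static signatures in the list above, "Uses 32bit PE files" and "PE file contains an invalid checksum", can be reproduced offline without a sandbox. The following is an added example, not code from the report or from Joe Sandbox: it reads the COFF Machine field and recomputes the optional-header CheckSum with the standard PE algorithm (the one imagehlp's CheckSumMappedFile and pefile implement) using only the Python standard library. `build_minimal_pe` constructs a skeleton PE32 for demonstration; it is not the analysed sample, and the machine-name table and the "absent/valid/invalid" labels are this example's own conventions.

```python
"""Static PE triage: machine type and header checksum.

Added example (not from the Joe Sandbox report). Standard library only,
so it runs on a Linux triage box without pefile.
"""
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
_MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "x86 (32-bit)", IMAGE_FILE_MACHINE_AMD64: "x64"}


def _pe_header_offset(data: bytes) -> int:
    """Return the file offset of the 'PE\\0\\0' signature after validating the DOS header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    return e_lfanew


def pe_checksum(data: bytes) -> int:
    """Recompute the PE image checksum over the whole file.

    The 4-byte CheckSum field itself is skipped (as imagehlp does), so the
    result does not depend on whatever value is currently stored there.
    """
    pe = _pe_header_offset(data)
    checksum_offset = pe + 4 + 20 + 64  # signature + COFF header + OptionalHeader.CheckSum
    remainder = len(data) % 4
    padded_len = len(data) + ((4 - remainder) if remainder else 0)
    checksum = 0
    for i in range(padded_len // 4):
        if i == checksum_offset // 4:
            continue
        chunk = data[i * 4:i * 4 + 4].ljust(4, b"\0")  # zero-pad the tail dword
        checksum += struct.unpack("<I", chunk)[0]
        if checksum >= 1 << 32:
            checksum = (checksum & 0xFFFFFFFF) + (checksum >> 32)
    checksum = (checksum & 0xFFFF) + (checksum >> 16)
    checksum = checksum + (checksum >> 16)
    checksum &= 0xFFFF
    return checksum + len(data)


def pe_triage(data: bytes) -> dict:
    """Report machine type and compare the stored CheckSum with the recomputed one."""
    pe = _pe_header_offset(data)
    machine = struct.unpack_from("<H", data, pe + 4)[0]
    stored = struct.unpack_from("<I", data, pe + 4 + 20 + 64)[0]
    computed = pe_checksum(data)
    if stored == 0:
        state = "absent"      # linker never set one; common for user-mode binaries
    elif stored == computed:
        state = "valid"
    else:
        state = "invalid"     # what the sandbox signature "invalid checksum" refers to
    return {
        "machine": _MACHINE_NAMES.get(machine, hex(machine)),
        "is_32bit": machine == IMAGE_FILE_MACHINE_I386,
        "stored_checksum": stored,
        "computed_checksum": computed,
        "checksum_state": state,
    }


def build_minimal_pe(checksum: int = 0, machine: int = IMAGE_FILE_MACHINE_I386) -> bytes:
    """Constructed sample: a minimal PE32 skeleton, not the analysed file."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)   # 64 bytes
    optional = bytearray(224)                                        # PE32 optional header
    struct.pack_into("<H", optional, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", optional, 64, checksum)                   # CheckSum field
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, len(optional), 0x0102)
    body = b"constructed .text bytes, odd length"                    # 35 bytes: exercises tail padding
    return dos_header + b"PE\0\0" + coff + bytes(optional) + body


if __name__ == "__main__":
    import sys
    sample = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe()
    for key, value in pe_triage(sample).items():
        print(f"{key}: {value}")
```

Run it as `python pe_triage.py Setup_patched.exe` to check a real file. The result is three-way on purpose: a stored checksum of 0 means the linker never wrote one, which is normal for user-mode executables and not suspicious by itself; a non-zero value that does not match the recomputed one is the case the "invalid checksum" signature flags and typically indicates the image was modified after linking, which fits a file named `Setup_patched.exe`.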
Classification
- System is w10x64
Setup_patched.exe (PID: 7836 cmdline: "C:\Users\user\Desktop\Setup_patched.exe" MD5: B4E8BDDA146B28CB226F3B1A77DBC7EC)
- cleanup
{"C2 url": ["jesxterplay.run/tuyhd", "jawdedmirror.run/ewqd", "changeaie.top/geps", "lonfgshadow.live/xawi", "liftally.top/xasj", "nighetwhisper.top/lekd", "salaccgfa.top/gsooz", "zestmodp.top/zeda", "owlflright.digital/qopy"], "Build id": "637b55279021aab33278188cfa638397"}
Rule | Description | Author
---|---|---
JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security

Rule | Description | Author
---|---|---
JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security
JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security
⊘No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-04-13T17:04:55.287739+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49703 | 89.169.54.153 | 443 | TCP |
2025-04-13T17:05:16.627058+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49692 | 104.21.80.1 | 443 | TCP |
2025-04-13T17:05:19.882870+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49694 | 104.21.80.1 | 443 | TCP |
2025-04-13T17:05:21.701529+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49697 | 104.21.80.1 | 443 | TCP |
2025-04-13T17:05:24.042700+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49698 | 104.21.80.1 | 443 | TCP |
2025-04-13T17:05:28.598364+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49699 | 104.21.80.1 | 443 | TCP |
2025-04-13T17:05:29.956435+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49700 | 104.21.80.1 | 443 | TCP |
2025-04-13T17:05:31.688199+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49701 | 104.21.80.1 | 443 | TCP |
2025-04-13T17:05:33.613012+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49702 | 104.21.80.1 | 443 | TCP |
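The extracted configuration above and the Suricata alert table directly above are the report's actionable network indicators. The following is an added example, not code from the report or from Joe Sandbox: it parses both, assuming the configuration JSON and the nine alert rows are copied verbatim, splits the scheme-less C2 entries into host and path, counts the external peers the sandbox actually connected to, and emits Suricata DNS-query and TLS-SNI rules for the nine C2 domains. The SID range starting at 9000001, the rule messages and the defanging style are placeholders chosen here.

```python
"""IOC bundle from the LummaC configuration and the Suricata alert rows.

Added example, not part of the Joe Sandbox report. CONFIG_JSON is the
configuration the report printed; SURICATA_ROWS are the report's alert rows.
"""
import json
import re
from collections import Counter
from urllib.parse import urlsplit

CONFIG_JSON = (
    '{"C2 url": ["jesxterplay.run/tuyhd", "jawdedmirror.run/ewqd", '
    '"changeaie.top/geps", "lonfgshadow.live/xawi", "liftally.top/xasj", '
    '"nighetwhisper.top/lekd", "salaccgfa.top/gsooz", "zestmodp.top/zeda", '
    '"owlflright.digital/qopy"], "Build id": "637b55279021aab33278188cfa638397"}'
)

# Timestamp | SID | Severity | Classtype | Src IP | Src Port | Dst IP | Dst Port | Proto
SURICATA_ROWS = """
2025-04-13T17:04:55.287739+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49703 | 89.169.54.153 | 443 | TCP
2025-04-13T17:05:16.627058+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49692 | 104.21.80.1 | 443 | TCP
2025-04-13T17:05:19.882870+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49694 | 104.21.80.1 | 443 | TCP
2025-04-13T17:05:21.701529+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49697 | 104.21.80.1 | 443 | TCP
2025-04-13T17:05:24.042700+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49698 | 104.21.80.1 | 443 | TCP
2025-04-13T17:05:28.598364+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49699 | 104.21.80.1 | 443 | TCP
2025-04-13T17:05:29.956435+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49700 | 104.21.80.1 | 443 | TCP
2025-04-13T17:05:31.688199+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49701 | 104.21.80.1 | 443 | TCP
2025-04-13T17:05:33.613012+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49702 | 104.21.80.1 | 443 | TCP
"""

PRIVATE_V4 = re.compile(r"^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


def parse_config(raw: str) -> dict:
    """Split the scheme-less 'host/path' C2 entries into host and path."""
    cfg = json.loads(raw)
    c2 = []
    for entry in cfg["C2 url"]:
        parts = urlsplit("https://" + entry)  # the config stores host/path only
        c2.append({"host": parts.hostname, "path": parts.path, "raw": entry})
    return {"build_id": cfg["Build id"], "c2": c2}


def parse_alerts(table: str) -> list:
    """Parse the pipe-separated alert rows into dicts."""
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        ts, sid, sev, cls, src, sport, dst, dport, proto = cells
        rows.append({"ts": ts, "sid": int(sid), "severity": int(sev), "classtype": cls,
                     "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
                     "proto": proto})
    return rows


def external_peers(alerts: list) -> Counter:
    """Count (dst_ip, dst_port) pairs outside RFC1918 and loopback space."""
    return Counter((a["dst"], a["dport"]) for a in alerts if not PRIVATE_V4.match(a["dst"]))


def defang(indicator: str) -> str:
    return indicator.replace("http", "hxxp").replace(".", "[.]")


def suricata_rules(hosts: list, first_sid: int = 9000001) -> list:
    """One DNS-query rule and one TLS-SNI rule per C2 host (Suricata 5+ sticky buffers)."""
    rules, sid = [], first_sid
    for host in hosts:
        rules.append(
            f'alert dns any any -> any any (msg:"LummaC C2 DNS lookup {host}"; '
            f'dns.query; content:"{host}"; nocase; endswith; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)'
        )
        rules.append(
            f'alert tls any any -> any any (msg:"LummaC C2 TLS SNI {host}"; '
            f'tls.sni; content:"{host}"; nocase; endswith; '
            f'classtype:trojan-activity; sid:{sid + 1}; rev:1;)'
        )
        sid += 2
    return rules


def build_bundle(config_json: str = CONFIG_JSON, alert_table: str = SURICATA_ROWS) -> dict:
    cfg = parse_config(config_json)
    alerts = parse_alerts(alert_table)
    hosts = [c["host"] for c in cfg["c2"]]
    peers = external_peers(alerts)
    return {
        "build_id": cfg["build_id"],
        "domains": hosts,
        "tlds": Counter(h.rsplit(".", 1)[1] for h in hosts),
        "ips": sorted({ip for ip, _ in peers}),
        "peer_counts": dict(peers),
        "alert_sids": Counter(a["sid"] for a in alerts),
        "defanged": [defang(c["raw"]) for c in cfg["c2"]] + [defang(ip) for ip, _ in peers],
        "rules": suricata_rules(hosts),
    }


if __name__ == "__main__":
    bundle = build_bundle()
    print("build id :", bundle["build_id"])
    print("TLDs     :", dict(bundle["tlds"]))
    print("peers    :", bundle["peer_counts"])
    for ind in bundle["defanged"]:
        print("IOC      :", ind)
    print("\n".join(bundle["rules"]))
```

The two destination addresses are weak indicators on their own: the eight 443/TCP alerts to 104.21.80.1 fall in Cloudflare's 104.16.0.0/12 range, which fronts many unrelated sites, so block and hunt on the domains and the TLS SNI rather than the IPs. The build id is the useful pivot for grouping other samples that share this configuration, and the fact that all nine alerts carry the same SID at severity 3 is why the report lists them as low-severity Suricata hits rather than as a C2-specific signature.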
AV Detection |
---|
Avira URL Cloud: 4 entries; Malware Configuration Extractor: 1 entry; Virustotal: perma link.
String decryptor: 9 entries.
Code functions: 3_3_029AF3B1, 3_3_029AA19B, 3_3_029AF68D.
Static PE information: 1 entry.
HTTPS traffic detected: 8 entries.
Code functions (55 entries; an address repeats where one function produced more than one row): 3_3_029BFAE0, 3_3_029A9080, 3_3_029E00B0, 3_3_029E08D0, 3_3_029D4680, 3_3_029D4680, 3_3_029A1748, 3_3_029DEF70, 3_3_029DFCB0, 3_3_029DFCB0, 3_3_029B05B0, 3_3_029B05B0, 3_3_0299B2B0, 3_3_029ABAAF, 3_3_0299CAC0, 3_3_029E0AC0, 3_3_029AAA0B, 3_3_029B9230, 3_3_029DD250, 3_3_029B2270, 3_3_029AA3A3, 3_3_029D9BD0, 3_3_0299F3F6, 3_3_029BEBE0, 3_3_029B7B20, 3_3_029A0B40, 3_3_029BF080, 3_3_0299A8C0, 3_3_029C08F5, 3_3_029B2E12, 3_3_029DA810, 3_3_029B3815, 3_3_029DF850, 3_3_029DF850, 3_3_029C0199, 3_3_029D5910, 3_3_029B2969, 3_3_029AD16C, 3_3_02999EC0, 3_3_02999EC0, 3_3_029B2E12, 3_3_029DC620, 3_3_029AAE42, 3_3_029A0789, 3_3_029D87F0, 3_3_029B4965, 3_3_029B4F4C, 3_3_029B3C80, 3_3_029B3C80, 3_3_029ADCB8, 3_3_029D94F0, 3_3_029C3DB0, 3_3_02991DE0, 3_3_029AFD50, 3_3_029B3565.
Networking |
---|
URLs: 9 entries; IP Address: 2 entries; ASN Name: 1 entry; JA3 fingerprint: 1 entry; Suricata IDS: 9 entries; HTTP traffic detected: 8 entries; UDP traffic detected without corresponding DNS query: 2 entries; DNS traffic detected: 2 entries; HTTP traffic detected: 1 entry; String found in binary or memory: 53 entries; Network traffic detected: 22 entries; HTTPS traffic detected: 8 entries.
Code functions: 3_3_029CEBC0 (2 entries); 3_3_02270B72, 3_3_022710E8, 3_3_0227066E, 3_3_02270CD8, 3_2_0221206F, 3_2_022120C2, 3_2_02212100.
Code functions (77 entries): 3_3_029BFAE0, 3_3_0299DBF0, 3_3_02993B05, 3_3_029A9080, 3_3_029B9840, 3_3_029B8870, 3_3_029D4680, 3_3_029A1EB6, 3_3_029ADEA5, 3_3_029A5E00, 3_3_029A37B3, 3_3_0299B720, 3_3_029A1748, 3_3_029DEF70, 3_3_029DFCB0, 3_3_029A1C1A, 3_3_029D8430, 3_3_029B05B0, 3_3_029A4D44, 3_3_029B62A0, 3_3_0299CAC0, 3_3_0299FA00, 3_3_029B9230, 3_3_029A5A29, 3_3_029B4A28, 3_3_029DD250, 3_3_029A1A7C, 3_3_029D9BD0, 3_3_0299C3E0, 3_3_029BEBE0, 3_3_0299B300, 3_3_029B7B20, 3_3_029D3B50, 3_3_029A0B40, 3_3_029A236D, 3_3_02998B60, 3_3_029C5360, 3_3_029AB094, 3_3_029BF080, 3_3_029B38CD, 3_3_0299A8C0, 3_3_029990E0, 3_3_029DC8E0, 3_3_0299C010, 3_3_029DA810, 3_3_029DF850, 3_3_029979D0, 3_3_029C39C0, 3_3_029D5910, 3_3_029DE920, 3_3_02993150, 3_3_029B5170, 3_3_029B2969, 3_3_029AD16C, 3_3_029AA6B2, 3_3_029AFEA6, 3_3_02999EC0, 3_3_029986F0, 3_3_029DC620, 3_3_02991FA0, 3_3_029B57CD, 3_3_029C87E0, 3_3_029B2F08, 3_3_029A2F00, 3_3_029A9F05, 3_3_029A3F4E, 3_3_029B3C80, 3_3_029DF4A0, 3_3_029B5CD0, 3_3_029DCCD0, 3_3_029D94F0, 3_3_029ABCE0, 3_3_029AF599, 3_3_029CC5A0, 3_3_0299BDE0, 3_3_029A5500, 3_2_02210665.
Further evidence: Code function: 1 entry (no address given); Static PE information: 2 entries; Binary or memory string: 3 entries; Static PE information: 1 entry; Classification label: 1 entry; Code function 3_2_02210D75; Code function 3_3_029D4680; Key opened: 2 entries; Binary or memory string: 1 entry; Virustotal: 1 entry; String found in binary or memory: 4 entries; File read: 1 entry; Section loaded: 39 entries; Static file information: 1 entry; Static PE information: 1 entry; Process information set: 2 entries.
Malware Analysis System Evasion |
---|
WMI Queries: 1 entry; System information queried: 1 entry; Thread sleep time: 1 entry; WMI Queries: 1 entry; Binary or memory string: 34 entries; Process information queried: 1 entry.
Code function 3_3_029DB240; Code functions 3_2_02210665, 3_2_02210C25, 3_2_02211275, 3_2_02211274, 3_2_02210FD5, 3_2_02211C63.
Queries volume information: 1 entry; Key value queried: 1 entry; Binary or memory string: 1 entry; WMI Queries: 1 entry.
Stealing of Sensitive Information |
---|
File source: 4 entries; File opened: 127 entries (in three groups of 108, 7 and 12); Directory queried: 72 entries.
Remote Access Functionality |
---|
File source: 4 entries.
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 221 Security Software Discovery | Remote Services | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 21 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 31 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | 2 Clipboard Data | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 22 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 7% | Virustotal | | Browse |
| 6% | ReversingLabs | | |
⊘No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
100% | Avira URL Cloud | malware | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
100% | Avira URL Cloud | malware | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
jesxterplay.run | 104.21.80.1 | true | true | unknown | |
h1.mockupeastcoast.shop | 89.169.54.153 | true | false | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| false | | high |
| false | | high |
| true | | unknown |
| false | | high |
| false | | high |
| false | | high |
| false | | high |
| false | | high |
| false | | unknown |
| false | | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | high |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
89.169.54.153 | h1.mockupeastcoast.shop | Russian Federation | | 31514 | INF-NET-ASRU | false |
104.21.80.1 | jesxterplay.run | United States | | 13335 | CLOUDFLARENETUS | true |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1664107 |
Start date and time: | 2025-04-13 17:04:09 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 40s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 8 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | Setup_patched.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@1/0@2/2 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 23.76.34.6, 52.149.20.212, 150.171.28.254
- Excluded domains from analysis (whitelisted): c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com, ax-ring.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, c.pki.goog, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenFile calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description |
---|---|---|
11:05:16 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
89.169.54.153 | Get hash | malicious | LummaC Stealer | Browse | |
| Get hash | malicious | LummaC Stealer | Browse | |
| Get hash | malicious | LummaC Stealer | Browse | |
| Get hash | malicious | LummaC Stealer | Browse | |
104.21.80.1 | Get hash | malicious | FormBook | Browse | |
| Get hash | malicious | FormBook | Browse | |
| Get hash | malicious | Unknown | Browse | |
| Get hash | malicious | FormBook | Browse | |
| Get hash | malicious | FormBook | Browse | |
| Get hash | malicious | FormBook | Browse | |
| Get hash | malicious | FormBook | Browse | |
| Get hash | malicious | Unknown | Browse | |
| Get hash | malicious | Unknown | Browse | |
| Get hash | malicious | Unknown | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
h1.mockupeastcoast.shop | Get hash | malicious | LummaC Stealer | Browse | |
| Get hash | malicious | LummaC Stealer | Browse | |
| Get hash | malicious | LummaC Stealer | Browse | |
| Get hash | malicious | LummaC Stealer | Browse | |
| Get hash | malicious | LummaC Stealer | Browse | |
| Get hash | malicious | LummaC Stealer | Browse | |
| Get hash | malicious | LummaC Stealer | Browse | |
| Get hash | malicious | LummaC Stealer | Browse | |
| Get hash | malicious | LummaC Stealer | Browse | |
| Get hash | malicious | LummaC Stealer | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
INF-NET-ASRU | Get hash | malicious | LummaC Stealer | Browse | |
| Get hash | malicious | LummaC Stealer | Browse | |
| Get hash | malicious | LummaC Stealer | Browse | |
| Get hash | malicious | Mirai | Browse | |
| Get hash | malicious | LummaC Stealer | Browse | |
| Get hash | malicious | Unknown | Browse | |
| Get hash | malicious | Mirai | Browse | |
| Get hash | malicious | Unknown | Browse | |
| Get hash | malicious | Vidar | Browse | |
| Get hash | malicious | Unknown | Browse | |
CLOUDFLARENETUS | Get hash | malicious | LummaC Stealer | Browse | |
| Get hash | malicious | Unknown | Browse | |
| Get hash | malicious | LummaC Stealer | Browse | |
| Get hash | malicious | LummaC Stealer | Browse | |
| Get hash | malicious | Cobalt Strike, MSIL Logger, MassLogger RAT | Browse | |
| Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | |
| Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | |
| Get hash | malicious | Cobalt Strike, MSIL Logger, MassLogger RAT | Browse | |
| Get hash | malicious | Cobalt Strike, MSIL Logger, MassLogger RAT | Browse | |
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC Stealer | Browse | |
| Get hash | malicious | LummaC Stealer | Browse | |
| Get hash | malicious | LummaC Stealer | Browse | |
| Get hash | malicious | LummaC Stealer | Browse | |
| Get hash | malicious | LummaC Stealer | Browse | |
| Get hash | malicious | LummaC Stealer | Browse | |
| Get hash | malicious | LummaC Stealer | Browse | |
| Get hash | malicious | GO Backdoor, LummaC Stealer | Browse | |
| Get hash | malicious | Koadic | Browse | |
| Get hash | malicious | HTMLPhisher, LummaC Stealer | Browse | |
⊘No context
⊘No created / dropped files found
File type: | |
Entropy (8bit): | 6.892983600650409 |
TrID: | |
File name: | Setup_patched.exe |
File size: | 1'475'072 bytes |
MD5: | b4e8bdda146b28cb226f3b1a77dbc7ec |
SHA1: | 52e88530567fc1154be2c11fea15018bb24e6824 |
SHA256: | 0291228d9e8db56848514b2029803999ed513d8b549c2cc60a748d03ca39df55 |
SHA512: | 1309e8be4f6dbafdfcf12e1f9766bdbaf110904e0ef9079409f77fc9185fcf78e17bd52c3598891be15140c6b762ccae0e42985437876a307ccdddd74e78c7f7 |
SSDEEP: | 24576:EEZXjiinrzY5tO+uKE3eMT0jECZQEbLBDBEnFWsyg7x93THJ92/aolu96:pdmb4TKlD00C1O/u |
TLSH: | E5656C22A3A64433D4732E75CD6BC2946C36BD202FA5944A7EF89F0C1E79B41BD35392 |
File Content Preview: | MZP.....................@...............................................!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
Icon Hash: | 16312912b129310e |
Entrypoint: | 0x500004 |
Entrypoint Section: | .itext |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI |
DLL Characteristics: | TERMINAL_SERVER_AWARE |
Time Stamp: | 0x55A7B085 [Thu Jul 16 13:24:21 2015 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | 1f528eee57f931071fbd7756a8236e9f |
Instruction |
---|
push ebp |
mov ebp, esp |
add esp, FFFFFFF0h |
push ebx |
push esi |
push edi |
mov eax, 004FDD94h |
call 00007FCADCD1DB1Ah |
push FFFFFFECh |
mov eax, dword ptr [00503E14h] |
mov eax, dword ptr [eax] |
mov ebx, dword ptr [eax+00000170h] |
push ebx |
call 00007FCADCD1E9BDh |
and eax, FFFFFF7Fh |
push eax |
push FFFFFFECh |
mov eax, dword ptr [00503E14h] |
push ebx |
call 00007FCADCD1EC12h |
xor eax, eax |
push ebp |
push 0050007Fh |
push dword ptr fs:[eax] |
mov dword ptr fs:[eax], esp |
push 00000001h |
call 00007FCADCD1E365h |
call 00007FCADCE12664h |
mov eax, dword ptr [004FD9CCh] |
push eax |
push 004FDA30h |
mov eax, dword ptr [00503E14h] |
mov eax, dword ptr [eax] |
call 00007FCADCD90E0Dh |
call 00007FCADCE126B8h |
xor eax, eax |
pop edx |
pop ecx |
pop ecx |
mov dword ptr fs:[eax], edx |
jmp 00007FCADCE14BFBh |
jmp 00007FCADCD19241h |
call 00007FCADCE12434h |
mov eax, 00000001h |
call 00007FCADCD19D02h |
call 00007FCADCD19685h |
mov eax, dword ptr [00503E14h] |
mov eax, dword ptr [eax] |
mov edx, 00500214h |
call 00007FCADCD90918h |
push 00000005h |
mov eax, dword ptr [00503E14h] |
mov eax, dword ptr [eax] |
mov eax, dword ptr [eax+00000170h] |
push eax |
call 00007FCADCD1EBD3h |
mov eax, dword ptr [00503E14h] |
mov eax, dword ptr [eax] |
mov edx, dword ptr [004D8D14h] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x10c000 | 0x382c | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x112000 | 0x62800 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x111000 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x10ca7c | 0x888 | .idata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xfd224 | 0xfd400 | 5606816c0e3ddb1f4eb74b4fc974cc99 | False | 0.48292124259624875 | data | 6.48940093273947 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.itext | 0xff000 | 0x1220 | 0x1400 | 6af5b74ebcd128d62db3adf99a2fdade | False | 0.50546875 | data | 5.686380733031578 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.data | 0x101000 | 0x303c | 0x3200 | e451917917f4a9d9e9f972f25b034fdf | False | 0.4203125 | data | 4.301472640349721 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.bss | 0x105000 | 0x6190 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0x10c000 | 0x382c | 0x3a00 | 43c0f118777059b21ad6a5849b132450 | False | 0.3096039870689655 | data | 5.162977041444552 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0x110000 | 0x3c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0x111000 | 0x18 | 0x200 | 3f4821d98c8d2f792b0e23905609a7d6 | False | 0.05078125 | data | 0.17014565200323517 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x112000 | 0x62800 | 0x62800 | 311b4a37d8ed9c52140c72da613567f9 | False | 0.7655679925444162 | data | 7.569569397861487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_CURSOR | 0x112c44 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635 |
RT_CURSOR | 0x112d78 | 0x134 | data | English | United States | 0.4642857142857143 |
RT_CURSOR | 0x112eac | 0x134 | data | English | United States | 0.4805194805194805 |
RT_CURSOR | 0x112fe0 | 0x134 | data | English | United States | 0.38311688311688313 |
RT_CURSOR | 0x113114 | 0x134 | data | English | United States | 0.36038961038961037 |
RT_CURSOR | 0x113248 | 0x134 | data | English | United States | 0.4090909090909091 |
RT_CURSOR | 0x11337c | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468 |
RT_BITMAP | 0x1134b0 | 0x4e8 | Device independent bitmap graphic, 48 x 48 x 4, image size 1152 | 0.2945859872611465 | ||
RT_BITMAP | 0x113998 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | 0.521551724137931 | ||
RT_ICON | 0x113a80 | 0x20d5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9303985722784057 |
RT_ICON | 0x115b58 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.08392116182572613 |
RT_ICON | 0x118100 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.11960600375234522 |
RT_ICON | 0x1191a8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.22074468085106383 |
RT_STRING | 0x119610 | 0xc4 | data | 0.6224489795918368 | ||
RT_STRING | 0x1196d4 | 0x258 | data | 0.475 | ||
RT_STRING | 0x11992c | 0x250 | data | 0.46621621621621623 | ||
RT_STRING | 0x119b7c | 0x438 | StarOffice Gallery theme l, 1627418368 objects, 1st | 0.41388888888888886 | ||
RT_STRING | 0x119fb4 | 0xa0 | data | 0.7125 | ||
RT_STRING | 0x11a054 | 0xe4 | data | 0.6359649122807017 | ||
RT_STRING | 0x11a138 | 0x430 | data | 0.394589552238806 | ||
RT_STRING | 0x11a568 | 0x39c | data | 0.3906926406926407 | ||
RT_STRING | 0x11a904 | 0x3dc | data | 0.39271255060728744 | ||
RT_STRING | 0x11ace0 | 0x360 | data | 0.37037037037037035 | ||
RT_STRING | 0x11b040 | 0x40c | data | 0.3783783783783784 | ||
RT_STRING | 0x11b44c | 0x108 | data | 0.5113636363636364 | ||
RT_STRING | 0x11b554 | 0xcc | data | 0.6029411764705882 | ||
RT_STRING | 0x11b620 | 0x234 | data | 0.5070921985815603 | ||
RT_STRING | 0x11b854 | 0x3c8 | data | 0.3181818181818182 | ||
RT_STRING | 0x11bc1c | 0x32c | data | 0.43349753694581283 | ||
RT_STRING | 0x11bf48 | 0x2a0 | data | 0.41964285714285715 | ||
RT_RCDATA | 0x11c1e8 | 0x82e8 | data | English | United States | 0.11261637622344235 |
RT_RCDATA | 0x1244d0 | 0x10 | data | 1.5 | ||
RT_RCDATA | 0x1244e0 | 0x1800 | PE32+ executable (console) x86-64, for MS Windows | English | United States | 0.3924153645833333 |
RT_RCDATA | 0x125ce0 | 0x6b0 | data | 0.647196261682243 | ||
RT_RCDATA | 0x126390 | 0x5b10 | PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows | English | United States | 0.3255404941660947 |
RT_RCDATA | 0x12bea0 | 0x125 | Delphi compiled form 'TMainForm' | 0.7508532423208191 | ||
RT_RCDATA | 0x12bfc8 | 0x3a2 | Delphi compiled form 'TNewDiskForm' | 0.524731182795699 | ||
RT_RCDATA | 0x12c36c | 0x320 | Delphi compiled form 'TSelectFolderForm' | 0.53625 | ||
RT_RCDATA | 0x12c68c | 0x300 | Delphi compiled form 'TSelectLanguageForm' | 0.5703125 | ||
RT_RCDATA | 0x12c98c | 0x5d9 | Delphi compiled form 'TUninstallProgressForm' | 0.4562458249832999 | ||
RT_RCDATA | 0x12cf68 | 0x461 | Delphi compiled form 'TUninstSharedFileForm' | 0.4335414808206958 | ||
RT_RCDATA | 0x12d3cc | 0x2057 | Delphi compiled form 'TWizardForm' | 0.2298586785843701 | ||
RT_GROUP_CURSOR | 0x12f424 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25 |
RT_GROUP_CURSOR | 0x12f438 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25 |
RT_GROUP_CURSOR | 0x12f44c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x12f460 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x12f474 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x12f488 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x12f49c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_ICON | 0x12f4b0 | 0x3e | data | English | United States | 0.8064516129032258 |
RT_VERSION | 0x12f4f0 | 0x15c | data | English | United States | 0.5689655172413793 |
RT_MANIFEST | 0x12f64c | 0x62c | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4240506329113924 |
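The resource table above identifies what the outer file is: the Delphi form names (TWizardForm, TSelectLanguageForm, TNewDiskForm, TUninstallProgressForm, TUninstSharedFileForm), the "Setup/Uninstall" description and the MZP stub are those of an Inno Setup installer, and the two RT_RCDATA entries typed PE32+ and PE32 are executables embedded in it (the "Targa image" and "Lotus worksheet" labels on the cursor entries are libmagic misreads of raw cursor data, not real file types). Read together with the section table (entry point in .itext, a .rsrc section at 7.57 bits/byte, and the "PE file contains an invalid checksum" signature), these are the facts a static pre-screen should surface before the sample is ever run. The following Python is an added example, not code from Joe Sandbox or from this report: it parses a PE section table by hand, computes per-section entropy, locates the section holding the entry point, flags writable-and-executable sections, and recomputes the optional-header checksum. The image it analyses is built inline by build_sample and is synthetic; the 7.0 bits/byte threshold is the example's own choice.

```python
import math
import random
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
HIGH_ENTROPY = 7.0  # bits/byte; compressed or encrypted data usually sits above this (example's own threshold)


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Recompute the optional-header CheckSum as imagehlp's CheckSumMappedFile does: fold every
    dword except the CheckSum field itself into 16 bits with end-around carry, then add the file length."""
    buf = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(buf), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", buf, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> file header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    n_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                              # IMAGE_OPTIONAL_HEADER
    sections = []
    for i in range(n_sections):
        hdr = opt + opt_size + 40 * i                          # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, hdr)
        chars = struct.unpack_from("<I", data, hdr + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va, "vsize": vsize,
                         "raw_size": raw_size, "chars": chars,
                         "entropy": shannon_entropy(data[raw_ptr:raw_ptr + raw_size])})
    return {"entry_rva": struct.unpack_from("<I", data, opt + 16)[0], "checksum_off": opt + 64,
            "stored_checksum": struct.unpack_from("<I", data, opt + 64)[0], "sections": sections}


def analyze(data: bytes) -> dict:
    """Produce the static triage facts a sandbox report summarises: entry-point section,
    high-entropy sections, writable-and-executable sections, checksum validity."""
    info = parse_pe(data)
    findings, entry_section = [], None
    for s in info["sections"]:
        if s["va"] <= info["entry_rva"] < s["va"] + max(s["vsize"], s["raw_size"]):
            entry_section = s["name"]
        if s["entropy"] > HIGH_ENTROPY:
            findings.append(f"high-entropy section {s['name']} ({s['entropy']:.2f} bits/byte)")
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"writable and executable section {s['name']}")
    if entry_section is None:
        findings.append("entry point lies outside every section")
    computed = pe_checksum(data, info["checksum_off"])
    checksum_ok = computed == info["stored_checksum"]
    if not checksum_ok:
        findings.append(f"invalid checksum: stored {info['stored_checksum']:#x}, computed {computed:#x}")
    return {"entry_section": entry_section, "checksum_ok": checksum_ok,
            "sections": info["sections"], "findings": findings}


def build_sample(fix_checksum: bool = False) -> bytes:
    """Constructed two-section PE32 image for the demo (synthetic, not the report's file): a low-entropy
    .text that holds the entry point and a random-filled .rsrc standing in for a packed payload."""
    rng = random.Random(1)
    img = bytearray(0x800)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                    # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # i386, 2 sections, PE32 opt hdr
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                    # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x1010)              # AddressOfEntryPoint, inside .text
    struct.pack_into("<I", img, opt + 28, 0x400000)            # ImageBase
    sec = opt + 0xE0
    struct.pack_into("<8sIIII", img, sec, b".text", 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<I", img, sec + 36, 0x60000020)          # CODE | EXECUTE | READ
    struct.pack_into("<8sIIII", img, sec + 40, b".rsrc", 0x400, 0x2000, 0x400, 0x400)
    struct.pack_into("<I", img, sec + 76, 0x40000040)          # INITIALIZED_DATA | READ
    img[0x200:0x400] = b"\x90" * 0x100 + b"\xC3" * 0x100       # two byte values only: entropy 1.0
    img[0x400:0x800] = bytes(rng.getrandbits(8) for _ in range(0x400))  # near-uniform: entropy ~7.8
    if fix_checksum:
        struct.pack_into("<I", img, opt + 64, pe_checksum(bytes(img), opt + 64))
    return bytes(img)
```

To run it on a real file, pass open(path, "rb").read() to analyze() instead of build_sample(); the section names, raw sizes and entropies then line up with the report's section table, and an unset CheckSum field (0, which many linkers leave for unsigned builds) produces the same "invalid checksum" finding the sandbox reports. Entropy above 7 in .rsrc or .data is a strong hint that a payload is stored compressed or encrypted and will only become visible once the installer unpacks it, which is why the dynamic run, not the stub's own code, yields the LummaC verdict.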
DLL | Import |
---|---|
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen |
advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey |
user32.dll | GetKeyboardType, LoadStringW, MessageBoxA, CharNextW |
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryW, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCurrentDirectoryW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, ExitThread, CreateThread, CompareStringW, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle |
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW |
user32.dll | CreateWindowExW, WindowFromPoint, WaitMessage, WaitForInputIdle, UpdateWindow, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRectEmpty, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongW, SetCapture, SetActiveWindow, SendNotifyMessageW, SendMessageTimeoutW, SendMessageA, SendMessageW, ScrollWindowEx, ScrollWindow, ScreenToClient, ReplyMessage, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassW, RedrawWindow, PtInRect, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OffsetRect, OemToCharBuffA, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LoadStringW, LoadKeyboardLayoutW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsDialogMessageW, IsChild, InvalidateRect, IntersectRect, InsertMenuItemW, InsertMenuW, InflateRect, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropW, GetParent, GetWindow, GetMessagePos, GetMessageW, GetMenuStringW, GetMenuState, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassLongW, GetClassInfoW, GetCapture, GetActiveWindow, FrameRect, FindWindowExW, FindWindowW, FillRect, ExitWindowsEx, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextExW, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CharUpperBuffW, CharNextW, CharLowerBuffW, CharLowerW, CallWindowProcW, CallNextHookEx, BringWindowToTop, BeginPaint, AppendMenuW, CharToOemBuffA, AdjustWindowRectEx, ActivateKeyboardLayout |
msimg32.dll | AlphaBlend |
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RoundRect, RestoreDC, RemoveFontResourceW, Rectangle, RectVisible, RealizePalette, Polyline, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, LineDDA, IntersectClipRect, GetWindowOrgEx, GetTextMetricsW, GetTextExtentPointW, GetTextExtentPoint32W, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectW, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, FrameRgn, ExtTextOutW, ExtFloodFill, ExcludeClipRect, EnumFontsW, Ellipse, DeleteObject, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectW, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, Chord, BitBlt, Arc, AddFontResourceW |
version.dll | VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW |
mpr.dll | WNetOpenEnumW, WNetGetUniversalNameW, WNetGetConnectionW, WNetEnumResourceW, WNetCloseEnum |
kernel32.dll | lstrcpyW, lstrcmpW, WriteProfileStringW, WritePrivateProfileStringW, WriteFile, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQueryEx, VirtualQuery, VirtualFree, VirtualAlloc, TransactNamedPipe, TerminateProcess, SwitchToThread, SizeofResource, SignalObjectAndWait, SetThreadLocale, SetNamedPipeHandleState, SetLastError, SetFileTime, SetFilePointer, SetFileAttributesW, SetEvent, SetErrorMode, SetEndOfFile, SetCurrentDirectoryW, ResumeThread, ResetEvent, RemoveDirectoryW, ReleaseMutex, ReadFile, QueryPerformanceCounter, OpenProcess, OpenMutexW, MultiByteToWideChar, MulDiv, MoveFileExW, MoveFileW, LockResource, LocalFree, LocalFileTimeToFileTime, LoadResource, LoadLibraryExW, LoadLibraryW, LeaveCriticalSection, IsDBCSLeadByte, IsBadWritePtr, InitializeCriticalSection, GlobalFindAtomW, GlobalDeleteAtom, GlobalAddAtomW, GetWindowsDirectoryW, GetVersionExW, GetVersion, GetUserDefaultLangID, GetTickCount, GetThreadLocale, GetSystemTimeAsFileTime, GetSystemInfo, GetSystemDirectoryW, GetStdHandle, GetShortPathNameW, GetProfileStringW, GetProcAddress, GetPrivateProfileStringW, GetOverlappedResult, GetModuleHandleW, GetModuleFileNameW, GetLogicalDrives, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeThread, GetExitCodeProcess, GetEnvironmentVariableW, GetDriveTypeW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCurrentDirectoryW, GetComputerNameW, GetCommandLineW, GetCPInfo, FreeResource, InterlockedIncrement, InterlockedExchangeAdd, InterlockedExchange, InterlockedDecrement, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FlushFileBuffers, FindResourceW, FindNextFileW, FindFirstFileW, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, EnumCalendarInfoW, EnterCriticalSection, DeviceIoControl, DeleteFileW, DeleteCriticalSection, CreateThread, CreateProcessW, CreateNamedPipeW, CreateMutexW, CreateFileW, CreateEventW, CreateDirectoryW, CopyFileW, CompareStringW, CompareFileTime, CloseHandle |
advapi32.dll | SetSecurityDescriptorDacl, RegSetValueExW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegCloseKey, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, InitializeSecurityDescriptor, GetUserNameW, GetTokenInformation, FreeSid, EqualSid, AllocateAndInitializeSid |
comctl32.dll | InitCommonControls |
kernel32.dll | Sleep |
oleaut32.dll | GetErrorInfo, GetActiveObject, RegisterTypeLib, LoadTypeLib, SysFreeString |
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CLSIDFromProgID, CLSIDFromString, StringFromCLSID, CoCreateInstance, CoFreeUnusedLibraries, CoUninitialize, CoInitialize, IsEqualGUID |
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit |
comctl32.dll | InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls |
shell32.dll | ShellExecuteExW, ShellExecuteW, SHGetFileInfoW, ExtractIconW |
shell32.dll | SHGetPathFromIDListW, SHGetMalloc, SHChangeNotify, SHBrowseForFolderW |
comdlg32.dll | GetSaveFileNameW, GetOpenFileNameW |
ole32.dll | CoDisconnectObject |
advapi32.dll | AdjustTokenPrivileges |
oleaut32.dll | SysFreeString |
Description | Data |
---|---|
FileDescription | Setup/Uninstall |
FileVersion | 51.1052.0.0 |
Translation | 0x0000 0x04b0 |
Language of compilation system | Country where language is spoken |
---|---|
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-04-13T17:04:55.287739+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49703 | 89.169.54.153 | 443 | TCP |
2025-04-13T17:05:16.627058+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49692 | 104.21.80.1 | 443 | TCP |
2025-04-13T17:05:19.882870+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49694 | 104.21.80.1 | 443 | TCP |
2025-04-13T17:05:21.701529+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49697 | 104.21.80.1 | 443 | TCP |
2025-04-13T17:05:24.042700+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49698 | 104.21.80.1 | 443 | TCP |
2025-04-13T17:05:28.598364+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49699 | 104.21.80.1 | 443 | TCP |
2025-04-13T17:05:29.956435+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49700 | 104.21.80.1 | 443 | TCP |
2025-04-13T17:05:31.688199+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49701 | 104.21.80.1 | 443 | TCP |
2025-04-13T17:05:33.613012+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49702 | 104.21.80.1 | 443 | TCP |
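All nine alerts above come from one rule, SID 2028371, and it is a JA3 signature: it keys on the client's TLS ClientHello fingerprint (a0e9f5d64349fb13191bc781f81f42e1 in the context table, where it co-occurs with other LummaC samples), which any program built on the same TLS stack produces, hence the low severity. The two destinations also call for different handling: 89.169.54.153 is a single host in INF-NET-ASRU that the report nevertheless rates non-malicious with high reputation, while 104.21.80.1 is a Cloudflare anycast address that the context table also ties to FormBook, Cobalt Strike and keylogger samples, so an IP block there cuts off unrelated sites. The following Python is an added example, not part of the report or of Suricata: it parses alerts in Suricata's fast.log format (the lines are constructed to mirror the table above; the rule revision and classification text are assumptions), groups them per destination, marks destinations in shared CDN space, and emits domain-level indicators plus dns.query rules for them. The SID range and the list of shared-infrastructure ASNs are the example's own choices.

```python
import re

# Constructed fast.log lines mirroring the report's alert table (same SID, peers, ports, timestamps).
# The revision (:4) and the classification text are assumed; everything else is from the table.
ALERT_TEMPLATE = ("{ts}  [**] [1:2028371:4] ET JA3 Hash - Possible Malware - Fake Firefox Font Update [**] "
                  "[Classification: Unknown Traffic] [Priority: 3] {{TCP}} 192.168.2.5:{sport} -> {dst}:443")
OBSERVED = [
    ("04/13/2025-17:04:55.287739", 49703, "89.169.54.153"),
    ("04/13/2025-17:05:16.627058", 49692, "104.21.80.1"),
    ("04/13/2025-17:05:19.882870", 49694, "104.21.80.1"),
    ("04/13/2025-17:05:21.701529", 49697, "104.21.80.1"),
    ("04/13/2025-17:05:24.042700", 49698, "104.21.80.1"),
    ("04/13/2025-17:05:28.598364", 49699, "104.21.80.1"),
    ("04/13/2025-17:05:29.956435", 49700, "104.21.80.1"),
    ("04/13/2025-17:05:31.688199", 49701, "104.21.80.1"),
    ("04/13/2025-17:05:33.613012", 49702, "104.21.80.1"),
]
FAST_LOG = "\n".join(ALERT_TEMPLATE.format(ts=t, sport=p, dst=d) for t, p, d in OBSERVED) + "\n"

# Resolutions and ASNs as given in the report's IP table.
RESOLUTIONS = {
    "h1.mockupeastcoast.shop": ("89.169.54.153", 31514, "INF-NET-ASRU"),
    "jesxterplay.run": ("104.21.80.1", 13335, "CLOUDFLARENETUS"),
}
# ASNs whose addresses front many unrelated tenants; an IP block there causes collateral damage.
# Assumption for this example: only Cloudflare is listed; extend per environment.
SHARED_INFRA_ASNS = {13335}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_fast_log(text: str) -> list:
    """Parse Suricata fast.log alert lines; lines that do not match the one-line alert format are skipped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            a = m.groupdict()
            for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
                a[k] = int(a[k])
            alerts.append(a)
    return alerts


def summarize(alerts: list, resolutions: dict) -> dict:
    """Group alerts per destination IP and attach domain, ASN and a shared-infrastructure flag."""
    ip_info = {ip: (dom, asn, name) for dom, (ip, asn, name) in resolutions.items()}
    out = {}
    for a in alerts:
        e = out.setdefault(a["dst"], {"alerts": 0, "sids": set(), "ports": set(),
                                      "domain": None, "asn": None, "shared_infrastructure": False})
        e["alerts"] += 1
        e["sids"].add(a["sid"])
        e["ports"].add(a["dport"])
        if a["dst"] in ip_info:
            e["domain"], e["asn"], _ = ip_info[a["dst"]]
            e["shared_infrastructure"] = e["asn"] in SHARED_INFRA_ASNS
    return out


def block_indicators(summary: dict) -> dict:
    """Domains are always actionable; IPs only when they are not shared CDN/anycast space."""
    domains = sorted(e["domain"] for e in summary.values() if e["domain"])
    ips = sorted(ip for ip, e in summary.items() if not e["shared_infrastructure"])
    return {"domains": domains, "ips": ips}


def suricata_rules(summary: dict, base_sid: int = 1000001) -> list:
    """One dns.query rule per resolved domain; SIDs in the local 1000000+ range are an assumption."""
    rules = []
    for i, dom in enumerate(block_indicators(summary)["domains"]):
        rules.append(
            f'alert dns $HOME_NET any -> any any (msg:"Sandbox-observed C2 candidate {dom}"; '
            f'dns.query; content:"{dom}"; nocase; sid:{base_sid + i}; rev:1;)'
        )
    return rules
```

In production the same grouping is better driven from eve.json alert objects than from the fast.log regex, and a tls.sni rule next to each dns.query rule catches clients that resolve the name over DoH. The JA3 hash itself is worth keeping as a pivot for hunting (it is what the context table above is keyed on) but not as a blocking indicator, for the same reason the rule is severity 3.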
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 13, 2025 17:05:16.174993992 CEST | 53318 | 53 | 192.168.2.5 | 1.1.1.1 |
Apr 13, 2025 17:05:16.374119997 CEST | 53 | 53318 | 1.1.1.1 | 192.168.2.5 |
Apr 13, 2025 17:05:34.184140921 CEST | 54446 | 53 | 192.168.2.5 | 1.1.1.1 |
Apr 13, 2025 17:05:34.337949038 CEST | 53 | 54446 | 1.1.1.1 | 192.168.2.5 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Apr 13, 2025 17:05:16.174993992 CEST | 192.168.2.5 | 1.1.1.1 | 0x96ba | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 13, 2025 17:05:34.184140921 CEST | 192.168.2.5 | 1.1.1.1 | 0x325a | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Apr 13, 2025 17:05:16.374119997 CEST | 1.1.1.1 | 192.168.2.5 | 0x96ba | No error (0) | | | 104.21.80.1 | A (IP address) | IN (0x0001) | false |
Apr 13, 2025 17:05:16.374119997 CEST | 1.1.1.1 | 192.168.2.5 | 0x96ba | No error (0) | | | 104.21.32.1 | A (IP address) | IN (0x0001) | false |
Apr 13, 2025 17:05:16.374119997 CEST | 1.1.1.1 | 192.168.2.5 | 0x96ba | No error (0) | | | 104.21.96.1 | A (IP address) | IN (0x0001) | false |
Apr 13, 2025 17:05:16.374119997 CEST | 1.1.1.1 | 192.168.2.5 | 0x96ba | No error (0) | | | 104.21.48.1 | A (IP address) | IN (0x0001) | false |
Apr 13, 2025 17:05:16.374119997 CEST | 1.1.1.1 | 192.168.2.5 | 0x96ba | No error (0) | | | 104.21.112.1 | A (IP address) | IN (0x0001) | false |
Apr 13, 2025 17:05:16.374119997 CEST | 1.1.1.1 | 192.168.2.5 | 0x96ba | No error (0) | | | 104.21.16.1 | A (IP address) | IN (0x0001) | false |
Apr 13, 2025 17:05:16.374119997 CEST | 1.1.1.1 | 192.168.2.5 | 0x96ba | No error (0) | | | 104.21.64.1 | A (IP address) | IN (0x0001) | false |
Apr 13, 2025 17:05:34.337949038 CEST | 1.1.1.1 | 192.168.2.5 | 0x325a | No error (0) | | | 89.169.54.153 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.5 | 49692 | 104.21.80.1 | 443 | 7836 | C:\Users\user\Desktop\Setup_patched.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-04-13 15:05:16 UTC | 265 | OUT | |
2025-04-13 15:05:16 UTC | 81 | OUT | |
2025-04-13 15:05:17 UTC | 784 | IN | |
2025-04-13 15:05:17 UTC | 585 | IN | |
2025-04-13 15:05:17 UTC | 1369 | IN | |
2025-04-13 15:05:17 UTC | 1369 | IN | |
2025-04-13 15:05:17 UTC | 1369 | IN | |
2025-04-13 15:05:17 UTC | 1369 | IN | |
2025-04-13 15:05:17 UTC | 1369 | IN | |
2025-04-13 15:05:17 UTC | 1369 | IN | |
2025-04-13 15:05:17 UTC | 1369 | IN | |
2025-04-13 15:05:17 UTC | 751 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.5 | 49694 | 104.21.80.1 | 443 | 7836 | C:\Users\user\Desktop\Setup_patched.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-04-13 15:05:19 UTC | 278 | OUT | |
2025-04-13 15:05:19 UTC | 14896 | OUT | |
2025-04-13 15:05:20 UTC | 816 | IN | |
2025-04-13 15:05:20 UTC | 76 | IN | |
2025-04-13 15:05:20 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.5 | 49697 | 104.21.80.1 | 443 | 7836 | C:\Users\user\Desktop\Setup_patched.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-04-13 15:05:21 UTC | 276 | OUT | |
2025-04-13 15:05:21 UTC | 15035 | OUT | |
2025-04-13 15:05:22 UTC | 812 | IN | |
2025-04-13 15:05:22 UTC | 76 | IN | |
2025-04-13 15:05:22 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.5 | 49698 | 104.21.80.1 | 443 | 7836 | C:\Users\user\Desktop\Setup_patched.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-04-13 15:05:24 UTC | 283 | OUT | |
2025-04-13 15:05:24 UTC | 15331 | OUT | |
2025-04-13 15:05:24 UTC | 5228 | OUT | |
2025-04-13 15:05:24 UTC | 808 | IN | |
2025-04-13 15:05:24 UTC | 76 | IN | |
2025-04-13 15:05:24 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.5 | 49699 | 104.21.80.1 | 443 | 7836 | C:\Users\user\Desktop\Setup_patched.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-04-13 15:05:28 UTC | 281 | OUT | |
2025-04-13 15:05:28 UTC | 7115 | OUT | |
2025-04-13 15:05:29 UTC | 806 | IN | |
2025-04-13 15:05:29 UTC | 76 | IN | |
2025-04-13 15:05:29 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.5 | 49700 | 104.21.80.1 | 443 | 7836 | C:\Users\user\Desktop\Setup_patched.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-04-13 15:05:29 UTC | 272 | OUT | |
2025-04-13 15:05:29 UTC | 2548 | OUT | |
2025-04-13 15:05:30 UTC | 812 | IN | |
2025-04-13 15:05:30 UTC | 76 | IN | |
2025-04-13 15:05:30 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.5 | 49701 | 104.21.80.1 | 443 | 7836 | C:\Users\user\Desktop\Setup_patched.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-04-13 15:05:31 UTC | 282 | OUT | |
2025-04-13 15:05:31 UTC | 15331 | OUT | |
2025-04-13 15:05:31 UTC | 15331 | OUT | |
2025-04-13 15:05:31 UTC | 15331 | OUT | |
2025-04-13 15:05:31 UTC | 15331 | OUT | |
2025-04-13 15:05:31 UTC | 15331 | OUT | |
2025-04-13 15:05:31 UTC | 15331 | OUT | |
2025-04-13 15:05:31 UTC | 15331 | OUT | |
2025-04-13 15:05:31 UTC | 15331 | OUT | |
2025-04-13 15:05:31 UTC | 15331 | OUT | |
2025-04-13 15:05:31 UTC | 15331 | OUT | |
2025-04-13 15:05:33 UTC | 814 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.5 | 49702 | 104.21.80.1 | 443 | 7836 | C:\Users\user\Desktop\Setup_patched.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-04-13 15:05:33 UTC | 266 | OUT | |
2025-04-13 15:05:33 UTC | 119 | OUT | |
2025-04-13 15:05:34 UTC | 793 | IN | |
2025-04-13 15:05:34 UTC | 108 | IN | |
Target ID: | 3 |
Start time: | 11:04:59 |
Start date: | 13/04/2025 |
Path: | C:\Users\user\Desktop\Setup_patched.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 1'475'072 bytes |
MD5 hash: | B4E8BDDA146B28CB226F3B1A77DBC7EC |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | Borland Delphi |
Yara matches: | |
Reputation: | low |
Has exited: | true |