Edit tour
Windows
Analysis Report
file.exe
Overview
General Information
| Sample name: | file.exe |
| Analysis ID: | 1433969 |
| MD5: | 665359fe7ad7626ffde7260978ec9470 |
| SHA1: | 4bf1009eeab5f6644e2caa1305623cc4ced5ea83 |
| SHA256: | 7bde1d12ff1ce50967e116119f003ae93e51198b12c06d3cee85a4199389489a |
| Tags: | exe |
| Infos: |  |
 | |
Detection
LummaC
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Yara detected LummaC Stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
file.exe (PID: 6792 cmdline: "C:\Users\ user\Deskt op\file.ex e" MD5: 665359FE7AD7626FFDE7260978EC9470) - RegAsm.exe (PID: 344 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
{"C2 url": ["demonstationfukewko.shop", "liabilitynighstjsko.shop", "alcojoldwograpciw.shop", "incredibleextedwj.shop", "shortsvelventysjo.shop", "shatterbreathepsw.shop", "tolerateilusidjukl.shop", "productivelookewr.shop", "greetclassifytalk.shop"], "Build id": "4sxFKu--"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
⊘No Sigma rule has matched
| Timestamp: | 04/30/24-11:44:55.347963 |
| SID: | 2052037 |
| Source Port: | 49735 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 04/30/24-11:44:49.982146 |
| SID: | 2052037 |
| Source Port: | 49730 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 04/30/24-11:44:50.754198 |
| SID: | 2052037 |
| Source Port: | 49731 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 04/30/24-11:44:54.457656 |
| SID: | 2052037 |
| Source Port: | 49734 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 04/30/24-11:44:52.727126 |
| SID: | 2052037 |
| Source Port: | 49732 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 04/30/24-11:44:58.825440 |
| SID: | 2052037 |
| Source Port: | 49737 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 04/30/24-11:44:53.635615 |
| SID: | 2052037 |
| Source Port: | 49733 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 04/30/24-11:44:49.867931 |
| SID: | 2052028 |
| Source Port: | 58505 |
| Destination Port: | 53 |
| Protocol: | UDP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 04/30/24-11:44:56.091210 |
| SID: | 2052037 |
| Source Port: | 49736 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Joe Sandbox ML: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Code function: | 1_2_00416C6A | |
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_003A7331 | |
| Source: | Code function: | 0_2_003DE0F4 | |
| Source: | Code function: | 0_2_003DE0F6 | |
| Source: | Code function: | 0_2_003D80CC | |
| Source: | Code function: | 0_2_003D1CD7 | |
| Source: | Code function: | 0_2_003D1CD7 | |
| Source: | Code function: | 0_2_003F6400 | |
| Source: | Code function: | 0_2_003D244E | |
| Source: | Code function: | 0_2_003D07DB | |
| Source: | Code function: | 0_2_003CC83E | |
| Source: | Code function: | 0_2_003E0880 | |
| Source: | Code function: | 0_2_003B9083 | |
| Source: | Code function: | 0_2_003B9083 | |
| Source: | Code function: | 0_2_003D29A5 | |
| Source: | Code function: | 0_2_003D29A5 | |
| Source: | Code function: | 0_2_003D29A5 | |
| Source: | Code function: | 0_2_003DE980 | |
| Source: | Code function: | 0_2_003BC9E0 | |
| Source: | Code function: | 0_2_003E2A4D | |
| Source: | Code function: | 0_2_003DCB18 | |
| Source: | Code function: | 0_2_003F0C70 | |
| Source: | Code function: | 0_2_003CCCD0 | |
| Source: | Code function: | 0_2_003F8DF6 | |
| Source: | Code function: | 0_2_003FB0E0 | |
| Source: | Code function: | 0_2_003CB133 | |
| Source: | Code function: | 0_2_003F738E | |
| Source: | Code function: | 0_2_003F7422 | |
| Source: | Code function: | 0_2_003C7590 | |
| Source: | Code function: | 0_2_003F761E | |
| Source: | Code function: | 0_2_003BD710 | |
| Source: | Code function: | 0_2_003CD813 | |
| Source: | Code function: | 0_2_003CD813 | |
| Source: | Code function: | 0_2_003C39B0 | |
| Source: | Code function: | 0_2_003F99E9 | |
| Source: | Code function: | 0_2_003CFAB0 | |
| Source: | Code function: | 0_2_003F7B79 | |
| Source: | Code function: | 0_2_003D5C10 | |
| Source: | Code function: | 0_2_003CDC74 | |
| Source: | Code function: | 0_2_003DFC70 | |
| Source: | Code function: | 0_2_003D1CD7 | |
| Source: | Code function: | 0_2_003D1CD7 | |
| Source: | Code function: | 0_2_003D9D0A | |
| Source: | Code function: | 0_2_003D7EB7 | |
| Source: | Code function: | 1_2_0043D21E | |
| Source: | Code function: | 1_2_004163DB | |
| Source: | Code function: | 1_2_004185A5 | |
| Source: | Code function: | 1_2_004185A5 | |
| Source: | Code function: | 1_2_004185A5 | |
| Source: | Code function: | 1_2_004156B0 | |
| Source: | Code function: | 1_2_004178D7 | |
| Source: | Code function: | 1_2_004178D7 | |
| Source: | Code function: | 1_2_00440CE0 | |
| Source: | Code function: | 1_2_0041804E | |
| Source: | Code function: | 1_2_0043C000 | |
| Source: | Code function: | 1_2_00408010 | |
| Source: | Code function: | 1_2_00408010 | |
| Source: | Code function: | 1_2_0043D022 | |
| Source: | Code function: | 1_2_0040D190 | |
| Source: | Code function: | 1_2_00403310 | |
| Source: | Code function: | 1_2_00413413 | |
| Source: | Code function: | 1_2_00413413 | |
| Source: | Code function: | 1_2_0041243E | |
| Source: | Code function: | 1_2_00426480 | |
| Source: | Code function: | 1_2_004025E0 | |
| Source: | Code function: | 1_2_0043F5E9 | |
| Source: | Code function: | 1_2_00424580 | |
| Source: | Code function: | 1_2_004095B0 | |
| Source: | Code function: | 1_2_0042864D | |
| Source: | Code function: | 1_2_0043D779 | |
| Source: | Code function: | 1_2_00422718 | |
| Source: | Code function: | 1_2_00425870 | |
| Source: | Code function: | 1_2_00436870 | |
| Source: | Code function: | 1_2_00413874 | |
| Source: | Code function: | 1_2_0041B810 | |
| Source: | Code function: | 1_2_004128D0 | |
| Source: | Code function: | 1_2_0041F90A | |
| Source: | Code function: | 1_2_0043E9F6 | |
| Source: | Code function: | 1_2_00423CF6 | |
| Source: | Code function: | 1_2_00423CF4 | |
| Source: | Code function: | 1_2_00410D33 | |
| Source: | Code function: | 1_2_004178D7 | |
| Source: | Code function: | 1_2_004178D7 | |
| Source: | Code function: | 1_2_0041DECA | |
| Source: | Code function: | 1_2_0041DECA | |
| Source: | Code function: | 1_2_0043CF8E | |
Networking | |
|---|
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 1_2_00430900 | |
| Source: | Code function: | 1_2_00430900 | |
| Source: | Code function: | 1_2_004314B9 | |
| Source: | Code function: | 0_2_003A6294 | |
| Source: | Code function: | 0_2_003C2410 | |
| Source: | Code function: | 0_2_003BE530 | |
| Source: | Code function: | 0_2_003DC528 | |
| Source: | Code function: | 0_2_003C4580 | |
| Source: | Code function: | 0_2_003FA760 | |
| Source: | Code function: | 0_2_003CA7B0 | |
| Source: | Code function: | 0_2_003C08A0 | |
| Source: | Code function: | 0_2_003E0880 | |
| Source: | Code function: | 0_2_003B9083 | |
| Source: | Code function: | 0_2_003FAA50 | |
| Source: | Code function: | 0_2_003DAB2E | |
| Source: | Code function: | 0_2_003E6B8E | |
| Source: | Code function: | 0_2_003FAD70 | |
| Source: | Code function: | 0_2_003F2F10 | |
| Source: | Code function: | 0_2_003BEF40 | |
| Source: | Code function: | 0_2_003E2FD4 | |
| Source: | Code function: | 0_2_003E12C0 | |
| Source: | Code function: | 0_2_003BD710 | |
| Source: | Code function: | 0_2_003D9820 | |
| Source: | Code function: | 0_2_003A9996 | |
| Source: | Code function: | 0_2_003F5B70 | |
| Source: | Code function: | 0_2_003BFBE4 | |
| Source: | Code function: | 0_2_003E1C0E | |
| Source: | Code function: | 0_2_003E1C63 | |
| Source: | Code function: | 0_2_003DBD10 | |
| Source: | Code function: | 0_2_003E5E01 | |
| Source: | Code function: | 0_2_003BDE62 | |
| Source: | Code function: | 1_2_00440360 | |
| Source: | Code function: | 1_2_00421910 | |
| Source: | Code function: | 1_2_00404B40 | |
| Source: | Code function: | 1_2_00428BD4 | |
| Source: | Code function: | 1_2_00408010 | |
| Source: | Code function: | 1_2_00422128 | |
| Source: | Code function: | 1_2_0040413F | |
| Source: | Code function: | 1_2_0040A180 | |
| Source: | Code function: | 1_2_0041D25E | |
| Source: | Code function: | 1_2_00403310 | |
| Source: | Code function: | 1_2_004103B0 | |
| Source: | Code function: | 1_2_0041F420 | |
| Source: | Code function: | 1_2_00426480 | |
| Source: | Code function: | 1_2_004064A0 | |
| Source: | Code function: | 1_2_00440650 | |
| Source: | Code function: | 1_2_00401740 | |
| Source: | Code function: | 1_2_0043B770 | |
| Source: | Code function: | 1_2_00403775 | |
| Source: | Code function: | 1_2_0042072E | |
| Source: | Code function: | 1_2_0042C78E | |
| Source: | Code function: | 1_2_00427863 | |
| Source: | Code function: | 1_2_0042780E | |
| Source: | Code function: | 1_2_00440970 | |
| Source: | Code function: | 1_2_004069E0 | |
| Source: | Code function: | 1_2_004059E0 | |
| Source: | Code function: | 1_2_0042BA01 | |
| Source: | Code function: | 1_2_00438B10 | |
| Source: | Code function: | 1_2_00405C7C | |
| Source: | Code function: | 1_2_00426EC0 | |
| Source: | Code function: | 1_2_0041DECA | |
| Source: | Code function: | 1_2_00405F9F | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 1_2_0042D2DB | |
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00396A93 | |
| Source: | Code function: | 1_2_004434E0 | |
| Source: | Code function: | 1_2_004448B7 | |
| Source: | Code function: | 1_2_00444A05 | |
| Source: | Code function: | 1_2_00444B65 | |
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | System information queried: | Jump to behavior | ||
| Source: | API coverage: | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Code function: | 0_2_003A7331 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 1_2_0043CD20 | |
| Source: | Code function: | 0_2_00396E56 | |
| Source: | Code function: | 0_2_003A84AC | |
| Source: | Code function: | 0_2_0039F2BC | |
| Source: | Code function: | 0_2_003AAAAB | |
| Source: | Code function: | 0_2_00396E56 | |
| Source: | Code function: | 0_2_00396FB2 | |
| Source: | Code function: | 0_2_003970C5 | |
| Source: | Code function: | 0_2_0039B916 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00396B7C | |
| Source: | Code function: | 0_2_003AA0E0 | |
| Source: | Code function: | 0_2_003AA187 | |
| Source: | Code function: | 0_2_003AA1D2 | |
| Source: | Code function: | 0_2_003AA26D | |
| Source: | Code function: | 0_2_003AA2F8 | |
| Source: | Code function: | 0_2_003AA54B | |
| Source: | Code function: | 0_2_003AA674 | |
| Source: | Code function: | 0_2_003AA77A | |
| Source: | Code function: | 0_2_003AA849 | |
| Source: | Code function: | 0_2_003A1AC2 | |
| Source: | Code function: | 0_2_003A9EE5 | |
| Source: | Code function: | 0_2_003A1FE8 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_00396D50 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 311 Process Injection | 11 Virtualization/Sandbox Evasion | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 311 Process Injection | LSASS Memory | 131 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 31 Data from Local System | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 1 Process Discovery | Distributed Component Object Model | 2 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 11 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 33 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 1% | Virustotal | Browse |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 1% | Virustotal | Browse | ||
| 100% | Avira URL Cloud | malware | ||
| 21% | Virustotal | Browse | ||
| 20% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 1% | Virustotal | Browse | ||
| 14% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 16% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 17% | Virustotal | Browse | ||
| 14% | Virustotal | Browse | ||
| 12% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 21% | Virustotal | Browse | ||
| 12% | Virustotal | Browse | ||
| 17% | Virustotal | Browse | ||
| 1% | Virustotal | Browse |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| greetclassifytalk.shop | 172.67.177.98 | true | true |
| unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 172.67.177.98 | greetclassifytalk.shop | United States | 13335 | CLOUDFLARENETUS | true |
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1433969 |
| Start date and time: | 2024-04-30 11:44:04 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 2m 40s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 2 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | file.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@3/0@1/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Excluded IPs from analysis (whitelisted): 40.68.123.157
- Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, sls.update.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
- HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- Report size getting too big, too many NtOpenFile calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 11:44:50 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 172.67.177.98 | Get hash | malicious | LummaC | Browse | ||
| Get hash | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, RedLine, SmokeLoader | Browse | |||
| Get hash | malicious | LummaC, Babuk, Djvu, LummaC Stealer, RedLine, SmokeLoader | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| greetclassifytalk.shop | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, RedLine, SmokeLoader | Browse |
| ||
| Get hash | malicious | LummaC, Babuk, Djvu, LummaC Stealer, RedLine, SmokeLoader | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| |
| Get hash | malicious | FormBook, PureLog Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | GhostRat | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | FormBook, PureLog Stealer | Browse |
| ||
| Get hash | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine | Browse |
| ||
| Get hash | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine | Browse |
| ||
| Get hash | malicious | Remcos, DBatLoader | Browse |
| ||
| Get hash | malicious | Remcos, DBatLoader | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | MicroClip | Browse |
| ||
| Get hash | malicious | Latrodectus | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 7.71875844107937 |
| TrID: |
|
| File name: | file.exe |
| File size: | 515'584 bytes |
| MD5: | 665359fe7ad7626ffde7260978ec9470 |
| SHA1: | 4bf1009eeab5f6644e2caa1305623cc4ced5ea83 |
| SHA256: | 7bde1d12ff1ce50967e116119f003ae93e51198b12c06d3cee85a4199389489a |
| SHA512: | 6e69f4f704f788b17e2213b3a05dde144b2e9385df4450067e352a71d2c353d271b05096924b25c7c044bbbd194124af101ff91cc9945d1b584004c89675c881 |
| SSDEEP: | 12288:N4SkTUGRODehc/Q+NA1nJesa2L4yivGWp/GCqMWr:N44G+hXsa2L4ygGf1Mk |
| TLSH: | 3AB4F146B1C1C032DA33253615F4D6B49A3EBC700EA2AD9BE3D54F7E4F31A82D62156B |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............e~..e~..e~.c.}..e~.c.{..e~.c.z..e~.c....e~..e...e~.r.z..e~.r.}..e~.r.{..e~.C.w..e~.C.|..e~.Rich.e~.........PE..L.....0f... |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x4067b1 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x663014EE [Mon Apr 29 21:45:18 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 319c5a7bfce453072d64c94ea7770db9 |
| Instruction |
|---|
| call 00007F8B64DD257Ch |
| jmp 00007F8B64DD1E09h |
| cmp ecx, dword ptr [00429040h] |
| jne 00007F8B64DD1F93h |
| ret |
| jmp 00007F8B64DD28B9h |
| jmp 00007F8B64DD2A89h |
| push ebp |
| mov ebp, esp |
| jmp 00007F8B64DD1F9Fh |
| push dword ptr [ebp+08h] |
| call 00007F8B64DDC36Ch |
| pop ecx |
| test eax, eax |
| je 00007F8B64DD1FA1h |
| push dword ptr [ebp+08h] |
| call 00007F8B64DD7487h |
| pop ecx |
| test eax, eax |
| je 00007F8B64DD1F78h |
| pop ebp |
| ret |
| cmp dword ptr [ebp+08h], FFFFFFFFh |
| je 00007F8B64DCC9CCh |
| jmp 00007F8B64DD2A5Eh |
| push ebp |
| mov ebp, esp |
| push dword ptr [ebp+08h] |
| call 00007F8B64DD2A4Eh |
| pop ecx |
| pop ebp |
| ret |
| push ebp |
| mov ebp, esp |
| test byte ptr [ebp+08h], 00000001h |
| push esi |
| mov esi, ecx |
| mov dword ptr [esi], 004201C0h |
| je 00007F8B64DD1F9Ch |
| push 0000000Ch |
| push esi |
| call 00007F8B64DD1F6Dh |
| pop ecx |
| pop ecx |
| mov eax, esi |
| pop esi |
| pop ebp |
| retn 0004h |
| push ebp |
| mov ebp, esp |
| mov eax, dword ptr [ebp+08h] |
| push esi |
| mov ecx, dword ptr [eax+3Ch] |
| add ecx, eax |
| movzx eax, word ptr [ecx+14h] |
| lea edx, dword ptr [ecx+18h] |
| add edx, eax |
| movzx eax, word ptr [ecx+06h] |
| imul esi, eax, 28h |
| add esi, edx |
| cmp edx, esi |
| je 00007F8B64DD1FABh |
| mov ecx, dword ptr [ebp+0Ch] |
| cmp ecx, dword ptr [edx+0Ch] |
| jc 00007F8B64DD1F9Ch |
| mov eax, dword ptr [edx+08h] |
| add eax, dword ptr [edx+0Ch] |
| cmp ecx, eax |
| jc 00007F8B64DD1F9Eh |
| add edx, 28h |
| cmp edx, esi |
| jne 00007F8B64DD1F7Ch |
| xor eax, eax |
| pop esi |
| pop ebp |
| ret |
| mov eax, edx |
| jmp 00007F8B64DD1F8Bh |
| push esi |
| call 00007F8B64DD2A00h |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x27d40 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x80000 | 0x1b50 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x260f0 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x26030 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x1f000 | 0x13c | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x1d3fa | 0x1d400 | f4b7d6747214eebf9c24f0197e4fa5e6 | False | 0.5775824652777778 | data | 6.616353678954808 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x1f000 | 0x9462 | 0x9600 | e0861e46d69f21a902bd0cf9d97a5b00 | False | 0.387421875 | data | 4.65276889261495 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x29000 | 0x1eb4 | 0x1200 | fb631e0825eb8197994a1c9222e5d15a | False | 0.1703559027777778 | DOS executable (block device driver \377\377\377\377,32-bit sector-support) | 2.9508121929568962 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .Shine | 0x2b000 | 0x540c1 | 0x54200 | 88a560ec8628a00f64c417bcfbd1043b | False | 0.9983661079123328 | data | 7.999260966202749 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .reloc | 0x80000 | 0x1b50 | 0x1c00 | 17ece04041abecd06a6ded35e787867d | False | 0.75 | data | 6.504308533790372 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| DLL | Import |
|---|---|
| KERNEL32.dll | VirtualProtect, WaitForSingleObject, CreateRemoteThread, MultiByteToWideChar, GetStringTypeW, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, GetCPInfo, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetModuleHandleW, GetCurrentProcess, TerminateProcess, CreateFileW, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapFree, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, HeapAlloc, GetFileType, GetFileSizeEx, SetFilePointerEx, CloseHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetProcessHeap, HeapSize, WriteConsoleW |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 04/30/24-11:44:55.347963 | TCP | 2052037 | ET TROJAN Observed Lumma Stealer Related Domain (greetclassifytalk .shop in TLS SNI) | 49735 | 443 | 192.168.2.4 | 172.67.177.98 |
| 04/30/24-11:44:49.982146 | TCP | 2052037 | ET TROJAN Observed Lumma Stealer Related Domain (greetclassifytalk .shop in TLS SNI) | 49730 | 443 | 192.168.2.4 | 172.67.177.98 |
| 04/30/24-11:44:50.754198 | TCP | 2052037 | ET TROJAN Observed Lumma Stealer Related Domain (greetclassifytalk .shop in TLS SNI) | 49731 | 443 | 192.168.2.4 | 172.67.177.98 |
| 04/30/24-11:44:54.457656 | TCP | 2052037 | ET TROJAN Observed Lumma Stealer Related Domain (greetclassifytalk .shop in TLS SNI) | 49734 | 443 | 192.168.2.4 | 172.67.177.98 |
| 04/30/24-11:44:52.727126 | TCP | 2052037 | ET TROJAN Observed Lumma Stealer Related Domain (greetclassifytalk .shop in TLS SNI) | 49732 | 443 | 192.168.2.4 | 172.67.177.98 |
| 04/30/24-11:44:58.825440 | TCP | 2052037 | ET TROJAN Observed Lumma Stealer Related Domain (greetclassifytalk .shop in TLS SNI) | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| 04/30/24-11:44:53.635615 | TCP | 2052037 | ET TROJAN Observed Lumma Stealer Related Domain (greetclassifytalk .shop in TLS SNI) | 49733 | 443 | 192.168.2.4 | 172.67.177.98 |
| 04/30/24-11:44:49.867931 | UDP | 2052028 | ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (greetclassifytalk .shop) | 58505 | 53 | 192.168.2.4 | 1.1.1.1 |
| 04/30/24-11:44:56.091210 | TCP | 2052037 | ET TROJAN Observed Lumma Stealer Related Domain (greetclassifytalk .shop in TLS SNI) | 49736 | 443 | 192.168.2.4 | 172.67.177.98 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Apr 30, 2024 11:44:49.978847980 CEST | 49730 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:49.978893042 CEST | 443 | 49730 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:49.978976965 CEST | 49730 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:49.982146025 CEST | 49730 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:49.982161999 CEST | 443 | 49730 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:50.200625896 CEST | 443 | 49730 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:50.200705051 CEST | 49730 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:50.203231096 CEST | 49730 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:50.203239918 CEST | 443 | 49730 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:50.203656912 CEST | 443 | 49730 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:50.258146048 CEST | 49730 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:50.258209944 CEST | 49730 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:50.258297920 CEST | 443 | 49730 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:50.746562958 CEST | 443 | 49730 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:50.746695042 CEST | 443 | 49730 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:50.746783972 CEST | 49730 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:50.748955011 CEST | 49730 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:50.748971939 CEST | 443 | 49730 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:50.753818035 CEST | 49731 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:50.753854036 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:50.753926992 CEST | 49731 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:50.754198074 CEST | 49731 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:50.754213095 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:50.965034962 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:50.965176105 CEST | 49731 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:50.966207027 CEST | 49731 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:50.966214895 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:50.966547966 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:50.967792034 CEST | 49731 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:50.967835903 CEST | 49731 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:50.967878103 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:52.233374119 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:52.233480930 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:52.233529091 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:52.233531952 CEST | 49731 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:52.233566999 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:52.233608007 CEST | 49731 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:52.233613968 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:52.233668089 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:52.233704090 CEST | 49731 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:52.233711958 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:52.233758926 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:52.233794928 CEST | 49731 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:52.233802080 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:52.233838081 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:52.233879089 CEST | 49731 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:52.233885050 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:52.234261036 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:52.234302998 CEST | 49731 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:52.234308958 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:52.234365940 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:52.234410048 CEST | 49731 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:52.695137978 CEST | 49731 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:52.695175886 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:52.695189953 CEST | 49731 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:52.695197105 CEST | 443 | 49731 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:52.726762056 CEST | 49732 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:52.726800919 CEST | 443 | 49732 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:52.726869106 CEST | 49732 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:52.727125883 CEST | 49732 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:52.727139950 CEST | 443 | 49732 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:52.935374022 CEST | 443 | 49732 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:52.935496092 CEST | 49732 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:52.956660032 CEST | 49732 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:52.956688881 CEST | 443 | 49732 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:52.957034111 CEST | 443 | 49732 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:52.958144903 CEST | 49732 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:52.958261967 CEST | 49732 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:52.958300114 CEST | 443 | 49732 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:52.958360910 CEST | 49732 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:52.958372116 CEST | 443 | 49732 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:53.511701107 CEST | 443 | 49732 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:53.511822939 CEST | 443 | 49732 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:53.511986971 CEST | 49732 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:53.512475967 CEST | 49732 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:53.512495041 CEST | 443 | 49732 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:53.635107994 CEST | 49733 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:53.635134935 CEST | 443 | 49733 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:53.635217905 CEST | 49733 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:53.635615110 CEST | 49733 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:53.635628939 CEST | 443 | 49733 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:53.847871065 CEST | 443 | 49733 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:53.847954988 CEST | 49733 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:53.863107920 CEST | 49733 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:53.863126040 CEST | 443 | 49733 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:53.863343954 CEST | 443 | 49733 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:53.866403103 CEST | 49733 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:53.866868019 CEST | 49733 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:53.866897106 CEST | 443 | 49733 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:54.406244040 CEST | 443 | 49733 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:54.406543970 CEST | 443 | 49733 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:54.406719923 CEST | 49733 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:54.406721115 CEST | 49733 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:54.456989050 CEST | 49734 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:54.457093000 CEST | 443 | 49734 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:54.457335949 CEST | 49734 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:54.457655907 CEST | 49734 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:54.457684994 CEST | 443 | 49734 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:54.665592909 CEST | 443 | 49734 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:54.665704966 CEST | 49734 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:54.666933060 CEST | 49734 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:54.666963100 CEST | 443 | 49734 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:54.667176962 CEST | 443 | 49734 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:54.668318987 CEST | 49734 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:54.668431044 CEST | 49734 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:54.668473005 CEST | 443 | 49734 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:54.668554068 CEST | 49734 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:54.668571949 CEST | 443 | 49734 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:54.712318897 CEST | 49733 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:54.712346077 CEST | 443 | 49733 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:55.256901979 CEST | 443 | 49734 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:55.256984949 CEST | 443 | 49734 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:55.257051945 CEST | 49734 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:55.257205009 CEST | 49734 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:55.257225990 CEST | 443 | 49734 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:55.347553015 CEST | 49735 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:55.347601891 CEST | 443 | 49735 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:55.347671986 CEST | 49735 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:55.347963095 CEST | 49735 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:55.347979069 CEST | 443 | 49735 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:55.555035114 CEST | 443 | 49735 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:55.555233955 CEST | 49735 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:55.556699991 CEST | 49735 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:55.556715965 CEST | 443 | 49735 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:55.556920052 CEST | 443 | 49735 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:55.558130980 CEST | 49735 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:55.558269978 CEST | 49735 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:55.558303118 CEST | 443 | 49735 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:56.075395107 CEST | 443 | 49735 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:56.075504065 CEST | 443 | 49735 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:56.075562000 CEST | 49735 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:56.075642109 CEST | 49735 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:56.075666904 CEST | 443 | 49735 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:56.090801001 CEST | 49736 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:56.090858936 CEST | 443 | 49736 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:56.090945959 CEST | 49736 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:56.091209888 CEST | 49736 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:56.091223955 CEST | 443 | 49736 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:56.298310041 CEST | 443 | 49736 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:56.298397064 CEST | 49736 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:57.487257957 CEST | 49736 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:57.487299919 CEST | 443 | 49736 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:57.488250971 CEST | 443 | 49736 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:57.489351988 CEST | 49736 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:57.489448071 CEST | 49736 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:57.489454031 CEST | 443 | 49736 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:58.091295958 CEST | 443 | 49736 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:58.091509104 CEST | 443 | 49736 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:58.091512918 CEST | 49736 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:58.091547012 CEST | 49736 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:58.825025082 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:58.825062990 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:58.825146914 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:58.825439930 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:58.825454950 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:59.034969091 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:59.035038948 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:59.036242008 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:59.036250114 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:59.036571980 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:59.037704945 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:59.038460016 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:59.038496971 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:59.038616896 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:59.038654089 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:59.038753033 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:59.038814068 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:59.038928986 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:59.038949013 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:59.039063931 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:59.039098978 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:59.039241076 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:59.039266109 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:59.039273977 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:59.039330006 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:59.039411068 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:59.039434910 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:59.039452076 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:59.084124088 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:59.084300041 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:59.084336042 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:59.084348917 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:59.132128000 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:59.132297993 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:59.132354975 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:59.180119991 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:59.180206060 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:59.228121042 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:59.239650011 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:59.239779949 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:44:59.239784956 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:44:59.284112930 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:45:00.761173010 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:45:00.761250973 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Apr 30, 2024 11:45:00.761307001 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:45:00.763180971 CEST | 49737 | 443 | 192.168.2.4 | 172.67.177.98 |
| Apr 30, 2024 11:45:00.763199091 CEST | 443 | 49737 | 172.67.177.98 | 192.168.2.4 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Apr 30, 2024 11:44:49.867930889 CEST | 58505 | 53 | 192.168.2.4 | 1.1.1.1 |
| Apr 30, 2024 11:44:49.974630117 CEST | 53 | 58505 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Apr 30, 2024 11:44:49.867930889 CEST | 192.168.2.4 | 1.1.1.1 | 0xf6dd | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Apr 30, 2024 11:44:49.974630117 CEST | 1.1.1.1 | 192.168.2.4 | 0xf6dd | No error (0) | 172.67.177.98 | A (IP address) | IN (0x0001) | false | ||
| Apr 30, 2024 11:44:49.974630117 CEST | 1.1.1.1 | 192.168.2.4 | 0xf6dd | No error (0) | 104.21.51.78 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49730 | 172.67.177.98 | 443 | 344 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-30 09:44:50 UTC | 269 | OUT | |
| 2024-04-30 09:44:50 UTC | 8 | OUT | |
| 2024-04-30 09:44:50 UTC | 798 | IN | |
| 2024-04-30 09:44:50 UTC | 7 | IN | |
| 2024-04-30 09:44:50 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49731 | 172.67.177.98 | 443 | 344 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-30 09:44:50 UTC | 270 | OUT | |
| 2024-04-30 09:44:50 UTC | 49 | OUT | |
| 2024-04-30 09:44:52 UTC | 800 | IN | |
| 2024-04-30 09:44:52 UTC | 569 | IN | |
| 2024-04-30 09:44:52 UTC | 727 | IN | |
| 2024-04-30 09:44:52 UTC | 1369 | IN | |
| 2024-04-30 09:44:52 UTC | 1369 | IN | |
| 2024-04-30 09:44:52 UTC | 1369 | IN | |
| 2024-04-30 09:44:52 UTC | 1369 | IN | |
| 2024-04-30 09:44:52 UTC | 1369 | IN | |
| 2024-04-30 09:44:52 UTC | 1369 | IN | |
| 2024-04-30 09:44:52 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 49732 | 172.67.177.98 | 443 | 344 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-30 09:44:52 UTC | 288 | OUT | |
| 2024-04-30 09:44:52 UTC | 15331 | OUT | |
| 2024-04-30 09:44:52 UTC | 2827 | OUT | |
| 2024-04-30 09:44:53 UTC | 808 | IN | |
| 2024-04-30 09:44:53 UTC | 20 | IN | |
| 2024-04-30 09:44:53 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.4 | 49733 | 172.67.177.98 | 443 | 344 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-30 09:44:53 UTC | 287 | OUT | |
| 2024-04-30 09:44:53 UTC | 8779 | OUT | |
| 2024-04-30 09:44:54 UTC | 802 | IN | |
| 2024-04-30 09:44:54 UTC | 20 | IN | |
| 2024-04-30 09:44:54 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.4 | 49734 | 172.67.177.98 | 443 | 344 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-30 09:44:54 UTC | 288 | OUT | |
| 2024-04-30 09:44:54 UTC | 15331 | OUT | |
| 2024-04-30 09:44:54 UTC | 5101 | OUT | |
| 2024-04-30 09:44:55 UTC | 800 | IN | |
| 2024-04-30 09:44:55 UTC | 20 | IN | |
| 2024-04-30 09:44:55 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.4 | 49735 | 172.67.177.98 | 443 | 344 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-30 09:44:55 UTC | 287 | OUT | |
| 2024-04-30 09:44:55 UTC | 7079 | OUT | |
| 2024-04-30 09:44:56 UTC | 808 | IN | |
| 2024-04-30 09:44:56 UTC | 20 | IN | |
| 2024-04-30 09:44:56 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.4 | 49736 | 172.67.177.98 | 443 | 344 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-30 09:44:57 UTC | 287 | OUT | |
| 2024-04-30 09:44:57 UTC | 1394 | OUT | |
| 2024-04-30 09:44:58 UTC | 808 | IN | |
| 2024-04-30 09:44:58 UTC | 20 | IN | |
| 2024-04-30 09:44:58 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.4 | 49737 | 172.67.177.98 | 443 | 344 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-04-30 09:44:59 UTC | 289 | OUT | |
| 2024-04-30 09:44:59 UTC | 15331 | OUT | |
| 2024-04-30 09:44:59 UTC | 15331 | OUT | |
| 2024-04-30 09:44:59 UTC | 15331 | OUT | |
| 2024-04-30 09:44:59 UTC | 15331 | OUT | |
| 2024-04-30 09:44:59 UTC | 15331 | OUT | |
| 2024-04-30 09:44:59 UTC | 15331 | OUT | |
| 2024-04-30 09:44:59 UTC | 15331 | OUT | |
| 2024-04-30 09:44:59 UTC | 15331 | OUT | |
| 2024-04-30 09:44:59 UTC | 15331 | OUT | |
| 2024-04-30 09:44:59 UTC | 15331 | OUT | |
| 2024-04-30 09:45:00 UTC | 808 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 11:44:49 |
| Start date: | 30/04/2024 |
| Path: | C:\Users\user\Desktop\file.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x390000 |
| File size: | 515'584 bytes |
| MD5 hash: | 665359FE7AD7626FFDE7260978EC9470 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 11:44:49 |
| Start date: | 30/04/2024 |
| Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x20000 |
| File size: | 65'440 bytes |
| MD5 hash: | 0D5DF43AF2916F47D00C1573797C1A13 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 1.3% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 2.2% |
| Total number of Nodes: | 404 |
| Total number of Limit Nodes: | 20 |
Graph
Function 003A84AC Relevance: .0, Instructions: 22COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0039F2BC Relevance: .0, Instructions: 12COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003A1C8B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003920A7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57memorysynchronizationthreadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003A5C5B Relevance: 7.7, APIs: 5, Instructions: 202COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003A2125 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003A7DDD Relevance: 3.2, APIs: 2, Instructions: 177COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003A79E1 Relevance: 1.6, APIs: 1, Instructions: 147COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003A228D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003D9D0A Relevance: 16.7, Strings: 13, Instructions: 473COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003AA674 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003C39B0 Relevance: 7.8, Strings: 6, Instructions: 317COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003A9EE5 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003BEF40 Relevance: 6.7, Strings: 5, Instructions: 498COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00396E56 Relevance: 6.1, APIs: 4, Instructions: 70COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003E2FD4 Relevance: 5.8, Strings: 4, Instructions: 783COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003AA2F8 Relevance: 4.7, APIs: 3, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003E12C0 Relevance: 4.5, Strings: 3, Instructions: 787COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003FAD70 Relevance: 4.0, Strings: 3, Instructions: 299COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003A1FE8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003D29A5 Relevance: 3.4, Strings: 2, Instructions: 945COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003BFBE4 Relevance: 3.3, Strings: 2, Instructions: 789COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003E0880 Relevance: 3.0, Strings: 2, Instructions: 538COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003E1C63 Relevance: 2.9, Strings: 2, Instructions: 411COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003E1C0E Relevance: 2.9, Strings: 2, Instructions: 410COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003D1CD7 Relevance: 2.8, Strings: 2, Instructions: 327COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003D244E Relevance: 2.8, Strings: 2, Instructions: 314COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00396B7C Relevance: 1.6, APIs: 1, Instructions: 147COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003A7331 Relevance: 1.6, APIs: 1, Instructions: 140COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003AA54B Relevance: 1.6, APIs: 1, Instructions: 83COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003E2A4D Relevance: 1.6, Strings: 1, Instructions: 304COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003AA77A Relevance: 1.5, APIs: 1, Instructions: 45COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003AA0E0 Relevance: 1.5, APIs: 1, Instructions: 43COMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003FAA50 Relevance: 1.5, Strings: 1, Instructions: 278COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003FA760 Relevance: 1.5, Strings: 1, Instructions: 259COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00396FB2 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003FB0E0 Relevance: 1.5, Strings: 1, Instructions: 230COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003AAAAB Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003C2410 Relevance: .7, Instructions: 705COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003F5B70 Relevance: .7, Instructions: 665COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003BDE62 Relevance: .7, Instructions: 655COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003BE530 Relevance: .6, Instructions: 607COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003B9083 Relevance: .5, Instructions: 459COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003D5C10 Relevance: .5, Instructions: 452COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003C08A0 Relevance: .4, Instructions: 442COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003DBD10 Relevance: .4, Instructions: 374COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003A9996 Relevance: .3, Instructions: 327COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003CD813 Relevance: .3, Instructions: 295COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003E6B8E Relevance: .2, Instructions: 226COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003F6400 Relevance: .2, Instructions: 209COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003DC528 Relevance: .2, Instructions: 204COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003E5E01 Relevance: .2, Instructions: 200COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003D07DB Relevance: .2, Instructions: 190COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003F2F10 Relevance: .2, Instructions: 189COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003C4580 Relevance: .2, Instructions: 171COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003CCCD0 Relevance: .2, Instructions: 164COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003DAB2E Relevance: .2, Instructions: 163COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003D80CC Relevance: .2, Instructions: 151COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003CFAB0 Relevance: .1, Instructions: 146COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003CA7B0 Relevance: .1, Instructions: 127COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003D9820 Relevance: .1, Instructions: 126COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003CDC74 Relevance: .1, Instructions: 114COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003BD710 Relevance: .1, Instructions: 96COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003BC9E0 Relevance: .1, Instructions: 95COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003F7422 Relevance: .1, Instructions: 81COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003F761E Relevance: .1, Instructions: 77COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003F0C70 Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003DE980 Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003DCB18 Relevance: .1, Instructions: 55COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003CB133 Relevance: .0, Instructions: 50COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003F99E9 Relevance: .0, Instructions: 40COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003C7590 Relevance: .0, Instructions: 21COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003DE0F6 Relevance: .0, Instructions: 16COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003F738E Relevance: .0, Instructions: 16COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003DFC70 Relevance: .0, Instructions: 16COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003CC83E Relevance: .0, Instructions: 14COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003DE0F4 Relevance: .0, Instructions: 13COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003F8DF6 Relevance: .0, Instructions: 11COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003F7B79 Relevance: .0, Instructions: 10COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003D7EB7 Relevance: .0, Instructions: 6COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00399CB8 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003A551C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 298COMMONLIBRARYCODE
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00396380 Relevance: 12.2, APIs: 8, Instructions: 175COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003936E9 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0039F2DE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00399A61 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 168COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00392334 Relevance: 7.5, APIs: 5, Instructions: 48COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00392F03 Relevance: 7.5, APIs: 5, Instructions: 48COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0039AA92 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003A70EE Relevance: 6.1, APIs: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0039E6B8 Relevance: 6.1, APIs: 4, Instructions: 79COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003A8084 Relevance: 6.1, APIs: 4, Instructions: 74COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0039A05D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00393776 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003915D5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003A1EE9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph
| Execution Coverage: | 14.8% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 10.3% |
| Total number of Nodes: | 360 |
| Total number of Limit Nodes: | 18 |
Graph
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0043CD20 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00416C6A Relevance: 1.7, APIs: 1, Instructions: 205COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0042BA01 Relevance: 1.7, APIs: 1, Instructions: 200COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0042D2DB Relevance: .0, Instructions: 20COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0042D4B8 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 87memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0043ACBB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0043C593 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0041DFB0 Relevance: 3.2, APIs: 2, Instructions: 247COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00415CB8 Relevance: 3.2, APIs: 2, Instructions: 178COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0043C89A Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0043C737 Relevance: 1.6, APIs: 1, Instructions: 58libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0043ABD0 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0043CBDC Relevance: 1.5, APIs: 1, Instructions: 43memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00419072 Relevance: 1.5, APIs: 1, Instructions: 31COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |