Edit tour
Windows
Analysis Report
file.exe
Overview
General Information
| Sample name: | file.exe |
| Analysis ID: | 1435438 |
| MD5: | e04cdcb33735437ae84e00dd308fa527 |
| SHA1: | f0252f8a571ccb35de4b407f28bbc04627e3237b |
| SHA256: | 8640a33799d7774932b0a197183a2051ef417b57e290b0d1aa32929c02a45393 |
| Tags: | exe |
| Infos: |  |
 | |
Detection
LummaC
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Yara detected LummaC Stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
file.exe (PID: 7436 cmdline: "C:\Users\ user\Deskt op\file.ex e" MD5: E04CDCB33735437AE84E00DD308FA527) 
BitLockerToGo.exe (PID: 7688 cmdline: C:\Windows \BitLocker DiscoveryV olumeConte nts\BitLoc kerToGo.ex e MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
{"C2 url": ["boredimperissvieos.shop", "holicisticscrarws.shop", "sweetsquarediaslw.shop", "plaintediousidowsko.shop", "miniaturefinerninewjs.shop", "zippyfinickysofwps.shop", "obsceneclassyjuwks.shop", "acceptabledcooeprs.shop", "greetclassifytalk.shop"]}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |
⊘No Sigma rule has matched
| Timestamp: | 05/02/24-17:58:17.045554 |
| SID: | 2052037 |
| Source Port: | 49737 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 05/02/24-17:58:24.101749 |
| SID: | 2052037 |
| Source Port: | 49742 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 05/02/24-17:58:16.141641 |
| SID: | 2052028 |
| Source Port: | 49831 |
| Destination Port: | 53 |
| Protocol: | UDP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 05/02/24-17:58:22.145210 |
| SID: | 2052037 |
| Source Port: | 49741 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 05/02/24-17:58:16.342531 |
| SID: | 2052037 |
| Source Port: | 49736 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 05/02/24-17:58:21.230919 |
| SID: | 2052037 |
| Source Port: | 49740 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 05/02/24-17:58:25.205454 |
| SID: | 2052037 |
| Source Port: | 49743 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 05/02/24-17:58:20.405974 |
| SID: | 2052037 |
| Source Port: | 49739 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 05/02/24-17:58:19.442158 |
| SID: | 2052037 |
| Source Port: | 49738 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira URL Cloud: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Code function: | 2_2_00B56682 | |
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 2_2_00B64478 | |
| Source: | Code function: | 2_2_00B64478 | |
| Source: | Code function: | 2_2_00B7C461 | |
| Source: | Code function: | 2_2_00B7C615 | |
| Source: | Code function: | 2_2_00B7E8D0 | |
| Source: | Code function: | 2_2_00B679F5 | |
| Source: | Code function: | 2_2_00B66948 | |
| Source: | Code function: | 2_2_00B750A0 | |
| Source: | Code function: | 2_2_00B7E09F | |
| Source: | Code function: | 2_2_00B53038 | |
| Source: | Code function: | 2_2_00B67059 | |
| Source: | Code function: | 2_2_00B6213D | |
| Source: | Code function: | 2_2_00B6213D | |
| Source: | Code function: | 2_2_00B7D265 | |
| Source: | Code function: | 2_2_00B5D35E | |
| Source: | Code function: | 2_2_00B5D35E | |
| Source: | Code function: | 2_2_00B7D48A | |
| Source: | Code function: | 2_2_00B7D4E8 | |
| Source: | Code function: | 2_2_00B7C436 | |
| Source: | Code function: | 2_2_00B68410 | |
| Source: | Code function: | 2_2_00B51419 | |
| Source: | Code function: | 2_2_00B55470 | |
| Source: | Code function: | 2_2_00B7C571 | |
| Source: | Code function: | 2_2_00B7C571 | |
| Source: | Code function: | 2_2_00B5757A | |
| Source: | Code function: | 2_2_00B5757A | |
| Source: | Code function: | 2_2_00B56555 | |
| Source: | Code function: | 2_2_00B626BD | |
| Source: | Code function: | 2_2_00B4D650 | |
| Source: | Code function: | 2_2_00B42650 | |
| Source: | Code function: | 2_2_00B497F0 | |
| Source: | Code function: | 2_2_00B557D5 | |
| Source: | Code function: | 2_2_00B62760 | |
| Source: | Code function: | 2_2_00B658B0 | |
| Source: | Code function: | 2_2_00B64982 | |
| Source: | Code function: | 2_2_00B7A930 | |
| Source: | Code function: | 2_2_00B66953 | |
| Source: | Code function: | 2_2_00B57ABA | |
| Source: | Code function: | 2_2_00B7EAF0 | |
| Source: | Code function: | 2_2_00B79A20 | |
| Source: | Code function: | 2_2_00B68A13 | |
| Source: | Code function: | 2_2_00B5DB00 | |
| Source: | Code function: | 2_2_00B5DB00 | |
| Source: | Code function: | 2_2_00B5DDC7 | |
| Source: | Code function: | 2_2_00B54D32 | |
| Source: | Code function: | 2_2_00B56D57 | |
| Source: | Code function: | 2_2_00B7DEB1 | |
| Source: | Code function: | 2_2_00B7DE9C | |
| Source: | Code function: | 2_2_00B51E13 | |
| Source: | Code function: | 2_2_00B4FE47 | |
| Source: | Code function: | 2_2_00B7DFE0 | |
| Source: | Code function: | 2_2_00B56F3B | |
| Source: | Code function: | 2_2_00B5DF3A | |
Networking | |
|---|
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 2_2_00B70520 | |
| Source: | Code function: | 2_2_00B70520 | |
| Source: | Code function: | 2_2_00B71CAA | |
| Source: | Code function: | 2_2_00B6112E | |
| Source: | Code function: | 2_2_00B618A0 | |
| Source: | Code function: | 2_2_00B62840 | |
| Source: | Code function: | 2_2_00B44B30 | |
| Source: | Code function: | 2_2_00B42D10 | |
| Source: | Code function: | 2_2_00B7EE70 | |
| Source: | Code function: | 2_2_00B480A0 | |
| Source: | Code function: | 2_2_00B77090 | |
| Source: | Code function: | 2_2_00B7F190 | |
| Source: | Code function: | 2_2_00B6213D | |
| Source: | Code function: | 2_2_00B44160 | |
| Source: | Code function: | 2_2_00B50390 | |
| Source: | Code function: | 2_2_00B43360 | |
| Source: | Code function: | 2_2_00B5D35E | |
| Source: | Code function: | 2_2_00B46480 | |
| Source: | Code function: | 2_2_00B7F500 | |
| Source: | Code function: | 2_2_00B417B0 | |
| Source: | Code function: | 2_2_00B45720 | |
| Source: | Code function: | 2_2_00B6C85E | |
| Source: | Code function: | 2_2_00B68AC0 | |
| Source: | Code function: | 2_2_00B46A50 | |
| Source: | Code function: | 2_2_00B65B50 | |
| Source: | Code function: | 2_2_00B79E10 | |
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 2_2_00B70169 | |
| Source: | File created: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 2_2_00B737E7 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | System information queried: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 2_2_00B7B550 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 311 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 111 Security Software Discovery | Remote Services | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Virtualization/Sandbox Evasion | LSASS Memory | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 311 Process Injection | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | 31 Data from Local System | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Deobfuscate/Decode Files or Information | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | 2 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | 12 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 1% | Virustotal | Browse |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 1% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 13% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 1% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 1% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 1% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 1% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 1% | Virustotal | Browse | ||
| 0% | Virustotal | Browse | ||
| 1% | Virustotal | Browse |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| greetclassifytalk.shop | 104.21.51.78 | true | true |
| unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 104.21.51.78 | greetclassifytalk.shop | United States | 13335 | CLOUDFLARENETUS | true |
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1435438 |
| Start date and time: | 2024-05-02 17:57:09 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 4m 19s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 5 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | file.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@3/0@1/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target file.exe, PID 7436 because there are no executed function
- HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 17:58:16 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 104.21.51.78 | Get hash | malicious | LummaC, GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine | Browse | ||
| Get hash | malicious | LummaC | Browse | |||
| Get hash | malicious | LummaC | Browse | |||
| Get hash | malicious | LummaC | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| greetclassifytalk.shop | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, RedLine, SmokeLoader | Browse |
| ||
| Get hash | malicious | LummaC, Babuk, Djvu, LummaC Stealer, RedLine, SmokeLoader | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | AgentTesla, PureLog Stealer, RedLine | Browse |
| |
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | HtmlDropper, HTMLPhisher | Browse |
| ||
| Get hash | malicious | RisePro Stealer | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | RisePro Stealer | Browse |
| ||
| Get hash | malicious | RisePro Stealer | Browse |
| ||
| Get hash | malicious | RisePro Stealer | Browse |
| ||
| Get hash | malicious | Amadey | Browse |
| ||
| Get hash | malicious | RisePro Stealer | Browse |
| ||
| Get hash | malicious | RisePro Stealer | Browse |
|
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 6.38701211855582 |
| TrID: |
|
| File name: | file.exe |
| File size: | 7'379'456 bytes |
| MD5: | e04cdcb33735437ae84e00dd308fa527 |
| SHA1: | f0252f8a571ccb35de4b407f28bbc04627e3237b |
| SHA256: | 8640a33799d7774932b0a197183a2051ef417b57e290b0d1aa32929c02a45393 |
| SHA512: | d99e80c28f94d3365871e2258127bb45c72bacfeca737d31c0ccc2ef30a3b3bb1c6d494502bff98ba4a4b2b1052ca9efed76b642bfd436ab7b43f4ceb82ea14b |
| SSDEEP: | 49152:6Or1QlR8tElrFMtZkk1vwa6lghIEzC5MFQ/Rp5qL9dQ0R/yAqGixjg5EV5Jznv/I:LGRaELV7zVoQ0R/lEdI7iNj |
| TLSH: | C2764907ECA149E4C0ED92748566815A7B72BC494B3027D72B60F7382FB6BD0AF7A354 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$../...p................@..............................v.......q...`... ............................ |
 | |
| Icon Hash: | 8e0369317929070e |
| Entrypoint: | 0x1400014c0 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x140000000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x0 [Thu Jan 1 00:00:00 1970 UTC] |
| TLS Callbacks: | 0x402e62f0, 0x1, 0x402e62c0, 0x1, 0x402e9d50, 0x1 |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 1 |
| File Version Major: | 6 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 1 |
| Import Hash: | 5929190c8765f5bc37b052ab5c6c53e7 |
| Instruction |
|---|
| dec eax |
| sub esp, 28h |
| dec eax |
| mov eax, dword ptr [006CF255h] |
| mov dword ptr [eax], 00000001h |
| call 00007F2D9932E52Fh |
| nop |
| nop |
| dec eax |
| add esp, 28h |
| ret |
| nop dword ptr [eax] |
| dec eax |
| sub esp, 28h |
| dec eax |
| mov eax, dword ptr [006CF235h] |
| mov dword ptr [eax], 00000000h |
| call 00007F2D9932E50Fh |
| nop |
| nop |
| dec eax |
| add esp, 28h |
| ret |
| nop dword ptr [eax] |
| dec eax |
| sub esp, 28h |
| call 00007F2D9961E42Ch |
| dec eax |
| test eax, eax |
| sete al |
| movzx eax, al |
| neg eax |
| dec eax |
| add esp, 28h |
| ret |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| dec eax |
| lea ecx, dword ptr [00000009h] |
| jmp 00007F2D9932E849h |
| nop dword ptr [eax+00h] |
| ret |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| jmp dword ptr [eax] |
| inc edi |
| outsd |
| and byte ptr [edx+75h], ah |
| imul ebp, dword ptr [esp+20h], 203A4449h |
| and ch, byte ptr [ebx+7Ah] |
| xor dl, byte ptr [edx+41h] |
| cmp byte ptr [ebp+69h], dl |
| jnbe 00007F2D9932E8E4h |
| imul esi, dword ptr [esi+eax*2+6Bh], 76342D67h |
| dec edx |
| das |
| push edx |
| bound esi, dword ptr [eax+48h] |
| jns 00007F2D9932E8DCh |
| pop edx |
| dec edi |
| xor byte ptr [ebp+5Fh], al |
| dec cx |
| push ebp |
| js 00007F2D9932E8AAh |
| dec ebx |
| dec eax |
| xor al, 4Dh |
| das |
| inc edi |
| inc esp |
| xor byte ptr [eax], bh |
| dec edx |
| inc esp |
| jp 00007F2D9932E89Fh |
| jns 00007F2D9932E8D4h |
| outsd |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x744000 | 0x4e | .edata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x745000 | 0x13d0 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x749000 | 0x143de | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x6d1000 | 0x13d4c | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x75e000 | 0xf12c | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x6d0080 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x74547c | 0x440 | .idata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x2f0880 | 0x2f0a00 | a30c3beeaf0c435985f83805daf52710 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0x2f2000 | 0x3ffb0 | 0x40000 | aece6b7a40c4ca7cb39e3464ab8f491e | False | 0.38483428955078125 | dBase III DBT, version number 0, next free block index 10, 1st item "4.8\011h1:ey/L8FGBMrJ1Xh+Rltj1MAFPZ4LOQYGJqNa5B1Na6B0=" | 4.94236231012946 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rdata | 0x332000 | 0x39eeb0 | 0x39f000 | e2b8179f688d2469f241acc11c5ddbd9 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
| .pdata | 0x6d1000 | 0x13d4c | 0x13e00 | 93119aa1bac026b115ded2a17f408a5e | False | 0.4066062303459119 | data | 5.653487717761268 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
| .xdata | 0x6e5000 | 0xc44 | 0xe00 | 288e05fdf921660d48450e3355fc1130 | False | 0.25613839285714285 | data | 3.9773968313183308 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
| .bss | 0x6e6000 | 0x5d580 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .edata | 0x744000 | 0x4e | 0x200 | 40228e8a1e4ba5eda4d2c4d863a22ae1 | False | 0.08984375 | data | 0.6513844786319263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
| .idata | 0x745000 | 0x13d0 | 0x1400 | ec8785a06331a50b410999b917020d31 | False | 0.3169921875 | data | 4.39723632679586 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .CRT | 0x747000 | 0x70 | 0x200 | 9ee5287835e330d2cf0d18d8b3239f7c | False | 0.08203125 | data | 0.47139462148086453 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .tls | 0x748000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x749000 | 0x143de | 0x14400 | 1682c49717a886cb4113bfa176701d0b | False | 0.4810956790123457 | data | 5.75846340979481 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .reloc | 0x75e000 | 0xf12c | 0xf200 | ad11cf28236240b943d24fc83cf873c1 | False | 0.2417032541322314 | data | 5.4277008612986934 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x749388 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | 0.2862903225806452 | ||
| RT_ICON | 0x749670 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | 0.4560810810810811 | ||
| RT_ICON | 0x749798 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2688 | 0.4291044776119403 | ||
| RT_ICON | 0x74a640 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | 0.5649819494584838 | ||
| RT_ICON | 0x74aee8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | 0.6705202312138728 | ||
| RT_ICON | 0x74b450 | 0x6463 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | 0.9970815985057785 | ||
| RT_ICON | 0x7518b4 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | 0.16597779877184696 | ||
| RT_ICON | 0x755adc | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | 0.20093360995850623 | ||
| RT_ICON | 0x758084 | 0x1a68 | Device independent bitmap graphic, 40 x 80 x 32, image size 6720 | 0.23106508875739645 | ||
| RT_ICON | 0x759aec | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | 0.2926829268292683 | ||
| RT_ICON | 0x75ab94 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | 0.3639344262295082 | ||
| RT_ICON | 0x75b51c | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 1680 | 0.4308139534883721 | ||
| RT_ICON | 0x75bbd4 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | 0.5079787234042553 | ||
| RT_GROUP_ICON | 0x75c03c | 0xbc | data | 0.6595744680851063 | ||
| RT_VERSION | 0x75c0f8 | 0x3a0 | data | Japanese | Japan | 0.44719827586206895 |
| RT_MANIFEST | 0x75c498 | 0x8cb | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (2191), with CRLF line terminators | English | United States | 0.31941359395824076 |
| RT_MANIFEST | 0x75cd64 | 0x67a | XML 1.0 document, ASCII text, with CRLF line terminators | Japanese | Japan | 0.3968636911942099 |
| DLL | Import |
|---|---|
| KERNEL32.dll | AddAtomA, AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateFileA, CreateIoCompletionPort, CreateMutexA, CreateSemaphoreA, CreateThread, CreateWaitableTimerExW, DeleteAtom, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FindAtomA, FormatMessageA, FreeEnvironmentStringsW, GetAtomNameA, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetHandleInformation, GetLastError, GetProcAddress, GetProcessAffinityMask, GetQueuedCompletionStatusEx, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetTickCount, InitializeCriticalSection, IsDBCSLeadByteEx, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryExW, LoadLibraryW, LocalFree, MultiByteToWideChar, OpenProcess, OutputDebugStringA, PostQueuedCompletionStatus, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, RaiseFailFastException, ReleaseMutex, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessAffinityMask, SetProcessPriorityBoost, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WideCharToMultiByte, WriteConsoleW, WriteFile, __C_specific_handler |
| msvcrt.dll | ___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _beginthread, _beginthreadex, _cexit, _commode, _endthreadex, _errno, _fmode, _initterm, _lock, _memccpy, _onexit, _setjmp, _strdup, _ultoa, _unlock, abort, calloc, exit, fprintf, fputc, free, fwrite, localeconv, longjmp, malloc, memcpy, memmove, memset, printf, realloc, signal, strerror, strlen, strncmp, vfprintf, wcslen |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| Japanese | Japan |  |
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 05/02/24-17:58:17.045554 | TCP | 2052037 | ET TROJAN Observed Lumma Stealer Related Domain (greetclassifytalk .shop in TLS SNI) | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| 05/02/24-17:58:24.101749 | TCP | 2052037 | ET TROJAN Observed Lumma Stealer Related Domain (greetclassifytalk .shop in TLS SNI) | 49742 | 443 | 192.168.2.4 | 104.21.51.78 |
| 05/02/24-17:58:16.141641 | UDP | 2052028 | ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (greetclassifytalk .shop) | 49831 | 53 | 192.168.2.4 | 1.1.1.1 |
| 05/02/24-17:58:22.145210 | TCP | 2052037 | ET TROJAN Observed Lumma Stealer Related Domain (greetclassifytalk .shop in TLS SNI) | 49741 | 443 | 192.168.2.4 | 104.21.51.78 |
| 05/02/24-17:58:16.342531 | TCP | 2052037 | ET TROJAN Observed Lumma Stealer Related Domain (greetclassifytalk .shop in TLS SNI) | 49736 | 443 | 192.168.2.4 | 104.21.51.78 |
| 05/02/24-17:58:21.230919 | TCP | 2052037 | ET TROJAN Observed Lumma Stealer Related Domain (greetclassifytalk .shop in TLS SNI) | 49740 | 443 | 192.168.2.4 | 104.21.51.78 |
| 05/02/24-17:58:25.205454 | TCP | 2052037 | ET TROJAN Observed Lumma Stealer Related Domain (greetclassifytalk .shop in TLS SNI) | 49743 | 443 | 192.168.2.4 | 104.21.51.78 |
| 05/02/24-17:58:20.405974 | TCP | 2052037 | ET TROJAN Observed Lumma Stealer Related Domain (greetclassifytalk .shop in TLS SNI) | 49739 | 443 | 192.168.2.4 | 104.21.51.78 |
| 05/02/24-17:58:19.442158 | TCP | 2052037 | ET TROJAN Observed Lumma Stealer Related Domain (greetclassifytalk .shop in TLS SNI) | 49738 | 443 | 192.168.2.4 | 104.21.51.78 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| May 2, 2024 17:58:16.245809078 CEST | 49736 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:16.245839119 CEST | 443 | 49736 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:16.245908976 CEST | 49736 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:16.342530966 CEST | 49736 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:16.342556000 CEST | 443 | 49736 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:16.530976057 CEST | 443 | 49736 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:16.531059980 CEST | 49736 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:16.534950018 CEST | 49736 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:16.534955025 CEST | 443 | 49736 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:16.535193920 CEST | 443 | 49736 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:16.587460041 CEST | 49736 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:16.587475061 CEST | 49736 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:16.587546110 CEST | 443 | 49736 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:17.036206961 CEST | 443 | 49736 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:17.036288023 CEST | 443 | 49736 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:17.036369085 CEST | 49736 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:17.038696051 CEST | 49736 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:17.038708925 CEST | 443 | 49736 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:17.045084000 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:17.045114040 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:17.045279980 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:17.045553923 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:17.045564890 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:17.232688904 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:17.232747078 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:17.233962059 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:17.233966112 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:17.234162092 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:17.240511894 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:17.240530014 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:17.240569115 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:17.748414040 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:17.748738050 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:17.748779058 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:17.748779058 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:17.748789072 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:17.748836994 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:17.748846054 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:17.748872995 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:17.748914957 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:17.748939037 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:17.748972893 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:17.748981953 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:17.748991966 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:17.749541044 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:17.749567986 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:17.749588013 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:17.749593019 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:17.749636889 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:17.749814034 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:17.749901056 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:17.749983072 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:17.750097990 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:17.750109911 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:17.750118017 CEST | 49737 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:17.750123024 CEST | 443 | 49737 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:19.441515923 CEST | 49738 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:19.441550016 CEST | 443 | 49738 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:19.441612959 CEST | 49738 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:19.442157984 CEST | 49738 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:19.442171097 CEST | 443 | 49738 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:19.624828100 CEST | 443 | 49738 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:19.624974966 CEST | 49738 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:19.651770115 CEST | 49738 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:19.651782990 CEST | 443 | 49738 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:19.652360916 CEST | 443 | 49738 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:19.654077053 CEST | 49738 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:19.654226065 CEST | 49738 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:19.654253960 CEST | 443 | 49738 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:19.654313087 CEST | 49738 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:19.654320002 CEST | 443 | 49738 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:20.159718990 CEST | 443 | 49738 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:20.159801006 CEST | 443 | 49738 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:20.159852982 CEST | 49738 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:20.169570923 CEST | 49738 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:20.169585943 CEST | 443 | 49738 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:20.405605078 CEST | 49739 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:20.405642986 CEST | 443 | 49739 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:20.405709982 CEST | 49739 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:20.405973911 CEST | 49739 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:20.405987978 CEST | 443 | 49739 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:20.590395927 CEST | 443 | 49739 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:20.590461016 CEST | 49739 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:20.591996908 CEST | 49739 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:20.592006922 CEST | 443 | 49739 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:20.592226982 CEST | 443 | 49739 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:20.593588114 CEST | 49739 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:20.593687057 CEST | 49739 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:20.596609116 CEST | 443 | 49739 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:21.077544928 CEST | 443 | 49739 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:21.077627897 CEST | 443 | 49739 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:21.077723026 CEST | 49739 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:21.077774048 CEST | 49739 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:21.077789068 CEST | 443 | 49739 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:21.230338097 CEST | 49740 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:21.230422020 CEST | 443 | 49740 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:21.230509043 CEST | 49740 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:21.230918884 CEST | 49740 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:21.230956078 CEST | 443 | 49740 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:21.411376953 CEST | 443 | 49740 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:21.411489010 CEST | 49740 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:21.412667036 CEST | 49740 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:21.412687063 CEST | 443 | 49740 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:21.412904024 CEST | 443 | 49740 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:21.415448904 CEST | 49740 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:21.415663004 CEST | 49740 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:21.415713072 CEST | 443 | 49740 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:21.415785074 CEST | 49740 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:21.415798903 CEST | 443 | 49740 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:21.943799019 CEST | 443 | 49740 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:21.943907976 CEST | 443 | 49740 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:21.944092989 CEST | 49740 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:21.944159031 CEST | 49740 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:22.144835949 CEST | 49741 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:22.144875050 CEST | 443 | 49741 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:22.144937992 CEST | 49741 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:22.145210028 CEST | 49741 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:22.145225048 CEST | 443 | 49741 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:22.327846050 CEST | 443 | 49741 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:22.327940941 CEST | 49741 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:22.328982115 CEST | 49741 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:22.328989029 CEST | 443 | 49741 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:22.329183102 CEST | 443 | 49741 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:22.330159903 CEST | 49741 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:22.330254078 CEST | 49741 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:22.330280066 CEST | 443 | 49741 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:22.811590910 CEST | 443 | 49741 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:22.811670065 CEST | 443 | 49741 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:22.811750889 CEST | 49741 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:23.903106928 CEST | 49741 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:23.903143883 CEST | 443 | 49741 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:24.100616932 CEST | 49742 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:24.100653887 CEST | 443 | 49742 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:24.100713968 CEST | 49742 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:24.101748943 CEST | 49742 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:24.101771116 CEST | 443 | 49742 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:24.286366940 CEST | 443 | 49742 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:24.286438942 CEST | 49742 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:24.291913986 CEST | 49742 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:24.291920900 CEST | 443 | 49742 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:24.292138100 CEST | 443 | 49742 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:24.293652058 CEST | 49742 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:24.293731928 CEST | 49742 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:24.293737888 CEST | 443 | 49742 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:24.765860081 CEST | 443 | 49742 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:24.765939951 CEST | 443 | 49742 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:24.766000032 CEST | 49742 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:24.772699118 CEST | 49742 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:24.772716999 CEST | 443 | 49742 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:25.204932928 CEST | 49743 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:25.204968929 CEST | 443 | 49743 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:25.205174923 CEST | 49743 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:25.205454111 CEST | 49743 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:25.205470085 CEST | 443 | 49743 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:25.390393019 CEST | 443 | 49743 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:25.390463114 CEST | 49743 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:25.391527891 CEST | 49743 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:25.391536951 CEST | 443 | 49743 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:25.391741991 CEST | 443 | 49743 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:25.393115997 CEST | 49743 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:25.393507004 CEST | 49743 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:25.393538952 CEST | 443 | 49743 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:25.393627882 CEST | 49743 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:25.393661022 CEST | 443 | 49743 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:25.393754005 CEST | 49743 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:25.393776894 CEST | 443 | 49743 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:25.393886089 CEST | 49743 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:25.393909931 CEST | 443 | 49743 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:25.394047022 CEST | 49743 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:25.394072056 CEST | 443 | 49743 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:25.394198895 CEST | 49743 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:25.394224882 CEST | 443 | 49743 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:25.394232988 CEST | 49743 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:25.394356012 CEST | 49743 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:25.394382954 CEST | 49743 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:25.440119982 CEST | 443 | 49743 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:25.440291882 CEST | 49743 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:25.440327883 CEST | 49743 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:25.440341949 CEST | 49743 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:25.488112926 CEST | 443 | 49743 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:25.488279104 CEST | 49743 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:25.488317013 CEST | 49743 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:25.488349915 CEST | 49743 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:25.536123037 CEST | 443 | 49743 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:25.536284924 CEST | 49743 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:25.570002079 CEST | 443 | 49743 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:25.659945011 CEST | 443 | 49743 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:26.748923063 CEST | 443 | 49743 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:26.749022007 CEST | 443 | 49743 | 104.21.51.78 | 192.168.2.4 |
| May 2, 2024 17:58:26.749080896 CEST | 49743 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:26.749315023 CEST | 49743 | 443 | 192.168.2.4 | 104.21.51.78 |
| May 2, 2024 17:58:26.749331951 CEST | 443 | 49743 | 104.21.51.78 | 192.168.2.4 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| May 2, 2024 17:58:16.141640902 CEST | 49831 | 53 | 192.168.2.4 | 1.1.1.1 |
| May 2, 2024 17:58:16.240375042 CEST | 53 | 49831 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| May 2, 2024 17:58:16.141640902 CEST | 192.168.2.4 | 1.1.1.1 | 0x1799 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| May 2, 2024 17:58:16.240375042 CEST | 1.1.1.1 | 192.168.2.4 | 0x1799 | No error (0) | 104.21.51.78 | A (IP address) | IN (0x0001) | false | ||
| May 2, 2024 17:58:16.240375042 CEST | 1.1.1.1 | 192.168.2.4 | 0x1799 | No error (0) | 172.67.177.98 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49736 | 104.21.51.78 | 443 | 7688 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-05-02 15:58:16 UTC | 269 | OUT | |
| 2024-05-02 15:58:16 UTC | 8 | OUT | |
| 2024-05-02 15:58:17 UTC | 814 | IN | |
| 2024-05-02 15:58:17 UTC | 7 | IN | |
| 2024-05-02 15:58:17 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49737 | 104.21.51.78 | 443 | 7688 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-05-02 15:58:17 UTC | 270 | OUT | |
| 2024-05-02 15:58:17 UTC | 61 | OUT | |
| 2024-05-02 15:58:17 UTC | 806 | IN | |
| 2024-05-02 15:58:17 UTC | 563 | IN | |
| 2024-05-02 15:58:17 UTC | 1369 | IN | |
| 2024-05-02 15:58:17 UTC | 1369 | IN | |
| 2024-05-02 15:58:17 UTC | 1369 | IN | |
| 2024-05-02 15:58:17 UTC | 1369 | IN | |
| 2024-05-02 15:58:17 UTC | 1369 | IN | |
| 2024-05-02 15:58:17 UTC | 1369 | IN | |
| 2024-05-02 15:58:17 UTC | 1369 | IN | |
| 2024-05-02 15:58:17 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 49738 | 104.21.51.78 | 443 | 7688 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-05-02 15:58:19 UTC | 288 | OUT | |
| 2024-05-02 15:58:19 UTC | 15331 | OUT | |
| 2024-05-02 15:58:19 UTC | 2839 | OUT | |
| 2024-05-02 15:58:20 UTC | 802 | IN | |
| 2024-05-02 15:58:20 UTC | 23 | IN | |
| 2024-05-02 15:58:20 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.4 | 49739 | 104.21.51.78 | 443 | 7688 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-05-02 15:58:20 UTC | 287 | OUT | |
| 2024-05-02 15:58:20 UTC | 8791 | OUT | |
| 2024-05-02 15:58:21 UTC | 806 | IN | |
| 2024-05-02 15:58:21 UTC | 23 | IN | |
| 2024-05-02 15:58:21 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.4 | 49740 | 104.21.51.78 | 443 | 7688 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-05-02 15:58:21 UTC | 288 | OUT | |
| 2024-05-02 15:58:21 UTC | 15331 | OUT | |
| 2024-05-02 15:58:21 UTC | 5113 | OUT | |
| 2024-05-02 15:58:21 UTC | 808 | IN | |
| 2024-05-02 15:58:21 UTC | 23 | IN | |
| 2024-05-02 15:58:21 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.4 | 49741 | 104.21.51.78 | 443 | 7688 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-05-02 15:58:22 UTC | 287 | OUT | |
| 2024-05-02 15:58:22 UTC | 7091 | OUT | |
| 2024-05-02 15:58:22 UTC | 804 | IN | |
| 2024-05-02 15:58:22 UTC | 23 | IN | |
| 2024-05-02 15:58:22 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.4 | 49742 | 104.21.51.78 | 443 | 7688 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-05-02 15:58:24 UTC | 287 | OUT | |
| 2024-05-02 15:58:24 UTC | 1426 | OUT | |
| 2024-05-02 15:58:24 UTC | 804 | IN | |
| 2024-05-02 15:58:24 UTC | 23 | IN | |
| 2024-05-02 15:58:24 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.4 | 49743 | 104.21.51.78 | 443 | 7688 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-05-02 15:58:25 UTC | 289 | OUT | |
| 2024-05-02 15:58:25 UTC | 15331 | OUT | |
| 2024-05-02 15:58:25 UTC | 15331 | OUT | |
| 2024-05-02 15:58:25 UTC | 15331 | OUT | |
| 2024-05-02 15:58:25 UTC | 15331 | OUT | |
| 2024-05-02 15:58:25 UTC | 15331 | OUT | |
| 2024-05-02 15:58:25 UTC | 15331 | OUT | |
| 2024-05-02 15:58:25 UTC | 15331 | OUT | |
| 2024-05-02 15:58:25 UTC | 15331 | OUT | |
| 2024-05-02 15:58:25 UTC | 15331 | OUT | |
| 2024-05-02 15:58:25 UTC | 15331 | OUT | |
| 2024-05-02 15:58:26 UTC | 802 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 17:57:55 |
| Start date: | 02/05/2024 |
| Path: | C:\Users\user\Desktop\file.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff662f30000 |
| File size: | 7'379'456 bytes |
| MD5 hash: | E04CDCB33735437AE84E00DD308FA527 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Go lang |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 17:58:15 |
| Start date: | 02/05/2024 |
| Path: | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xec0000 |
| File size: | 231'736 bytes |
| MD5 hash: | A64BEAB5D4516BECA4C40B25DC0C1CD8 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 16.4% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 27.2% |
| Total number of Nodes: | 426 |
| Total number of Limit Nodes: | 17 |
Graph
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B44B30 Relevance: 6.7, Strings: 5, Instructions: 474COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B67059 Relevance: 3.7, APIs: 2, Instructions: 742COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B66948 Relevance: 3.7, APIs: 2, Instructions: 676COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B7B550 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B6112E Relevance: 2.9, Strings: 2, Instructions: 369COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B68410 Relevance: 1.9, APIs: 1, Instructions: 387COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B618A0 Relevance: 1.6, Strings: 1, Instructions: 378COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B7EE70 Relevance: 1.5, Strings: 1, Instructions: 257COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B7E8D0 Relevance: 1.4, Strings: 1, Instructions: 168COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B7C461 Relevance: 1.3, Strings: 1, Instructions: 90COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B7C615 Relevance: 1.3, Strings: 1, Instructions: 65COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B64478 Relevance: .3, Instructions: 334COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B42D10 Relevance: .2, Instructions: 227COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B70169 Relevance: .0, Instructions: 20COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B585D0 Relevance: 3.1, APIs: 2, Instructions: 64COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B7B22D Relevance: 1.6, APIs: 1, Instructions: 120COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B7AD26 Relevance: 1.6, APIs: 1, Instructions: 67libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B7AC2D Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B7B424 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B793AB Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B792D0 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B6B978 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B77581 Relevance: 1.5, APIs: 1, Instructions: 31COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B7AA87 Relevance: 1.5, APIs: 1, Instructions: 18libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B70520 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 176clipboardCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B417B0 Relevance: 9.3, Strings: 7, Instructions: 589COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B497F0 Relevance: 9.1, Strings: 7, Instructions: 344COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B5757A Relevance: 7.8, Strings: 6, Instructions: 276COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B56555 Relevance: 7.6, Strings: 6, Instructions: 92COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B53038 Relevance: 5.2, Strings: 4, Instructions: 205COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B7F500 Relevance: 4.1, Strings: 3, Instructions: 309COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B68AC0 Relevance: 3.7, Strings: 2, Instructions: 1242COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B45720 Relevance: 3.3, Strings: 2, Instructions: 834COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B65B50 Relevance: 3.0, Strings: 2, Instructions: 511COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B7C571 Relevance: 2.6, Strings: 2, Instructions: 102COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B79E10 Relevance: 1.9, Strings: 1, Instructions: 642COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B66953 Relevance: 1.6, Strings: 1, Instructions: 309COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B7F190 Relevance: 1.6, Strings: 1, Instructions: 308COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B46A50 Relevance: 1.5, Strings: 1, Instructions: 264COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B62760 Relevance: 1.5, Strings: 1, Instructions: 235COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B79A20 Relevance: 1.4, Strings: 1, Instructions: 176COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B7EAF0 Relevance: 1.4, Strings: 1, Instructions: 165COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B626BD Relevance: 1.4, Strings: 1, Instructions: 160COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B51E13 Relevance: 1.4, Strings: 1, Instructions: 100COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B68A13 Relevance: 1.3, Strings: 1, Instructions: 94COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B5DDC7 Relevance: 1.3, Strings: 1, Instructions: 89COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B64982 Relevance: 1.3, Strings: 1, Instructions: 83COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B5DF3A Relevance: 1.3, Strings: 1, Instructions: 79COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B480A0 Relevance: .8, Instructions: 824COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B44160 Relevance: .6, Instructions: 609COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B5D35E Relevance: .6, Instructions: 577COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B46480 Relevance: .5, Instructions: 512COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B57ABA Relevance: .3, Instructions: 337COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B6213D Relevance: .3, Instructions: 332COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B51419 Relevance: .2, Instructions: 231COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B557D5 Relevance: .2, Instructions: 231COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B5DB00 Relevance: .2, Instructions: 216COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B77090 Relevance: .2, Instructions: 179COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B55470 Relevance: .1, Instructions: 146COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B54D32 Relevance: .1, Instructions: 136COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B50390 Relevance: .1, Instructions: 129COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B56D57 Relevance: .1, Instructions: 119COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B43360 Relevance: .1, Instructions: 101COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B42650 Relevance: .1, Instructions: 95COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B4FE47 Relevance: .1, Instructions: 70COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B750A0 Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B658B0 Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B7A930 Relevance: .1, Instructions: 61COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B7DFE0 Relevance: .0, Instructions: 50COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B7D265 Relevance: .0, Instructions: 31COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B56F3B Relevance: .0, Instructions: 27COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B4D650 Relevance: .0, Instructions: 21COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B7D48A Relevance: .0, Instructions: 14COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B7E09F Relevance: .0, Instructions: 13COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B7C436 Relevance: .0, Instructions: 11COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B7DE9C Relevance: .0, Instructions: 11COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B7D4E8 Relevance: .0, Instructions: 10COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00B7DEB1 Relevance: .0, Instructions: 9COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |