Edit tour
Windows
Analysis Report
file.exe
Overview
General Information
| Sample name: | file.exe |
| Analysis ID: | 1435737 |
| MD5: | 16f894f264d824eb23ebeb77bd860de2 |
| SHA1: | 31b1dc2a8e6953adfabe45d481588fbabbfd040c |
| SHA256: | eadc77f7e8f3fe9dedec2de227dfa7bc5a44a8888b0df72cc113f2f49ec6674b |
| Tags: | exe |
| Infos: |  |
 | |
Detection
LummaC
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Yara detected LummaC Stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
file.exe (PID: 6944 cmdline: "C:\Users\ user\Deskt op\file.ex e" MD5: 16F894F264D824EB23EBEB77BD860DE2) 
BitLockerToGo.exe (PID: 1612 cmdline: C:\Windows \BitLocker DiscoveryV olumeConte nts\BitLoc kerToGo.ex e MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
{"C2 url": ["boredimperissvieos.shop", "holicisticscrarws.shop", "sweetsquarediaslw.shop", "plaintediousidowsko.shop", "miniaturefinerninewjs.shop", "zippyfinickysofwps.shop", "obsceneclassyjuwks.shop", "acceptabledcooeprs.shop", "stiffraspyofkwsl.shop"], "Build id": "Q3kDS2--"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Code function: | 2_2_00356682 | |
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Code function: | 2_2_00364478 | |
| Source: | Code function: | 2_2_00364478 | |
| Source: | Code function: | 2_2_0037C461 | |
| Source: | Code function: | 2_2_0037C615 | |
| Source: | Code function: | 2_2_0037E8D0 | |
| Source: | Code function: | 2_2_00366948 | |
| Source: | Code function: | 2_2_003679F5 | |
| Source: | Code function: | 2_2_00353038 | |
| Source: | Code function: | 2_2_00367059 | |
| Source: | Code function: | 2_2_003750A0 | |
| Source: | Code function: | 2_2_0037E09F | |
| Source: | Code function: | 2_2_0036213D | |
| Source: | Code function: | 2_2_0036213D | |
| Source: | Code function: | 2_2_0037D265 | |
| Source: | Code function: | 2_2_0035D35E | |
| Source: | Code function: | 2_2_0035D35E | |
| Source: | Code function: | 2_2_0037C436 | |
| Source: | Code function: | 2_2_00368410 | |
| Source: | Code function: | 2_2_00351419 | |
| Source: | Code function: | 2_2_00355470 | |
| Source: | Code function: | 2_2_0037D48A | |
| Source: | Code function: | 2_2_0037D4E8 | |
| Source: | Code function: | 2_2_0037C571 | |
| Source: | Code function: | 2_2_0037C571 | |
| Source: | Code function: | 2_2_00356555 | |
| Source: | Code function: | 2_2_0034D650 | |
| Source: | Code function: | 2_2_00342650 | |
| Source: | Code function: | 2_2_003626BD | |
| Source: | Code function: | 2_2_00362760 | |
| Source: | Code function: | 2_2_003497F0 | |
| Source: | Code function: | 2_2_003658B0 | |
| Source: | Code function: | 2_2_0037A930 | |
| Source: | Code function: | 2_2_00366953 | |
| Source: | Code function: | 2_2_00364982 | |
| Source: | Code function: | 2_2_00379A20 | |
| Source: | Code function: | 2_2_00368A13 | |
| Source: | Code function: | 2_2_00357ABA | |
| Source: | Code function: | 2_2_0037EAF0 | |
| Source: | Code function: | 2_2_0035DB00 | |
| Source: | Code function: | 2_2_0035DB00 | |
| Source: | Code function: | 2_2_00354D32 | |
| Source: | Code function: | 2_2_0035DDC7 | |
| Source: | Code function: | 2_2_00351E13 | |
| Source: | Code function: | 2_2_0034FE47 | |
| Source: | Code function: | 2_2_0037DEB1 | |
| Source: | Code function: | 2_2_0037DE9C | |
| Source: | Code function: | 2_2_0035DF3A | |
| Source: | Code function: | 2_2_0037DFE0 | |
Networking | |
|---|
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 2_2_00370520 | |
| Source: | Code function: | 2_2_00370520 | |
| Source: | Code function: | 2_2_00371CAA | |
| Source: | Code function: | 2_2_0036112E | |
| Source: | Code function: | 2_2_00362840 | |
| Source: | Code function: | 2_2_003618A0 | |
| Source: | Code function: | 2_2_00344B30 | |
| Source: | Code function: | 2_2_00342D10 | |
| Source: | Code function: | 2_2_0037EE70 | |
| Source: | Code function: | 2_2_003480A0 | |
| Source: | Code function: | 2_2_00377090 | |
| Source: | Code function: | 2_2_0036213D | |
| Source: | Code function: | 2_2_00344160 | |
| Source: | Code function: | 2_2_0037F190 | |
| Source: | Code function: | 2_2_00343360 | |
| Source: | Code function: | 2_2_0035D35E | |
| Source: | Code function: | 2_2_00350390 | |
| Source: | Code function: | 2_2_00346480 | |
| Source: | Code function: | 2_2_0037F500 | |
| Source: | Code function: | 2_2_00345720 | |
| Source: | Code function: | 2_2_0038170F | |
| Source: | Code function: | 2_2_003417B0 | |
| Source: | Code function: | 2_2_0036C85E | |
| Source: | Code function: | 2_2_00346A50 | |
| Source: | Code function: | 2_2_00368AC0 | |
| Source: | Code function: | 2_2_00365B50 | |
| Source: | Code function: | 2_2_00379E10 | |
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 2_2_00370169 | |
| Source: | File created: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 2_2_003737E7 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | System information queried: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 2_2_0037B550 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 311 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 111 Security Software Discovery | Remote Services | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Virtualization/Sandbox Evasion | LSASS Memory | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 311 Process Injection | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | 31 Data from Local System | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Deobfuscate/Decode Files or Information | NTDS | 11 File and Directory Discovery | Distributed Component Object Model | 2 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | 12 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| stiffraspyofkwsl.shop | 172.67.189.159 | true | true | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| false |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 172.67.189.159 | stiffraspyofkwsl.shop | United States | 13335 | CLOUDFLARENETUS | true |
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1435737 |
| Start date and time: | 2024-05-03 02:56:09 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 4m 6s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 5 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | file.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@3/0@1/1 |
| EGA Information: |
|
| HCA Information: | Failed |
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target file.exe, PID 6944 because there are no executed function
- HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenFile calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: file.exe
| Time | Type | Description |
|---|---|---|
| 02:57:21 | API Interceptor |
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| stiffraspyofkwsl.shop | Get hash | malicious | LummaC | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | HTMLPhisher | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | RisePro Stealer | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | TechSupportScam | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | WSHRAT | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | RisePro Stealer | Browse |
| |
| Get hash | malicious | WSHRAT | Browse |
| ||
| Get hash | malicious | WSHRAT | Browse |
| ||
| Get hash | malicious | WSHRAT | Browse |
| ||
| Get hash | malicious | WSHRAT | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | RisePro Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 6.430023377352553 |
| TrID: |
|
| File name: | file.exe |
| File size: | 6'055'936 bytes |
| MD5: | 16f894f264d824eb23ebeb77bd860de2 |
| SHA1: | 31b1dc2a8e6953adfabe45d481588fbabbfd040c |
| SHA256: | eadc77f7e8f3fe9dedec2de227dfa7bc5a44a8888b0df72cc113f2f49ec6674b |
| SHA512: | 8cad269d39d0ab80f374f7df8b09fd3494a16395fa815827f3e59604fa0ae7050feb38d85b49eaf2b43d33cb124fd978d0e8c69907eefe75df5a6c246ae90137 |
| SSDEEP: | 49152:jkh7b4TI46e3DOEZI07Xbhsgqn6kJBksELA3xjN5EAoKRA4PLkX6dRxrBctWqHyo:YtsjW0Xqn6q1tE0atve |
| TLSH: | A3565A03ED9545E4C0EAD53189669263BB31BC484B312BD72AA0F7793F72BD06E7A704 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$..&..d\..<.............@............................. c.......\...`... ............................ |
 | |
| Icon Hash: | 32e68e99bbbebeae |
| Entrypoint: | 0x1400014c0 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x140000000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x0 [Thu Jan 1 00:00:00 1970 UTC] |
| TLS Callbacks: | 0x40265150, 0x1, 0x40265120, 0x1, 0x40268bb0, 0x1 |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 1 |
| File Version Major: | 6 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 1 |
| Import Hash: | 5929190c8765f5bc37b052ab5c6c53e7 |
| Instruction |
|---|
| dec eax |
| sub esp, 28h |
| dec eax |
| mov eax, dword ptr [00594F55h] |
| mov dword ptr [eax], 00000001h |
| call 00007F489116107Fh |
| nop |
| nop |
| dec eax |
| add esp, 28h |
| ret |
| nop dword ptr [eax] |
| dec eax |
| sub esp, 28h |
| dec eax |
| mov eax, dword ptr [00594F35h] |
| mov dword ptr [eax], 00000000h |
| call 00007F489116105Fh |
| nop |
| nop |
| dec eax |
| add esp, 28h |
| ret |
| nop dword ptr [eax] |
| dec eax |
| sub esp, 28h |
| call 00007F48913CFDDCh |
| dec eax |
| test eax, eax |
| sete al |
| movzx eax, al |
| neg eax |
| dec eax |
| add esp, 28h |
| ret |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| dec eax |
| lea ecx, dword ptr [00000009h] |
| jmp 00007F4891161399h |
| nop dword ptr [eax+00h] |
| ret |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| jmp dword ptr [eax] |
| inc edi |
| outsd |
| and byte ptr [edx+75h], ah |
| imul ebp, dword ptr [esp+20h], 203A4449h |
| and dh, byte ptr [edi] |
| outsd |
| jnbe 00007F489116140Fh |
| inc edi |
| pop edx |
| xor al, 76h |
| dec edi |
| cmp byte ptr [ebx+75h], ch |
| je 00007F489116143Bh |
| push 7A54374Bh |
| insd |
| das |
| dec ebx |
| jns 00007F4891161429h |
| sub eax, 67765368h |
| dec ebx |
| xor eax, 73387969h |
| insb |
| insd |
| inc ebp |
| xor dword ptr [eax+6Ah], edx |
| das |
| dec esp |
| je 00007F489116142Eh |
| push 00000047h |
| imul ebp, dword ptr [4F573457h], 00383052h |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x60b000 | 0x4e | .edata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x60c000 | 0x13d0 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x610000 | 0x1434f | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x597000 | 0xe1cc | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x625000 | 0xc188 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x595d80 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x60c47c | 0x440 | .idata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x26f6e0 | 0x26f800 | 9d483a3d8a05ab1dd77be319f76f8ae2 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0x271000 | 0x48e30 | 0x49000 | 99f1381d6558ee7910f1812c7986ff59 | False | 0.3777825342465753 | dBase III DBT, version number 0, next free block index 10, 1st item "o-querystring\011v1.1.0\011h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=" | 4.911390470539749 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rdata | 0x2ba000 | 0x2dcbb0 | 0x2dcc00 | d7434292d36b8b47767f6045a8721563 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
| .pdata | 0x597000 | 0xe1cc | 0xe200 | eddbea6cc8768319ac6946e8b14f8942 | False | 0.41425262721238937 | data | 5.603561326537566 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
| .xdata | 0x5a6000 | 0xc44 | 0xe00 | 12dbe62a27b9006ef1d649c4473d821f | False | 0.25613839285714285 | data | 3.9790580043138077 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
| .bss | 0x5a7000 | 0x63b20 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .edata | 0x60b000 | 0x4e | 0x200 | c612123bb59556abe8bb2708287e5706 | False | 0.08984375 | data | 0.6513844786319263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
| .idata | 0x60c000 | 0x13d0 | 0x1400 | bdd7aa1316f7d6ac29f330a4fcaf9931 | False | 0.3173828125 | data | 4.535504719980456 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .CRT | 0x60e000 | 0x70 | 0x200 | 2705b663f0db0014e19996f2038cf424 | False | 0.080078125 | data | 0.4511542940585521 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .tls | 0x60f000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x610000 | 0x1434f | 0x14400 | fa2b5872382872fc62f404f652d5f582 | False | 0.5421248070987654 | data | 6.474478402713644 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .reloc | 0x625000 | 0xc188 | 0xc200 | 7329bf74903c38f7f2be2747fedb4d98 | False | 0.2627456507731959 | data | 5.425785927136699 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x610370 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | 0.29838709677419356 | ||
| RT_ICON | 0x610658 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | 0.40878378378378377 | ||
| RT_ICON | 0x610780 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2688 | 0.4994669509594883 | ||
| RT_ICON | 0x611628 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | 0.5812274368231047 | ||
| RT_ICON | 0x611ed0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | 0.6315028901734104 | ||
| RT_ICON | 0x612438 | 0x700f | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | 0.9876250566458674 | ||
| RT_ICON | 0x619448 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | 0.2350614076523382 | ||
| RT_ICON | 0x61d670 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | 0.2735477178423237 | ||
| RT_ICON | 0x61fc18 | 0x1a68 | Device independent bitmap graphic, 40 x 80 x 32, image size 6720 | 0.2964497041420118 | ||
| RT_ICON | 0x621680 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | 0.349671669793621 | ||
| RT_ICON | 0x622728 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | 0.3975409836065574 | ||
| RT_ICON | 0x6230b0 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 1680 | 0.45232558139534884 | ||
| RT_ICON | 0x623768 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | 0.5026595744680851 | ||
| RT_GROUP_ICON | 0x623bd0 | 0xbc | data | 0.6542553191489362 | ||
| RT_VERSION | 0x623c8c | 0x418 | data | English | United States | 0.4217557251908397 |
| RT_MANIFEST | 0x6240a4 | 0x2ab | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5534407027818448 |
| DLL | Import |
|---|---|
| KERNEL32.dll | AddAtomA, AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateFileA, CreateIoCompletionPort, CreateMutexA, CreateSemaphoreA, CreateThread, CreateWaitableTimerExW, DeleteAtom, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FindAtomA, FormatMessageA, FreeEnvironmentStringsW, GetAtomNameA, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetHandleInformation, GetLastError, GetProcAddress, GetProcessAffinityMask, GetQueuedCompletionStatusEx, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetTickCount, InitializeCriticalSection, IsDBCSLeadByteEx, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryExW, LoadLibraryW, LocalFree, MultiByteToWideChar, OpenProcess, OutputDebugStringA, PostQueuedCompletionStatus, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, RaiseFailFastException, ReleaseMutex, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessAffinityMask, SetProcessPriorityBoost, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WideCharToMultiByte, WriteConsoleW, WriteFile, __C_specific_handler |
| msvcrt.dll | ___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _beginthread, _beginthreadex, _cexit, _commode, _endthreadex, _errno, _fmode, _initterm, _lock, _memccpy, _onexit, _setjmp, _strdup, _ultoa, _unlock, abort, calloc, exit, fprintf, fputc, free, fwrite, localeconv, longjmp, malloc, memcpy, memmove, memset, printf, realloc, signal, strerror, strlen, strncmp, vfprintf, wcslen |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| May 3, 2024 02:57:21.877274990 CEST | 49735 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:21.877312899 CEST | 443 | 49735 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:21.877391100 CEST | 49735 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:21.880985975 CEST | 49735 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:21.881009102 CEST | 443 | 49735 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:22.071230888 CEST | 443 | 49735 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:22.071346045 CEST | 49735 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:22.075339079 CEST | 49735 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:22.075345993 CEST | 443 | 49735 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:22.075599909 CEST | 443 | 49735 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:22.126271963 CEST | 49735 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:22.127433062 CEST | 49735 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:22.127455950 CEST | 49735 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:22.127533913 CEST | 443 | 49735 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:22.569403887 CEST | 443 | 49735 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:22.569495916 CEST | 443 | 49735 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:22.569545031 CEST | 49735 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:22.571852922 CEST | 49735 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:22.571866035 CEST | 443 | 49735 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:22.607728958 CEST | 49736 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:22.607769966 CEST | 443 | 49736 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:22.608032942 CEST | 49736 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:22.608967066 CEST | 49736 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:22.608979940 CEST | 443 | 49736 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:22.795805931 CEST | 443 | 49736 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:22.796047926 CEST | 49736 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:22.797204971 CEST | 49736 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:22.797210932 CEST | 443 | 49736 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:22.797449112 CEST | 443 | 49736 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:22.799030066 CEST | 49736 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:22.799030066 CEST | 49736 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:22.799091101 CEST | 443 | 49736 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:23.315213919 CEST | 443 | 49736 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:23.315265894 CEST | 443 | 49736 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:23.315299034 CEST | 443 | 49736 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:23.315368891 CEST | 49736 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:23.315381050 CEST | 443 | 49736 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:23.315473080 CEST | 443 | 49736 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:23.315516949 CEST | 443 | 49736 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:23.315604925 CEST | 443 | 49736 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:23.315655947 CEST | 443 | 49736 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:23.315668106 CEST | 49736 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:23.315668106 CEST | 49736 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:23.315675020 CEST | 443 | 49736 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:23.315797091 CEST | 443 | 49736 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:23.315843105 CEST | 443 | 49736 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:23.315867901 CEST | 443 | 49736 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:23.315886974 CEST | 49736 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:23.315891981 CEST | 443 | 49736 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:23.315901995 CEST | 49736 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:23.315916061 CEST | 49736 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:23.316235065 CEST | 443 | 49736 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:23.316298008 CEST | 49736 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:23.316385984 CEST | 49736 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:23.316399097 CEST | 443 | 49736 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:23.316411972 CEST | 49736 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:23.316417933 CEST | 443 | 49736 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:23.428631067 CEST | 49737 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:23.428672075 CEST | 443 | 49737 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:23.428771973 CEST | 49737 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:23.429095984 CEST | 49737 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:23.429115057 CEST | 443 | 49737 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:23.613949060 CEST | 443 | 49737 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:23.614047050 CEST | 49737 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:23.622345924 CEST | 49737 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:23.622364044 CEST | 443 | 49737 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:23.622620106 CEST | 443 | 49737 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:23.624630928 CEST | 49737 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:23.624823093 CEST | 49737 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:23.626286030 CEST | 443 | 49737 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:23.626370907 CEST | 49737 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:23.626379013 CEST | 443 | 49737 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:24.123948097 CEST | 443 | 49737 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:24.124038935 CEST | 443 | 49737 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:24.124135017 CEST | 49737 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:25.279721975 CEST | 49737 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:25.279762030 CEST | 443 | 49737 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:25.484136105 CEST | 49738 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:25.484180927 CEST | 443 | 49738 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:25.484256983 CEST | 49738 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:25.484755039 CEST | 49738 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:25.484766960 CEST | 443 | 49738 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:25.671061039 CEST | 443 | 49738 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:25.671154976 CEST | 49738 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:25.672346115 CEST | 49738 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:25.672353983 CEST | 443 | 49738 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:25.672589064 CEST | 443 | 49738 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:25.673898935 CEST | 49738 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:25.674031019 CEST | 49738 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:25.674055099 CEST | 443 | 49738 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:26.164278030 CEST | 443 | 49738 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:26.164407015 CEST | 443 | 49738 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:26.164463043 CEST | 49738 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:26.177896976 CEST | 49738 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:26.177920103 CEST | 443 | 49738 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:26.440707922 CEST | 49739 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:26.440757036 CEST | 443 | 49739 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:26.440869093 CEST | 49739 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:26.441169977 CEST | 49739 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:26.441183090 CEST | 443 | 49739 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:26.627887011 CEST | 443 | 49739 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:26.627952099 CEST | 49739 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:26.629935980 CEST | 49739 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:26.629945040 CEST | 443 | 49739 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:26.630201101 CEST | 443 | 49739 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:26.631414890 CEST | 49739 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:26.631571054 CEST | 49739 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:26.631599903 CEST | 443 | 49739 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:26.631659985 CEST | 49739 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:26.631669044 CEST | 443 | 49739 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:27.129126072 CEST | 443 | 49739 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:27.129244089 CEST | 443 | 49739 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:27.129436970 CEST | 49739 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:27.129465103 CEST | 49739 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:27.376120090 CEST | 49740 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:27.376148939 CEST | 443 | 49740 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:27.376238108 CEST | 49740 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:27.377732038 CEST | 49740 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:27.377743959 CEST | 443 | 49740 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:27.564522982 CEST | 443 | 49740 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:27.564600945 CEST | 49740 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:27.566827059 CEST | 49740 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:27.566832066 CEST | 443 | 49740 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:27.567063093 CEST | 443 | 49740 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:27.568464041 CEST | 49740 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:27.568464041 CEST | 49740 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:27.568500996 CEST | 443 | 49740 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:28.041436911 CEST | 443 | 49740 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:28.041551113 CEST | 443 | 49740 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:28.041599035 CEST | 49740 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:28.041695118 CEST | 49740 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:28.041708946 CEST | 443 | 49740 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:28.111799955 CEST | 49741 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:28.111829042 CEST | 443 | 49741 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:28.111891985 CEST | 49741 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:28.112188101 CEST | 49741 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:28.112200022 CEST | 443 | 49741 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:28.301604986 CEST | 443 | 49741 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:28.301713943 CEST | 49741 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:28.303026915 CEST | 49741 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:28.303033113 CEST | 443 | 49741 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:28.303272009 CEST | 443 | 49741 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:28.304481030 CEST | 49741 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:28.304563999 CEST | 49741 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:28.304568052 CEST | 443 | 49741 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:28.783581972 CEST | 443 | 49741 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:28.783710003 CEST | 443 | 49741 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:28.783763885 CEST | 49741 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:29.920746088 CEST | 49741 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:29.920775890 CEST | 443 | 49741 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:32.481740952 CEST | 49742 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:32.481785059 CEST | 443 | 49742 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:32.481848955 CEST | 49742 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:32.482162952 CEST | 49742 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:32.482182026 CEST | 443 | 49742 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:32.668756008 CEST | 443 | 49742 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:32.668982983 CEST | 49742 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:32.701287985 CEST | 49742 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:32.701311111 CEST | 443 | 49742 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:32.701571941 CEST | 443 | 49742 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:32.702634096 CEST | 49742 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:32.703377962 CEST | 49742 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:32.703413963 CEST | 443 | 49742 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:32.703520060 CEST | 49742 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:32.703557968 CEST | 443 | 49742 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:32.703660011 CEST | 49742 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:32.703685045 CEST | 443 | 49742 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:32.703807116 CEST | 49742 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:32.703841925 CEST | 443 | 49742 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:32.703984022 CEST | 49742 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:32.704014063 CEST | 443 | 49742 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:32.704149008 CEST | 49742 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:32.704184055 CEST | 49742 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:32.752113104 CEST | 443 | 49742 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:32.752285004 CEST | 49742 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:32.752324104 CEST | 49742 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:32.800122976 CEST | 443 | 49742 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:32.800420046 CEST | 49742 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:32.800466061 CEST | 49742 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:32.800482035 CEST | 49742 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:32.848112106 CEST | 443 | 49742 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:32.848289013 CEST | 49742 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:32.848321915 CEST | 49742 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:32.879447937 CEST | 443 | 49742 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:32.879530907 CEST | 443 | 49742 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:32.879539967 CEST | 49742 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:32.879594088 CEST | 443 | 49742 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:32.879610062 CEST | 49742 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:32.879642010 CEST | 443 | 49742 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:32.969490051 CEST | 443 | 49742 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:32.970232010 CEST | 443 | 49742 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:34.331124067 CEST | 443 | 49742 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:34.331254005 CEST | 443 | 49742 | 172.67.189.159 | 192.168.2.4 |
| May 3, 2024 02:57:34.331304073 CEST | 49742 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:34.331455946 CEST | 49742 | 443 | 192.168.2.4 | 172.67.189.159 |
| May 3, 2024 02:57:34.331485987 CEST | 443 | 49742 | 172.67.189.159 | 192.168.2.4 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| May 3, 2024 02:57:21.774972916 CEST | 54672 | 53 | 192.168.2.4 | 1.1.1.1 |
| May 3, 2024 02:57:21.870480061 CEST | 53 | 54672 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| May 3, 2024 02:57:21.774972916 CEST | 192.168.2.4 | 1.1.1.1 | 0xeb6 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| May 3, 2024 02:57:21.870480061 CEST | 1.1.1.1 | 192.168.2.4 | 0xeb6 | No error (0) | 172.67.189.159 | A (IP address) | IN (0x0001) | false | ||
| May 3, 2024 02:57:21.870480061 CEST | 1.1.1.1 | 192.168.2.4 | 0xeb6 | No error (0) | 104.21.81.139 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49735 | 172.67.189.159 | 443 | 1612 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-05-03 00:57:22 UTC | 268 | OUT | |
| 2024-05-03 00:57:22 UTC | 8 | OUT | |
| 2024-05-03 00:57:22 UTC | 804 | IN | |
| 2024-05-03 00:57:22 UTC | 7 | IN | |
| 2024-05-03 00:57:22 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49736 | 172.67.189.159 | 443 | 1612 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-05-03 00:57:22 UTC | 269 | OUT | |
| 2024-05-03 00:57:22 UTC | 49 | OUT | |
| 2024-05-03 00:57:23 UTC | 804 | IN | |
| 2024-05-03 00:57:23 UTC | 565 | IN | |
| 2024-05-03 00:57:23 UTC | 1369 | IN | |
| 2024-05-03 00:57:23 UTC | 1369 | IN | |
| 2024-05-03 00:57:23 UTC | 1369 | IN | |
| 2024-05-03 00:57:23 UTC | 1369 | IN | |
| 2024-05-03 00:57:23 UTC | 1369 | IN | |
| 2024-05-03 00:57:23 UTC | 1369 | IN | |
| 2024-05-03 00:57:23 UTC | 1369 | IN | |
| 2024-05-03 00:57:23 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 49737 | 172.67.189.159 | 443 | 1612 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-05-03 00:57:23 UTC | 287 | OUT | |
| 2024-05-03 00:57:23 UTC | 15331 | OUT | |
| 2024-05-03 00:57:23 UTC | 2827 | OUT | |
| 2024-05-03 00:57:24 UTC | 808 | IN | |
| 2024-05-03 00:57:24 UTC | 23 | IN | |
| 2024-05-03 00:57:24 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.4 | 49738 | 172.67.189.159 | 443 | 1612 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-05-03 00:57:25 UTC | 286 | OUT | |
| 2024-05-03 00:57:25 UTC | 8779 | OUT | |
| 2024-05-03 00:57:26 UTC | 810 | IN | |
| 2024-05-03 00:57:26 UTC | 23 | IN | |
| 2024-05-03 00:57:26 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.4 | 49739 | 172.67.189.159 | 443 | 1612 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-05-03 00:57:26 UTC | 287 | OUT | |
| 2024-05-03 00:57:26 UTC | 15331 | OUT | |
| 2024-05-03 00:57:26 UTC | 5101 | OUT | |
| 2024-05-03 00:57:27 UTC | 804 | IN | |
| 2024-05-03 00:57:27 UTC | 23 | IN | |
| 2024-05-03 00:57:27 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.4 | 49740 | 172.67.189.159 | 443 | 1612 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-05-03 00:57:27 UTC | 286 | OUT | |
| 2024-05-03 00:57:27 UTC | 5435 | OUT | |
| 2024-05-03 00:57:28 UTC | 812 | IN | |
| 2024-05-03 00:57:28 UTC | 23 | IN | |
| 2024-05-03 00:57:28 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.4 | 49741 | 172.67.189.159 | 443 | 1612 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-05-03 00:57:28 UTC | 286 | OUT | |
| 2024-05-03 00:57:28 UTC | 1398 | OUT | |
| 2024-05-03 00:57:28 UTC | 804 | IN | |
| 2024-05-03 00:57:28 UTC | 23 | IN | |
| 2024-05-03 00:57:28 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.4 | 49742 | 172.67.189.159 | 443 | 1612 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-05-03 00:57:32 UTC | 288 | OUT | |
| 2024-05-03 00:57:32 UTC | 15331 | OUT | |
| 2024-05-03 00:57:32 UTC | 15331 | OUT | |
| 2024-05-03 00:57:32 UTC | 15331 | OUT | |
| 2024-05-03 00:57:32 UTC | 15331 | OUT | |
| 2024-05-03 00:57:32 UTC | 15331 | OUT | |
| 2024-05-03 00:57:32 UTC | 15331 | OUT | |
| 2024-05-03 00:57:32 UTC | 15331 | OUT | |
| 2024-05-03 00:57:32 UTC | 15331 | OUT | |
| 2024-05-03 00:57:32 UTC | 15331 | OUT | |
| 2024-05-03 00:57:32 UTC | 15331 | OUT | |
| 2024-05-03 00:57:34 UTC | 814 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 02:56:57 |
| Start date: | 03/05/2024 |
| Path: | C:\Users\user\Desktop\file.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff615040000 |
| File size: | 6'055'936 bytes |
| MD5 hash: | 16F894F264D824EB23EBEB77BD860DE2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Go lang |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 02:57:20 |
| Start date: | 03/05/2024 |
| Path: | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xb00000 |
| File size: | 231'736 bytes |
| MD5 hash: | A64BEAB5D4516BECA4C40B25DC0C1CD8 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 15.7% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 29.5% |
| Total number of Nodes: | 393 |
| Total number of Limit Nodes: | 16 |
Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00344B30 Relevance: 6.7, Strings: 5, Instructions: 474COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00367059 Relevance: 3.7, APIs: 2, Instructions: 742COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00366948 Relevance: 3.7, APIs: 2, Instructions: 676COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0037B550 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0036112E Relevance: 2.9, Strings: 2, Instructions: 369COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00368410 Relevance: 1.9, APIs: 1, Instructions: 387COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003618A0 Relevance: 1.6, Strings: 1, Instructions: 378COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0037EE70 Relevance: 1.5, Strings: 1, Instructions: 257COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0037E8D0 Relevance: 1.4, Strings: 1, Instructions: 168COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0037C461 Relevance: 1.3, Strings: 1, Instructions: 90COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0037C615 Relevance: 1.3, Strings: 1, Instructions: 65COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00364478 Relevance: .3, Instructions: 334COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00342D10 Relevance: .2, Instructions: 227COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00370169 Relevance: .0, Instructions: 20COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0037AD26 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0037AA87 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003585D0 Relevance: 3.1, APIs: 2, Instructions: 64COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0037B22D Relevance: 1.6, APIs: 1, Instructions: 120COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0037AC2D Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0037B424 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003793AB Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003792D0 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0036B978 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00377581 Relevance: 1.5, APIs: 1, Instructions: 31COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00370520 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 176clipboardCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003417B0 Relevance: 9.3, Strings: 7, Instructions: 589COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003497F0 Relevance: 9.1, Strings: 7, Instructions: 344COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00356555 Relevance: 7.6, Strings: 6, Instructions: 92COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00353038 Relevance: 5.2, Strings: 4, Instructions: 205COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0037F500 Relevance: 4.1, Strings: 3, Instructions: 309COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00368AC0 Relevance: 3.7, Strings: 2, Instructions: 1242COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00345720 Relevance: 3.3, Strings: 2, Instructions: 834COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00365B50 Relevance: 3.0, Strings: 2, Instructions: 511COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0037C571 Relevance: 2.6, Strings: 2, Instructions: 102COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00379E10 Relevance: 1.9, Strings: 1, Instructions: 642COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0036213D Relevance: 1.6, Strings: 1, Instructions: 332COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00366953 Relevance: 1.6, Strings: 1, Instructions: 309COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0037F190 Relevance: 1.6, Strings: 1, Instructions: 308COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00346A50 Relevance: 1.5, Strings: 1, Instructions: 264COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00362760 Relevance: 1.5, Strings: 1, Instructions: 235COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00379A20 Relevance: 1.4, Strings: 1, Instructions: 176COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0037EAF0 Relevance: 1.4, Strings: 1, Instructions: 165COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003626BD Relevance: 1.4, Strings: 1, Instructions: 160COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00351E13 Relevance: 1.4, Strings: 1, Instructions: 100COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00368A13 Relevance: 1.3, Strings: 1, Instructions: 94COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0035DDC7 Relevance: 1.3, Strings: 1, Instructions: 89COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00364982 Relevance: 1.3, Strings: 1, Instructions: 83COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0035DF3A Relevance: 1.3, Strings: 1, Instructions: 79COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0037D4E8 Relevance: 1.3, Strings: 1, Instructions: 10COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003480A0 Relevance: .8, Instructions: 824COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00344160 Relevance: .6, Instructions: 609COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0035D35E Relevance: .6, Instructions: 577COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00346480 Relevance: .5, Instructions: 512COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00357ABA Relevance: .3, Instructions: 337COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00351419 Relevance: .2, Instructions: 231COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0035DB00 Relevance: .2, Instructions: 216COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00377090 Relevance: .2, Instructions: 179COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00355470 Relevance: .1, Instructions: 146COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00354D32 Relevance: .1, Instructions: 136COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00350390 Relevance: .1, Instructions: 129COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0038170F Relevance: .1, Instructions: 127COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00343360 Relevance: .1, Instructions: 101COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00342650 Relevance: .1, Instructions: 95COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0034FE47 Relevance: .1, Instructions: 70COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003750A0 Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 003658B0 Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0037A930 Relevance: .1, Instructions: 61COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0037DFE0 Relevance: .0, Instructions: 50COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0037D265 Relevance: .0, Instructions: 31COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0034D650 Relevance: .0, Instructions: 21COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0037D48A Relevance: .0, Instructions: 14COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0037E09F Relevance: .0, Instructions: 13COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0037C436 Relevance: .0, Instructions: 11COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0037DE9C Relevance: .0, Instructions: 11COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0037DEB1 Relevance: .0, Instructions: 9COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |