Edit tour
Windows
Analysis Report
file.exe
Overview
General Information
| Sample name: | file.exe |
| Analysis ID: | 1435867 |
| MD5: | 7498af5d4fe090e8e2b4d13d867ab5e0 |
| SHA1: | d3e086f49ef2db4a75ff1f6dc93b0045bba07866 |
| SHA256: | 725c4af20cd8140f12cb87e2b0e3c8a5654257cbccc70f378c765b1fa3322dc6 |
| Tags: | exe |
| Infos: |  |
 | |
Detection
LummaC
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
file.exe (PID: 6288 cmdline: "C:\Users\ user\Deskt op\file.ex e" MD5: 7498AF5D4FE090E8E2B4D13D867AB5E0) 
BitLockerToGo.exe (PID: 6644 cmdline: C:\Windows \BitLocker DiscoveryV olumeConte nts\BitLoc kerToGo.ex e MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
{"C2 url": ["boredimperissvieos.shop", "holicisticscrarws.shop", "sweetsquarediaslw.shop", "plaintediousidowsko.shop", "miniaturefinerninewjs.shop", "zippyfinickysofwps.shop", "obsceneclassyjuwks.shop", "acceptabledcooeprs.shop", "acceptabledcooeprs.shop"], "Build id": "xpsGVF--NEW1"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| Msfpayloads_msf_9 | Metasploit Payloads - file msf.war - contents | Florian Roth |
| |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Code function: | 2_2_006550A2 | |
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 2_2_006741A0 | |
| Source: | Code function: | 2_2_006741A0 | |
| Source: | Code function: | 2_2_0067C210 | |
| Source: | Code function: | 2_2_0065F41E | |
| Source: | Code function: | 2_2_0065B580 | |
| Source: | Code function: | 2_2_0065B580 | |
| Source: | Code function: | 2_2_006557D3 | |
| Source: | Code function: | 2_2_00665858 | |
| Source: | Code function: | 2_2_0064C800 | |
| Source: | Code function: | 2_2_00656890 | |
| Source: | Code function: | 2_2_00677A71 | |
| Source: | Code function: | 2_2_00660AA0 | |
| Source: | Code function: | 2_2_00678C73 | |
| Source: | Code function: | 2_2_00678C73 | |
| Source: | Code function: | 2_2_0065FD60 | |
| Source: | Code function: | 2_2_0067AD10 | |
| Source: | Code function: | 2_2_0067AF00 | |
| Source: | Code function: | 2_2_006650B7 | |
| Source: | Code function: | 2_2_0066112F | |
| Source: | Code function: | 2_2_0065624A | |
| Source: | Code function: | 2_2_00651231 | |
| Source: | Code function: | 2_2_006542D1 | |
| Source: | Code function: | 2_2_00649380 | |
| Source: | Code function: | 2_2_006604E2 | |
| Source: | Code function: | 2_2_0064F66E | |
| Source: | Code function: | 2_2_0064F66E | |
| Source: | Code function: | 2_2_0067A7BF | |
| Source: | Code function: | 2_2_0064C790 | |
| Source: | Code function: | 2_2_00659840 | |
| Source: | Code function: | 2_2_00650834 | |
| Source: | Code function: | 2_2_0064F9A2 | |
| Source: | Code function: | 2_2_00671B40 | |
| Source: | Code function: | 2_2_0065BB5E | |
| Source: | Code function: | 2_2_00679B59 | |
| Source: | Code function: | 2_2_0067AB30 | |
| Source: | Code function: | 2_2_0067BB00 | |
| Source: | Code function: | 2_2_00679BB3 | |
| Source: | Code function: | 2_2_00653B90 | |
| Source: | Code function: | 2_2_00654CA6 | |
| Source: | Code function: | 2_2_00647CB0 | |
| Source: | Code function: | 2_2_00642C90 | |
| Source: | Code function: | 2_2_0064ED28 | |
| Source: | Code function: | 2_2_00663D30 | |
| Source: | Code function: | 2_2_0064FD12 | |
| Source: | Code function: | 2_2_00650DD9 | |
| Source: | Code function: | 2_2_0067BE60 | |
| Source: | Code function: | 2_2_00653F60 | |
| Source: | Code function: | 2_2_00679F2C | |
| Source: | Code function: | 2_2_00679F2A | |
Networking | |
|---|
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 2_2_0066E700 | |
| Source: | Code function: | 2_2_0066E700 | |
| Source: | Code function: | 2_2_0066E8E0 | |
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Code function: | 2_2_0065F41E | |
| Source: | Code function: | 2_2_00644640 | |
| Source: | Code function: | 2_2_0067B7C0 | |
| Source: | Code function: | 2_2_00660AA0 | |
| Source: | Code function: | 2_2_0065FD60 | |
| Source: | Code function: | 2_2_00646060 | |
| Source: | Code function: | 2_2_00663327 | |
| Source: | Code function: | 2_2_006604E2 | |
| Source: | Code function: | 2_2_0064555B | |
| Source: | Code function: | 2_2_00666EDE | |
| Source: | Code function: | 2_2_00643678 | |
| Source: | Code function: | 2_2_00646630 | |
| Source: | Code function: | 2_2_0065C6DA | |
| Source: | Code function: | 2_2_006766B0 | |
| Source: | Code function: | 2_2_00641730 | |
| Source: | Code function: | 2_2_00665705 | |
| Source: | Code function: | 2_2_00645826 | |
| Source: | Code function: | 2_2_00648920 | |
| Source: | Code function: | 2_2_006469F4 | |
| Source: | Code function: | 2_2_00673A60 | |
| Source: | Code function: | 2_2_00661A68 | |
| Source: | Code function: | 2_2_00665AAD | |
| Source: | Code function: | 2_2_0064EB60 | |
| Source: | Code function: | 2_2_00645B68 | |
| Source: | Code function: | 2_2_00665B47 | |
| Source: | Code function: | 2_2_0065BB5E | |
| Source: | Code function: | 2_2_0067BB00 | |
| Source: | Code function: | 2_2_00643C5F | |
| Source: | Code function: | 2_2_00647CB0 | |
| Source: | Code function: | 2_2_00661C93 | |
| Source: | Code function: | 2_2_00642E60 | |
| Source: | Code function: | 2_2_0067BE60 | |
| Source: | Code function: | 2_2_00646ED4 | |
| Source: | Code function: | 2_2_00666EDE | |
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Matched rule: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 2_2_0066E279 | |
| Source: | File created: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | Virustotal: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 2_2_0068136F | |
| Source: | Code function: | 2_2_006818A3 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | System information queried: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 2_2_00677ED0 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 311 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 111 Security Software Discovery | Remote Services | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Virtualization/Sandbox Evasion | LSASS Memory | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 311 Process Injection | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | 31 Data from Local System | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Deobfuscate/Decode Files or Information | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | 2 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | 12 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 32% | ReversingLabs | Win64.Spyware.Lummastealer | ||
| 30% | Virustotal | Browse |
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 1% | Virustotal | Browse |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 10% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 1% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 1% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 1% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 1% | Virustotal | Browse |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| acceptabledcooeprs.shop | 104.21.59.156 | true | true |
| unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| false |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 104.21.59.156 | acceptabledcooeprs.shop | United States | 13335 | CLOUDFLARENETUS | true |
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1435867 |
| Start date and time: | 2024-05-03 10:11:10 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 3m 55s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 5 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | file.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@3/0@2/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target file.exe, PID 6288 because there are no executed function
- HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 10:12:16 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 104.21.59.156 | Get hash | malicious | Unknown | Browse |
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | GuLoader, Remcos | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | RisePro Stealer | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | RisePro Stealer | Browse |
| ||
| Get hash | malicious | WSHRAT | Browse |
| ||
| Get hash | malicious | WSHRAT | Browse |
| ||
| Get hash | malicious | WSHRAT | Browse |
| ||
| Get hash | malicious | WSHRAT | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 6.393292542165312 |
| TrID: |
|
| File name: | file.exe |
| File size: | 6'685'696 bytes |
| MD5: | 7498af5d4fe090e8e2b4d13d867ab5e0 |
| SHA1: | d3e086f49ef2db4a75ff1f6dc93b0045bba07866 |
| SHA256: | 725c4af20cd8140f12cb87e2b0e3c8a5654257cbccc70f378c765b1fa3322dc6 |
| SHA512: | ad0c01bd34b676b227aa26348ce18c8bbe5e3e9949c50b792bd7fabf97bd42be0eaeef30212fb230c9d53c46d7f06800e50c376711b4978e5c5bb3629f803437 |
| SSDEEP: | 49152:AR2csE7IE7oIPRasjLPqiZ8vRLMpW/VllBRzfGej25ExdfvCXBqFZ4Hb1c1p5:ApfouMsShLMAWdExZZ4hW5 |
| TLSH: | 12665907FC9145E5C0EDD17089629167BB71BC484B212BD72B60FB282F76BD0AE7A358 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$.x*...f................@.............................`o......cf...`... ............................ |
 | |
| Icon Hash: | 41cab3b1b386a045 |
| Entrypoint: | 0x1400014c0 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x140000000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x0 [Thu Jan 1 00:00:00 1970 UTC] |
| TLS Callbacks: | 0x4029d0a0, 0x1, 0x4029d070, 0x1, 0x402a0b10, 0x1 |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 1 |
| File Version Major: | 6 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 1 |
| Import Hash: | c595f1660e1a3c84f4d9b0761d23cd7a |
| Instruction |
|---|
| dec eax |
| sub esp, 28h |
| dec eax |
| mov eax, dword ptr [0062F835h] |
| mov dword ptr [eax], 00000001h |
| call 00007F06E119D1BFh |
| nop |
| nop |
| dec eax |
| add esp, 28h |
| ret |
| nop dword ptr [eax] |
| dec eax |
| sub esp, 28h |
| dec eax |
| mov eax, dword ptr [0062F815h] |
| mov dword ptr [eax], 00000000h |
| call 00007F06E119D19Fh |
| nop |
| nop |
| dec eax |
| add esp, 28h |
| ret |
| nop dword ptr [eax] |
| dec eax |
| sub esp, 28h |
| call 00007F06E1443E7Ch |
| dec eax |
| test eax, eax |
| sete al |
| movzx eax, al |
| neg eax |
| dec eax |
| add esp, 28h |
| ret |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| dec eax |
| lea ecx, dword ptr [00000009h] |
| jmp 00007F06E119D4D9h |
| nop dword ptr [eax+00h] |
| ret |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| jmp dword ptr [eax] |
| inc edi |
| outsd |
| and byte ptr [edx+75h], ah |
| imul ebp, dword ptr [esp+20h], 203A4449h |
| and dh, byte ptr [eax] |
| xor byte ptr [eax+58h], dl |
| jp 00007F06E119D559h |
| inc esi |
| outsb |
| push edx |
| outsb |
| push 69315362h |
| js 00007F06E119D561h |
| sub eax, 2D77542Fh |
| dec ebx |
| push 51357949h |
| je 00007F06E119D554h |
| dec ecx |
| xor ch, byte ptr [edx+66h] |
| xor bh, byte ptr [eax+32h] |
| xor eax, 48552F44h |
| push 0000002Dh |
| arpl word ptr [ecx+70h], bx |
| cmp dword ptr [edi+4Bh], eax |
| push eax |
| inc ebx |
| outsd |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x6d3000 | 0x4e | .edata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6d4000 | 0x1458 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6d8000 | 0xe724 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x632000 | 0x108b4 | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6e7000 | 0xed60 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x630660 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x6d4494 | 0x458 | .idata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x2a7640 | 0x2a7800 | a85485b80cee45efe5851f52cd564819 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0x2a9000 | 0x4c6d0 | 0x4c800 | 65f680890dd1848f9020578e2b953f3f | False | 0.3545272926879085 | dBase III DBT, version number 0, next free block index 10, 1st item "ogr\011v1.4.1\011h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=" | 4.776361466960697 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rdata | 0x2f6000 | 0x33b490 | 0x33b600 | c82c753c575e841b61c7c127ac85499e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
| .pdata | 0x632000 | 0x108b4 | 0x10a00 | e8842d053392b93f9370eb90baff485c | False | 0.4064702772556391 | data | 5.628384707560738 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
| .xdata | 0x643000 | 0xc50 | 0xe00 | 7333d66ce156368a4a9b6482a1d347ba | False | 0.25809151785714285 | data | 3.993048164403714 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
| .bss | 0x644000 | 0x8e860 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .edata | 0x6d3000 | 0x4e | 0x200 | a96267c73748517474e50df5e2d1d409 | False | 0.08984375 | data | 0.6437670283782346 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
| .idata | 0x6d4000 | 0x1458 | 0x1600 | fadc0a29fcb423787a542fb6671404ca | False | 0.296875 | data | 4.273019518687252 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .CRT | 0x6d6000 | 0x70 | 0x200 | 80f3939c070cc9b10968d943535bbe29 | False | 0.083984375 | data | 0.47235209217553853 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .tls | 0x6d7000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x6d8000 | 0xe724 | 0xe800 | fceeea5930b006833a981c7d6ed2d1a9 | False | 0.5956021012931034 | data | 6.977836018600552 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .reloc | 0x6e7000 | 0xed60 | 0xee00 | 2adff319b02cf71d1e92d5d7f7fe896d | False | 0.24653689600840337 | data | 5.429313354931007 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x6d8354 | 0x46eb | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 1.000440649958689 |
| RT_ICON | 0x6dca40 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.41524390243902437 |
| RT_ICON | 0x6dd0a8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.4475806451612903 |
| RT_ICON | 0x6dd390 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.5337837837837838 |
| RT_ICON | 0x6dd4b8 | 0x1754 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9480910917615539 |
| RT_ICON | 0x6dec0c | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.208955223880597 |
| RT_ICON | 0x6dfab4 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.20442238267148014 |
| RT_ICON | 0x6e035c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.20014450867052022 |
| RT_ICON | 0x6e08c4 | 0x17d7 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9369162706865476 |
| RT_ICON | 0x6e209c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.10072614107883818 |
| RT_ICON | 0x6e4644 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.11468105065666041 |
| RT_ICON | 0x6e56ec | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2579787234042553 |
| RT_GROUP_ICON | 0x6e5b54 | 0xae | data | English | United States | 0.603448275862069 |
| RT_VERSION | 0x6e5c04 | 0x4f4 | data | English | United States | 0.2854889589905363 |
| RT_MANIFEST | 0x6e60f8 | 0x62c | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4240506329113924 |
| DLL | Import |
|---|---|
| KERNEL32.dll | AddAtomA, AddVectoredContinueHandler, AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateFileA, CreateIoCompletionPort, CreateMutexA, CreateSemaphoreA, CreateThread, CreateWaitableTimerExW, DeleteAtom, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FindAtomA, FormatMessageA, FreeEnvironmentStringsW, GetAtomNameA, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetHandleInformation, GetLastError, GetProcAddress, GetProcessAffinityMask, GetQueuedCompletionStatusEx, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetTickCount, InitializeCriticalSection, IsDBCSLeadByteEx, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryExW, LoadLibraryW, LocalFree, MultiByteToWideChar, OpenProcess, OutputDebugStringA, PostQueuedCompletionStatus, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, RaiseFailFastException, ReleaseMutex, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, RtlLookupFunctionEntry, RtlVirtualUnwind, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessAffinityMask, SetProcessPriorityBoost, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WideCharToMultiByte, WriteConsoleW, WriteFile, __C_specific_handler |
| msvcrt.dll | ___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _beginthread, _beginthreadex, _cexit, _commode, _endthreadex, _errno, _fmode, _initterm, _lock, _memccpy, _onexit, _setjmp, _strdup, _ultoa, _unlock, abort, calloc, exit, fprintf, fputc, free, fwrite, localeconv, longjmp, malloc, memcpy, memmove, memset, printf, realloc, signal, strerror, strlen, strncmp, vfprintf, wcslen |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| May 3, 2024 10:12:15.307290077 CEST | 49735 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:15.307312012 CEST | 443 | 49735 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:15.307368040 CEST | 49735 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:15.310839891 CEST | 49735 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:15.310861111 CEST | 443 | 49735 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:15.503254890 CEST | 443 | 49735 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:15.503359079 CEST | 49735 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:15.507525921 CEST | 49735 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:15.507534027 CEST | 443 | 49735 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:15.507955074 CEST | 443 | 49735 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:15.554624081 CEST | 49735 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:15.557965040 CEST | 49735 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:15.558017015 CEST | 49735 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:15.558056116 CEST | 443 | 49735 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:15.993974924 CEST | 443 | 49735 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:15.994081020 CEST | 443 | 49735 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:15.994138002 CEST | 49735 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:15.996495962 CEST | 49735 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:15.996514082 CEST | 443 | 49735 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:15.996545076 CEST | 49735 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:15.996551037 CEST | 443 | 49735 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:16.000777960 CEST | 49737 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:16.000802040 CEST | 443 | 49737 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:16.000869036 CEST | 49737 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:16.001445055 CEST | 49737 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:16.001461983 CEST | 443 | 49737 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:16.185681105 CEST | 443 | 49737 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:16.185754061 CEST | 49737 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:16.186988115 CEST | 49737 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:16.186995983 CEST | 443 | 49737 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:16.187309027 CEST | 443 | 49737 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:16.199629068 CEST | 49737 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:16.199664116 CEST | 49737 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:16.199708939 CEST | 443 | 49737 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:16.704917908 CEST | 443 | 49737 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:16.704983950 CEST | 443 | 49737 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:16.705064058 CEST | 49737 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:16.705074072 CEST | 443 | 49737 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:16.705200911 CEST | 443 | 49737 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:16.705225945 CEST | 443 | 49737 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:16.705272913 CEST | 49737 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:16.705279112 CEST | 443 | 49737 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:16.705318928 CEST | 49737 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:16.705419064 CEST | 443 | 49737 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:16.705507040 CEST | 443 | 49737 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:16.705614090 CEST | 443 | 49737 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:16.705661058 CEST | 49737 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:16.705667019 CEST | 443 | 49737 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:16.705702066 CEST | 49737 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:16.705714941 CEST | 443 | 49737 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:16.705760002 CEST | 443 | 49737 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:16.705826044 CEST | 443 | 49737 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:16.705864906 CEST | 49737 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:17.390237093 CEST | 49737 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:17.390263081 CEST | 443 | 49737 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:17.390275002 CEST | 49737 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:17.390280962 CEST | 443 | 49737 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:17.960824966 CEST | 49738 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:17.960867882 CEST | 443 | 49738 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:17.960943937 CEST | 49738 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:17.961493015 CEST | 49738 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:17.961508989 CEST | 443 | 49738 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:18.148156881 CEST | 443 | 49738 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:18.148262978 CEST | 49738 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:18.149790049 CEST | 49738 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:18.149797916 CEST | 443 | 49738 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:18.150042057 CEST | 443 | 49738 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:18.151201963 CEST | 49738 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:18.151376009 CEST | 49738 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:18.151411057 CEST | 443 | 49738 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:18.151489019 CEST | 49738 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:18.151498079 CEST | 443 | 49738 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:18.629654884 CEST | 443 | 49738 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:18.629776955 CEST | 443 | 49738 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:18.629846096 CEST | 49738 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:18.630815029 CEST | 49738 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:18.630832911 CEST | 443 | 49738 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:18.869774103 CEST | 49739 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:18.869802952 CEST | 443 | 49739 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:18.869875908 CEST | 49739 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:18.870176077 CEST | 49739 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:18.870188951 CEST | 443 | 49739 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:19.059385061 CEST | 443 | 49739 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:19.059557915 CEST | 49739 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:19.061013937 CEST | 49739 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:19.061021090 CEST | 443 | 49739 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:19.061336040 CEST | 443 | 49739 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:19.062860966 CEST | 49739 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:19.063010931 CEST | 49739 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:19.063040972 CEST | 443 | 49739 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:19.547925949 CEST | 443 | 49739 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:19.548053980 CEST | 443 | 49739 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:19.548110962 CEST | 49739 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:19.548170090 CEST | 49739 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:19.548182964 CEST | 443 | 49739 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:19.691653013 CEST | 49740 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:19.691723108 CEST | 443 | 49740 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:19.691945076 CEST | 49740 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:19.692159891 CEST | 49740 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:19.692176104 CEST | 443 | 49740 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:19.877533913 CEST | 443 | 49740 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:19.877774000 CEST | 49740 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:19.878947973 CEST | 49740 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:19.878954887 CEST | 443 | 49740 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:19.879300117 CEST | 443 | 49740 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:19.880526066 CEST | 49740 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:19.880696058 CEST | 49740 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:19.880733013 CEST | 443 | 49740 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:19.880799055 CEST | 49740 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:19.880809069 CEST | 443 | 49740 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:20.415819883 CEST | 443 | 49740 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:20.415980101 CEST | 443 | 49740 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:20.416035891 CEST | 49740 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:20.416194916 CEST | 49740 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:20.416208982 CEST | 443 | 49740 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:20.526498079 CEST | 49741 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:20.526537895 CEST | 443 | 49741 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:20.526621103 CEST | 49741 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:20.526963949 CEST | 49741 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:20.526981115 CEST | 443 | 49741 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:20.711649895 CEST | 443 | 49741 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:20.711822987 CEST | 49741 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:20.713094950 CEST | 49741 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:20.713103056 CEST | 443 | 49741 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:20.713331938 CEST | 443 | 49741 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:20.714579105 CEST | 49741 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:20.714694977 CEST | 49741 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:20.714723110 CEST | 443 | 49741 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:21.189892054 CEST | 443 | 49741 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:21.189966917 CEST | 443 | 49741 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:21.190115929 CEST | 49741 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:22.296906948 CEST | 49741 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:22.296941996 CEST | 443 | 49741 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:22.340914965 CEST | 49742 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:22.340949059 CEST | 443 | 49742 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:22.341010094 CEST | 49742 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:22.341797113 CEST | 49742 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:22.341818094 CEST | 443 | 49742 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:22.524535894 CEST | 443 | 49742 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:22.524738073 CEST | 49742 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:22.527717113 CEST | 49742 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:22.527726889 CEST | 443 | 49742 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:22.527956963 CEST | 443 | 49742 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:22.529115915 CEST | 49742 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:22.529213905 CEST | 49742 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:22.529220104 CEST | 443 | 49742 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:22.992604017 CEST | 443 | 49742 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:22.992682934 CEST | 443 | 49742 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:22.992739916 CEST | 49742 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:22.996164083 CEST | 49742 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:22.996190071 CEST | 443 | 49742 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:23.735694885 CEST | 49743 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:23.735728979 CEST | 443 | 49743 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:23.735852957 CEST | 49743 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:23.736172915 CEST | 49743 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:23.736186981 CEST | 443 | 49743 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:23.919342041 CEST | 443 | 49743 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:23.919425011 CEST | 49743 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:23.920634031 CEST | 49743 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:23.920639992 CEST | 443 | 49743 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:23.920855999 CEST | 443 | 49743 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:23.922024012 CEST | 49743 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:23.922751904 CEST | 49743 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:23.922782898 CEST | 443 | 49743 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:23.922869921 CEST | 49743 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:23.922903061 CEST | 443 | 49743 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:23.922995090 CEST | 49743 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:23.923032045 CEST | 443 | 49743 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:23.923129082 CEST | 49743 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:23.923157930 CEST | 443 | 49743 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:23.923269987 CEST | 49743 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:23.923300982 CEST | 443 | 49743 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:23.923417091 CEST | 49743 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:23.923444033 CEST | 443 | 49743 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:23.923449993 CEST | 49743 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:23.923464060 CEST | 443 | 49743 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:23.923563957 CEST | 49743 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:23.923587084 CEST | 443 | 49743 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:23.923603058 CEST | 49743 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:23.923693895 CEST | 49743 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:23.923719883 CEST | 49743 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:23.964126110 CEST | 443 | 49743 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:23.964272022 CEST | 49743 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:23.964303017 CEST | 49743 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:23.964325905 CEST | 49743 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:24.008127928 CEST | 443 | 49743 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:24.008225918 CEST | 49743 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:24.056118965 CEST | 443 | 49743 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:25.438133001 CEST | 443 | 49743 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:25.438235044 CEST | 443 | 49743 | 104.21.59.156 | 192.168.2.4 |
| May 3, 2024 10:12:25.438546896 CEST | 49743 | 443 | 192.168.2.4 | 104.21.59.156 |
| May 3, 2024 10:12:25.438568115 CEST | 49743 | 443 | 192.168.2.4 | 104.21.59.156 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| May 3, 2024 10:12:15.206686020 CEST | 57485 | 53 | 192.168.2.4 | 1.1.1.1 |
| May 3, 2024 10:12:15.301578045 CEST | 53 | 57485 | 1.1.1.1 | 192.168.2.4 |
| May 3, 2024 10:12:28.082751989 CEST | 49157 | 53 | 192.168.2.4 | 1.1.1.1 |
| May 3, 2024 10:12:28.177026033 CEST | 53 | 49157 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| May 3, 2024 10:12:15.206686020 CEST | 192.168.2.4 | 1.1.1.1 | 0xbfee | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| May 3, 2024 10:12:28.082751989 CEST | 192.168.2.4 | 1.1.1.1 | 0xfa60 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| May 3, 2024 10:12:15.301578045 CEST | 1.1.1.1 | 192.168.2.4 | 0xbfee | No error (0) | 104.21.59.156 | A (IP address) | IN (0x0001) | false | ||
| May 3, 2024 10:12:15.301578045 CEST | 1.1.1.1 | 192.168.2.4 | 0xbfee | No error (0) | 172.67.180.137 | A (IP address) | IN (0x0001) | false | ||
| May 3, 2024 10:12:28.177026033 CEST | 1.1.1.1 | 192.168.2.4 | 0xfa60 | No error (0) | 172.67.180.137 | A (IP address) | IN (0x0001) | false | ||
| May 3, 2024 10:12:28.177026033 CEST | 1.1.1.1 | 192.168.2.4 | 0xfa60 | No error (0) | 104.21.59.156 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49735 | 104.21.59.156 | 443 | 6644 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-05-03 08:12:15 UTC | 270 | OUT | |
| 2024-05-03 08:12:15 UTC | 8 | OUT | |
| 2024-05-03 08:12:15 UTC | 812 | IN | |
| 2024-05-03 08:12:15 UTC | 7 | IN | |
| 2024-05-03 08:12:15 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49737 | 104.21.59.156 | 443 | 6644 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-05-03 08:12:16 UTC | 271 | OUT | |
| 2024-05-03 08:12:16 UTC | 53 | OUT | |
| 2024-05-03 08:12:16 UTC | 808 | IN | |
| 2024-05-03 08:12:16 UTC | 561 | IN | |
| 2024-05-03 08:12:16 UTC | 727 | IN | |
| 2024-05-03 08:12:16 UTC | 1369 | IN | |
| 2024-05-03 08:12:16 UTC | 1369 | IN | |
| 2024-05-03 08:12:16 UTC | 1369 | IN | |
| 2024-05-03 08:12:16 UTC | 1369 | IN | |
| 2024-05-03 08:12:16 UTC | 1369 | IN | |
| 2024-05-03 08:12:16 UTC | 1369 | IN | |
| 2024-05-03 08:12:16 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 49738 | 104.21.59.156 | 443 | 6644 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-05-03 08:12:18 UTC | 289 | OUT | |
| 2024-05-03 08:12:18 UTC | 15331 | OUT | |
| 2024-05-03 08:12:18 UTC | 2831 | OUT | |
| 2024-05-03 08:12:18 UTC | 816 | IN | |
| 2024-05-03 08:12:18 UTC | 23 | IN | |
| 2024-05-03 08:12:18 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.4 | 49739 | 104.21.59.156 | 443 | 6644 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-05-03 08:12:19 UTC | 288 | OUT | |
| 2024-05-03 08:12:19 UTC | 8783 | OUT | |
| 2024-05-03 08:12:19 UTC | 814 | IN | |
| 2024-05-03 08:12:19 UTC | 23 | IN | |
| 2024-05-03 08:12:19 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.4 | 49740 | 104.21.59.156 | 443 | 6644 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-05-03 08:12:19 UTC | 289 | OUT | |
| 2024-05-03 08:12:19 UTC | 15331 | OUT | |
| 2024-05-03 08:12:19 UTC | 5105 | OUT | |
| 2024-05-03 08:12:20 UTC | 820 | IN | |
| 2024-05-03 08:12:20 UTC | 23 | IN | |
| 2024-05-03 08:12:20 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.4 | 49741 | 104.21.59.156 | 443 | 6644 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-05-03 08:12:20 UTC | 288 | OUT | |
| 2024-05-03 08:12:20 UTC | 3797 | OUT | |
| 2024-05-03 08:12:21 UTC | 818 | IN | |
| 2024-05-03 08:12:21 UTC | 23 | IN | |
| 2024-05-03 08:12:21 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.4 | 49742 | 104.21.59.156 | 443 | 6644 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-05-03 08:12:22 UTC | 288 | OUT | |
| 2024-05-03 08:12:22 UTC | 1392 | OUT | |
| 2024-05-03 08:12:22 UTC | 816 | IN | |
| 2024-05-03 08:12:22 UTC | 23 | IN | |
| 2024-05-03 08:12:22 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.4 | 49743 | 104.21.59.156 | 443 | 6644 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-05-03 08:12:23 UTC | 290 | OUT | |
| 2024-05-03 08:12:23 UTC | 15331 | OUT | |
| 2024-05-03 08:12:23 UTC | 15331 | OUT | |
| 2024-05-03 08:12:23 UTC | 15331 | OUT | |
| 2024-05-03 08:12:23 UTC | 15331 | OUT | |
| 2024-05-03 08:12:23 UTC | 15331 | OUT | |
| 2024-05-03 08:12:23 UTC | 15331 | OUT | |
| 2024-05-03 08:12:23 UTC | 15331 | OUT | |
| 2024-05-03 08:12:23 UTC | 15331 | OUT | |
| 2024-05-03 08:12:23 UTC | 15331 | OUT | |
| 2024-05-03 08:12:23 UTC | 15331 | OUT | |
| 2024-05-03 08:12:25 UTC | 822 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 10:11:54 |
| Start date: | 03/05/2024 |
| Path: | C:\Users\user\Desktop\file.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6f6a00000 |
| File size: | 6'685'696 bytes |
| MD5 hash: | 7498AF5D4FE090E8E2B4D13D867AB5E0 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Go lang |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 10:12:14 |
| Start date: | 03/05/2024 |
| Path: | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xf40000 |
| File size: | 231'736 bytes |
| MD5 hash: | A64BEAB5D4516BECA4C40B25DC0C1CD8 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 14.8% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 38.5% |
| Total number of Nodes: | 348 |
| Total number of Limit Nodes: | 14 |
Graph
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00660AA0 Relevance: 13.0, Strings: 10, Instructions: 472COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00677A71 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 92libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00656890 Relevance: 6.7, Strings: 5, Instructions: 421COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0064C800 Relevance: 6.5, Strings: 5, Instructions: 262COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00644640 Relevance: 5.5, Strings: 4, Instructions: 529COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0065F41E Relevance: 5.4, Strings: 4, Instructions: 438COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0067AF00 Relevance: 5.2, Strings: 4, Instructions: 157COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 006557D3 Relevance: 4.1, Strings: 3, Instructions: 352COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 006741A0 Relevance: 4.0, Strings: 3, Instructions: 224COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00677ED0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0065C6DA Relevance: 3.5, APIs: 2, Instructions: 487COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0067AD10 Relevance: 2.7, Strings: 2, Instructions: 165COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00665858 Relevance: 2.6, Strings: 2, Instructions: 142COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0067B7C0 Relevance: 1.5, Strings: 1, Instructions: 294COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0067C210 Relevance: 1.5, Strings: 1, Instructions: 256COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0065FD60 Relevance: .4, Instructions: 357COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0065B580 Relevance: .3, Instructions: 323COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00678C73 Relevance: .1, Instructions: 80COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0066E279 Relevance: .0, Instructions: 20COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00677577 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 118libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00677D72 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0065C700 Relevance: 3.2, APIs: 2, Instructions: 215COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00656DD0 Relevance: 3.1, APIs: 2, Instructions: 75COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00666683 Relevance: 1.9, APIs: 1, Instructions: 411COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00666771 Relevance: 1.8, APIs: 1, Instructions: 345COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00677989 Relevance: 1.6, APIs: 1, Instructions: 91COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0066A23C Relevance: 1.6, APIs: 1, Instructions: 88memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00675CA1 Relevance: 1.6, APIs: 1, Instructions: 75memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00675B80 Relevance: 1.6, APIs: 1, Instructions: 59memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 006778CB Relevance: 1.5, APIs: 1, Instructions: 47libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00673E1D Relevance: 1.5, APIs: 1, Instructions: 31COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0066E700 Relevance: 31.6, APIs: 6, Strings: 12, Instructions: 131clipboardCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00665705 Relevance: 12.1, Strings: 9, Instructions: 805COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00641730 Relevance: 10.6, Strings: 8, Instructions: 593COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00665AAD Relevance: 5.4, Strings: 4, Instructions: 433COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00665B47 Relevance: 5.4, Strings: 4, Instructions: 433COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0065624A Relevance: 5.3, Strings: 4, Instructions: 316COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0067BE60 Relevance: 4.1, Strings: 3, Instructions: 325COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00649380 Relevance: 4.1, Strings: 3, Instructions: 313COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0064555B Relevance: 3.0, Strings: 2, Instructions: 514COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 006604E2 Relevance: 3.0, Strings: 2, Instructions: 478COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00663327 Relevance: 2.9, Strings: 2, Instructions: 449COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00645826 Relevance: 2.8, Strings: 2, Instructions: 264COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00645B68 Relevance: 2.7, Strings: 2, Instructions: 222COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0067AB30 Relevance: 2.7, Strings: 2, Instructions: 161COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00679F2C Relevance: 2.5, Strings: 2, Instructions: 41COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00679F2A Relevance: 2.5, Strings: 2, Instructions: 40COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00659840 Relevance: 1.7, Strings: 1, Instructions: 433COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00661C93 Relevance: 1.6, Strings: 1, Instructions: 380COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0067BB00 Relevance: 1.5, Strings: 1, Instructions: 292COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00646630 Relevance: 1.5, Strings: 1, Instructions: 262COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0064F66E Relevance: 1.5, Strings: 1, Instructions: 243COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00650834 Relevance: 1.5, Strings: 1, Instructions: 220COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 006650B7 Relevance: 1.4, Strings: 1, Instructions: 191COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00650DD9 Relevance: 1.4, Strings: 1, Instructions: 130COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 006542D1 Relevance: 1.4, Strings: 1, Instructions: 105COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00651231 Relevance: 1.3, Strings: 1, Instructions: 48COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00654CA6 Relevance: 1.3, Strings: 1, Instructions: 37COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0064ED28 Relevance: 1.3, APIs: 1, Instructions: 15COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00647CB0 Relevance: .8, Instructions: 822COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 006766B0 Relevance: .6, Instructions: 618COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00646060 Relevance: .5, Instructions: 497COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 006469F4 Relevance: .4, Instructions: 378COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00646ED4 Relevance: .3, Instructions: 316COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00643C5F Relevance: .3, Instructions: 315COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00643678 Relevance: .3, Instructions: 301COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00648920 Relevance: .3, Instructions: 301COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0064F9A2 Relevance: .3, Instructions: 258COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00661A68 Relevance: .2, Instructions: 196COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00673A60 Relevance: .2, Instructions: 179COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00642C90 Relevance: .2, Instructions: 166COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00653B90 Relevance: .1, Instructions: 146COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0064EB60 Relevance: .1, Instructions: 126COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00642E60 Relevance: .1, Instructions: 105COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00679BB3 Relevance: .1, Instructions: 92COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0067A7BF Relevance: .1, Instructions: 80COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00671B40 Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00653F60 Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00663D30 Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0064C790 Relevance: .0, Instructions: 21COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0064FD12 Relevance: .0, Instructions: 17COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00679B59 Relevance: .0, Instructions: 10COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0066112F Relevance: .0, Instructions: 8COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |