Edit tour
Windows
Analysis Report
SecuriteInfo.com.Win32.Evo-gen.17272.18065.exe
Overview
General Information
| Sample name: | SecuriteInfo.com.Win32.Evo-gen.17272.18065.exe |
| Analysis ID: | 1436373 |
| MD5: | bab05624883fc9d5fe21f6e26c509c80 |
| SHA1: | b9dfddb30341606e41f19b369995e1fe619214ae |
| SHA256: | ac9128c77beb18f3e26656a39e6df34964866ce61e8bc2424afca4c45d1aed8d |
| Tags: | exe |
| Infos: |  |
 | |
Detection
LummaC
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected LummaC Stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
SecuriteInfo.com.Win32.Evo-gen.17272.18065.exe (PID: 6652 cmdline: "C:\Users\ user\Deskt op\Securit eInfo.com. Win32.Evo- gen.17272. 18065.exe" MD5: BAB05624883FC9D5FE21F6E26C509C80) - RegAsm.exe (PID: 6676 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
{"C2 url": ["boredimperissvieos.shop", "holicisticscrarws.shop", "sweetsquarediaslw.shop", "plaintediousidowsko.shop", "miniaturefinerninewjs.shop", "zippyfinickysofwps.shop", "obsceneclassyjuwks.shop", "acceptabledcooeprs.shop", "pearcyworkeronej.shop"], "Build id": "uYY3NI--"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
⊘No Sigma rule has matched
| Timestamp: | 05/04/24-22:22:48.334726 |
| SID: | 2052368 |
| Source Port: | 49731 |
| Destination Port: | 53 |
| Protocol: | UDP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 05/04/24-22:22:56.178293 |
| SID: | 2052369 |
| Source Port: | 49735 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 05/04/24-22:22:57.267481 |
| SID: | 2052369 |
| Source Port: | 49736 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 05/04/24-22:22:53.534195 |
| SID: | 2052369 |
| Source Port: | 49734 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 05/04/24-22:22:49.603300 |
| SID: | 2052369 |
| Source Port: | 49731 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 05/04/24-22:22:52.371820 |
| SID: | 2052369 |
| Source Port: | 49733 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 05/04/24-22:22:58.672362 |
| SID: | 2052369 |
| Source Port: | 49737 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 05/04/24-22:22:51.059487 |
| SID: | 2052369 |
| Source Port: | 49732 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 05/04/24-22:22:48.500879 |
| SID: | 2052369 |
| Source Port: | 49730 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Joe Sandbox ML: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Code function: | 1_2_00416682 | |
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00FE8F57 | |
| Source: | Code function: | 0_2_0100BA68 | |
| Source: | Code function: | 0_2_01038D48 | |
| Source: | Code function: | 0_2_01007C08 | |
| Source: | Code function: | 0_2_0103CCE8 | |
| Source: | Code function: | 0_2_0103CF08 | |
| Source: | Code function: | 0_2_01037E38 | |
| Source: | Code function: | 1_2_0043C461 | |
| Source: | Code function: | 1_2_00415470 | |
| Source: | Code function: | 1_2_00424478 | |
| Source: | Code function: | 1_2_00424478 | |
| Source: | Code function: | 1_2_0043C615 | |
| Source: | Code function: | 1_2_0043E8D0 | |
| Source: | Code function: | 1_2_00426948 | |
| Source: | Code function: | 1_2_004279F5 | |
| Source: | Code function: | 1_2_00427059 | |
| Source: | Code function: | 1_2_00413038 | |
| Source: | Code function: | 1_2_0043E09F | |
| Source: | Code function: | 1_2_004350A0 | |
| Source: | Code function: | 1_2_0042213D | |
| Source: | Code function: | 1_2_0042213D | |
| Source: | Code function: | 1_2_0043D265 | |
| Source: | Code function: | 1_2_0041D35E | |
| Source: | Code function: | 1_2_0041D35E | |
| Source: | Code function: | 1_2_00428410 | |
| Source: | Code function: | 1_2_00411419 | |
| Source: | Code function: | 1_2_0043C436 | |
| Source: | Code function: | 1_2_0043D4E8 | |
| Source: | Code function: | 1_2_0043D48A | |
| Source: | Code function: | 1_2_00416555 | |
| Source: | Code function: | 1_2_0043C571 | |
| Source: | Code function: | 1_2_0043C571 | |
| Source: | Code function: | 1_2_0040D650 | |
| Source: | Code function: | 1_2_00402650 | |
| Source: | Code function: | 1_2_004226BD | |
| Source: | Code function: | 1_2_00422760 | |
| Source: | Code function: | 1_2_004097F0 | |
| Source: | Code function: | 1_2_004258B0 | |
| Source: | Code function: | 1_2_00426953 | |
| Source: | Code function: | 1_2_0043A930 | |
| Source: | Code function: | 1_2_00424982 | |
| Source: | Code function: | 1_2_00428A13 | |
| Source: | Code function: | 1_2_00439A20 | |
| Source: | Code function: | 1_2_0043EAF0 | |
| Source: | Code function: | 1_2_00417ABA | |
| Source: | Code function: | 1_2_0041DB00 | |
| Source: | Code function: | 1_2_0041DB00 | |
| Source: | Code function: | 1_2_00414D32 | |
| Source: | Code function: | 1_2_0041DDC7 | |
| Source: | Code function: | 1_2_0040FE47 | |
| Source: | Code function: | 1_2_00411E13 | |
| Source: | Code function: | 1_2_0043DE9C | |
| Source: | Code function: | 1_2_0043DEB1 | |
| Source: | Code function: | 1_2_0041DF3A | |
| Source: | Code function: | 1_2_0043DFE0 | |
Networking | |
|---|
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 1_2_00430520 | |
| Source: | Code function: | 1_2_00430520 | |
| Source: | Code function: | 1_2_00431CAA | |
| Source: | Binary or memory string: | memstr_8f54870f-c | |
| Source: | Code function: | 0_2_0103D918 | |
| Source: | Code function: | 0_2_01004898 | |
| Source: | Code function: | 0_2_01038228 | |
| Source: | Code function: | 0_2_0103D288 | |
| Source: | Code function: | 0_2_01002578 | |
| Source: | Code function: | 0_2_0103D5A8 | |
| Source: | Code function: | 0_2_00FECD70 | |
| Source: | Code function: | 0_2_010354A8 | |
| Source: | Code function: | 0_2_010064B8 | |
| Source: | Code function: | 0_2_0101FCB8 | |
| Source: | Code function: | 0_2_00FDEEE0 | |
| Source: | Code function: | 0_2_01001778 | |
| Source: | Code function: | 0_2_00FDBE6D | |
| Source: | Code function: | 0_2_0100E7A8 | |
| Source: | Code function: | 0_2_00FE3653 | |
| Source: | Code function: | 0_2_00FE3F3F | |
| Source: | Code function: | 1_2_0042112E | |
| Source: | Code function: | 1_2_004017B0 | |
| Source: | Code function: | 1_2_00422840 | |
| Source: | Code function: | 1_2_004218A0 | |
| Source: | Code function: | 1_2_00404B30 | |
| Source: | Code function: | 1_2_00402D10 | |
| Source: | Code function: | 1_2_0043EE70 | |
| Source: | Code function: | 1_2_00437090 | |
| Source: | Code function: | 1_2_004080A0 | |
| Source: | Code function: | 1_2_00404160 | |
| Source: | Code function: | 1_2_0042213D | |
| Source: | Code function: | 1_2_0043F190 | |
| Source: | Code function: | 1_2_0041D35E | |
| Source: | Code function: | 1_2_00403360 | |
| Source: | Code function: | 1_2_00410390 | |
| Source: | Code function: | 1_2_00406480 | |
| Source: | Code function: | 1_2_0043F500 | |
| Source: | Code function: | 1_2_00405720 | |
| Source: | Code function: | 1_2_0042C85E | |
| Source: | Code function: | 1_2_00406A50 | |
| Source: | Code function: | 1_2_00428AC0 | |
| Source: | Code function: | 1_2_00425B50 | |
| Source: | Code function: | 1_2_00439E10 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 1_2_00430169 | |
| Source: | Key opened: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00FD616B | |
| Source: | Code function: | 0_2_00FF5F46 | |
| Source: | Code function: | 1_2_004337E7 | |
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | System information queried: | Jump to behavior | ||
| Source: | API coverage: | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Code function: | 0_2_00FE8F57 | |
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 1_2_0043B550 | |
| Source: | Code function: | 0_2_00FD67DD | |
| Source: | Code function: | 0_2_00FEA021 | |
| Source: | Code function: | 0_2_00FE010F | |
| Source: | Code function: | 0_2_00FEC620 | |
| Source: | Code function: | 0_2_00FD6939 | |
| Source: | Code function: | 0_2_00FD6A4A | |
| Source: | Code function: | 0_2_00FD67DD | |
| Source: | Code function: | 0_2_00FDA713 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00FD64BC | |
| Source: | Code function: | 0_2_00FEC0C0 | |
| Source: | Code function: | 0_2_00FE5022 | |
| Source: | Code function: | 0_2_00FEC1E9 | |
| Source: | Code function: | 0_2_00FEC2EF | |
| Source: | Code function: | 0_2_00FEC3BE | |
| Source: | Code function: | 0_2_00FEBCFC | |
| Source: | Code function: | 0_2_00FEBDE2 | |
| Source: | Code function: | 0_2_00FE5548 | |
| Source: | Code function: | 0_2_00FEBD47 | |
| Source: | Code function: | 0_2_00FEBE6D | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_00FD66D0 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 311 Process Injection | 11 Virtualization/Sandbox Evasion | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 311 Process Injection | 11 Input Capture | 141 Security Software Discovery | Remote Desktop Protocol | 11 Input Capture | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Archive Collected Data | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 1 Process Discovery | Distributed Component Object Model | 31 Data from Local System | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 11 File and Directory Discovery | SSH | 2 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 33 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 46% | Virustotal | Browse | ||
| 100% | Avira | HEUR/AGEN.1314931 | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 1% | Virustotal | Browse |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 1% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 2% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 1% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 1% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 1% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 2% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 11% | Virustotal | Browse | ||
| 1% | Virustotal | Browse |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| pearcyworkeronej.shop | 172.67.131.204 | true | true |
| unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 172.67.131.204 | pearcyworkeronej.shop | United States | 13335 | CLOUDFLARENETUS | true |
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1436373 |
| Start date and time: | 2024-05-04 22:22:04 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 2m 36s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 3 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | SecuriteInfo.com.Win32.Evo-gen.17272.18065.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@3/0@1/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): SIHClient.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com
- HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 22:22:49 | API Interceptor |
| Source | URL |
|---|---|
| Screenshot | http://<UNKNOWNECI:015160>System.Byte[]</UNKNOWNECI> |
| Screenshot | http://<UNKNOWNECI:015160>System.Byte[]</UNKNOWNECI> |
| Screenshot | http://<UNKNOWNECI:015160>System.Byte[]</UNKNOWNECI> |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 172.67.131.204 | Get hash | malicious | LummaC | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| pearcyworkeronej.shop | Get hash | malicious | LummaC | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | PureLog Stealer, RedLine, Snake Keylogger | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | PureLog Stealer, RedLine, Snake Keylogger | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer, RedLine | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | VMdetect | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
|
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 7.273245524862648 |
| TrID: |
|
| File name: | SecuriteInfo.com.Win32.Evo-gen.17272.18065.exe |
| File size: | 578'048 bytes |
| MD5: | bab05624883fc9d5fe21f6e26c509c80 |
| SHA1: | b9dfddb30341606e41f19b369995e1fe619214ae |
| SHA256: | ac9128c77beb18f3e26656a39e6df34964866ce61e8bc2424afca4c45d1aed8d |
| SHA512: | 73a605ecd62f6c46f525dd13be73439ee9cab263786b45cf90a7146122e947d70dc228811a26fff0d8ec4ccb7999d1954993f79edf41cdfd8fa47b0fe682c1e1 |
| SSDEEP: | 12288:t/fI5jU8WtkonTgdwt8fU2A84yDfupl5zK7FHo:t3IeOfU25WnE7l |
| TLSH: | 33C4F11174C080B2E57315320AE1DAB85E3EBD300A729A9F67881FBF5F312D2E755A57 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(tY.F'Y.F'Y.F'..E&U.F'..C&..F'..B&L.F'..B&K.F'..E&M.F'..G&\.F'Y.G'..F'..C&..F'..C&X.F'..D&X.F'RichY.F'................PE..L.. |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x406102 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x6634E6D5 [Fri May 3 13:29:57 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | f23588e58d9b5c75df2f16b529527a2e |
| Instruction |
|---|
| call 00007F69D48172DBh |
| jmp 00007F69D4816B39h |
| push ebp |
| mov ebp, esp |
| jmp 00007F69D4816CCFh |
| push dword ptr [ebp+08h] |
| call 00007F69D48225B1h |
| pop ecx |
| test eax, eax |
| je 00007F69D4816CD1h |
| push dword ptr [ebp+08h] |
| call 00007F69D481D919h |
| pop ecx |
| test eax, eax |
| je 00007F69D4816CA8h |
| pop ebp |
| ret |
| cmp dword ptr [ebp+08h], FFFFFFFFh |
| je 00007F69D48139A8h |
| jmp 00007F69D4814AB9h |
| push ebp |
| mov ebp, esp |
| push dword ptr [ebp+08h] |
| call 00007F69D48175C3h |
| pop ecx |
| pop ebp |
| ret |
| cmp ecx, dword ptr [0042D040h] |
| jne 00007F69D4816CC3h |
| ret |
| jmp 00007F69D48175DFh |
| mov ecx, dword ptr [ebp-0Ch] |
| mov dword ptr fs:[00000000h], ecx |
| pop ecx |
| pop edi |
| pop edi |
| pop esi |
| pop ebx |
| mov esp, ebp |
| pop ebp |
| push ecx |
| ret |
| mov ecx, dword ptr [ebp-10h] |
| xor ecx, ebp |
| call 00007F69D4816C99h |
| jmp 00007F69D4816CA2h |
| push eax |
| push dword ptr fs:[00000000h] |
| lea eax, dword ptr [esp+0Ch] |
| sub esp, dword ptr [esp+0Ch] |
| push ebx |
| push esi |
| push edi |
| mov dword ptr [eax], ebp |
| mov ebp, eax |
| mov eax, dword ptr [0042D040h] |
| xor eax, ebp |
| push eax |
| push dword ptr [ebp-04h] |
| mov dword ptr [ebp-04h], FFFFFFFFh |
| lea eax, dword ptr [ebp-0Ch] |
| mov dword ptr fs:[00000000h], eax |
| ret |
| push eax |
| push dword ptr fs:[00000000h] |
| lea eax, dword ptr [esp+0Ch] |
| sub esp, dword ptr [esp+0Ch] |
| push ebx |
| push esi |
| push edi |
| mov dword ptr [eax], ebp |
| mov ebp, eax |
| mov eax, dword ptr [0042D040h] |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x83000 | 0xdae | .INV |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81000 | 0x1a6c | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2aba8 | 0x1c | .DAX |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2aae8 | 0x40 | .DAX |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x23000 | 0x13c | .DAX |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x211ef | 0x21200 | cc51c6f65a5e51c9015def07988f5938 | False | 0.583262087264151 | data | 6.64090329332346 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .DAX | 0x23000 | 0x9cf6 | 0x9e00 | 7b1b09f50a89ab15ae62d26f668f64ee | False | 0.43421182753164556 | data | 4.953928845663177 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x2d000 | 0x1d54 | 0x1000 | 96f6fc94400f9b3c80d126cafa6f2df3 | False | 0.190673828125 | data | 3.018020491461944 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .Left | 0x2f000 | 0x510c4 | 0x51200 | c7183028291c3a4d7fdf1b6f8c8b05fa | False | 0.998236469568567 | OpenPGP Public Key | 7.999212238267937 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .reloc | 0x81000 | 0x1a6c | 0x1c00 | 6f40397f4829021ef609cc1670e7efd9 | False | 0.7197265625 | data | 6.348967303435409 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| .INV | 0x83000 | 0xdae | 0xde00 | b2382c6356dde49d143d0236613e527a | False | 0.029402449324324325 | data | 0.5552536644324805 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| DLL | Import |
|---|---|
| USER32.DLL | OpenIcon, RegisterRawInputDevices, OemToCharBuffW, TranslateAccelerator, EvaluateProximityToRect, DrawTextA, DrawStateA, IsCharAlphaNumericW, RegisterClipboardFormatA, LoadKeyboardLayoutA, EnumDisplaySettingsW, DdeCreateStringHandleA, OemToCharA, SendMessageTimeoutW, GetIconInfoExW, InvertRect, GetSystemMenu, FreeDDElParam, SetCursor, GetWindowContextHelpId, PrintWindow, DwmGetDxSharedSurface, ReleaseDwmHitTestWaiters, OpenWindowStationW, DwmGetRemoteSessionOcclusionEvent, GetParent, TrackPopupMenuEx, _UserTestTokenForInteractive, DdeQueryStringW, ScrollChildren |
| KERNEL32.DLL | LoadLibraryExW, CreateFileW, VirtualProtect, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, GetCPInfo, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetModuleHandleW, GetCurrentProcess, TerminateProcess, HeapSize, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, WriteConsoleW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, GetFileType, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileSizeEx, SetFilePointerEx, CloseHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetProcessHeap, ReadConsoleW |
| MSVCRT.DLL | _mbsupr_s, _set_errno, _wtoi64, _mbsnextc_l, _islower_l, _wutime64, _vfwprintf_l, __pwctype_func, _mktemp, _popen, __CxxCallUnwindDtor, _fwscanf_s_l, _gcvt, _sprintf_l, _cwscanf_l, _wcstoul_l, _wtempnam_dbg, _vcprintf, __ExceptionPtrCopy, _swprintf_s_l, _get_environ, _mbscpy, _fprintf_s_l, _wspawnvpe, exit |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 05/04/24-22:22:48.334726 | UDP | 2052368 | ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (pearcyworkeronej .shop) | 49731 | 53 | 192.168.2.4 | 1.1.1.1 |
| 05/04/24-22:22:56.178293 | TCP | 2052369 | ET TROJAN Observed Lumma Stealer Related Domain (pearcyworkeronej .shop in TLS SNI) | 49735 | 443 | 192.168.2.4 | 172.67.131.204 |
| 05/04/24-22:22:57.267481 | TCP | 2052369 | ET TROJAN Observed Lumma Stealer Related Domain (pearcyworkeronej .shop in TLS SNI) | 49736 | 443 | 192.168.2.4 | 172.67.131.204 |
| 05/04/24-22:22:53.534195 | TCP | 2052369 | ET TROJAN Observed Lumma Stealer Related Domain (pearcyworkeronej .shop in TLS SNI) | 49734 | 443 | 192.168.2.4 | 172.67.131.204 |
| 05/04/24-22:22:49.603300 | TCP | 2052369 | ET TROJAN Observed Lumma Stealer Related Domain (pearcyworkeronej .shop in TLS SNI) | 49731 | 443 | 192.168.2.4 | 172.67.131.204 |
| 05/04/24-22:22:52.371820 | TCP | 2052369 | ET TROJAN Observed Lumma Stealer Related Domain (pearcyworkeronej .shop in TLS SNI) | 49733 | 443 | 192.168.2.4 | 172.67.131.204 |
| 05/04/24-22:22:58.672362 | TCP | 2052369 | ET TROJAN Observed Lumma Stealer Related Domain (pearcyworkeronej .shop in TLS SNI) | 49737 | 443 | 192.168.2.4 | 172.67.131.204 |
| 05/04/24-22:22:51.059487 | TCP | 2052369 | ET TROJAN Observed Lumma Stealer Related Domain (pearcyworkeronej .shop in TLS SNI) | 49732 | 443 | 192.168.2.4 | 172.67.131.204 |
| 05/04/24-22:22:48.500879 | TCP | 2052369 | ET TROJAN Observed Lumma Stealer Related Domain (pearcyworkeronej .shop in TLS SNI) | 49730 | 443 | 192.168.2.4 | 172.67.131.204 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| May 4, 2024 22:22:48.497545004 CEST | 49730 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:48.497623920 CEST | 443 | 49730 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:48.497731924 CEST | 49730 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:48.500879049 CEST | 49730 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:48.500916004 CEST | 443 | 49730 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:48.829025984 CEST | 443 | 49730 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:48.829128027 CEST | 49730 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:48.831804037 CEST | 49730 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:48.831820965 CEST | 443 | 49730 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:48.832310915 CEST | 443 | 49730 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:48.877679110 CEST | 49730 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:48.877679110 CEST | 49730 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:48.877815962 CEST | 443 | 49730 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:49.579178095 CEST | 443 | 49730 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:49.579303980 CEST | 443 | 49730 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:49.579380989 CEST | 49730 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:49.598860979 CEST | 49730 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:49.598917961 CEST | 443 | 49730 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:49.602843046 CEST | 49731 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:49.602870941 CEST | 443 | 49731 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:49.602946043 CEST | 49731 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:49.603300095 CEST | 49731 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:49.603313923 CEST | 443 | 49731 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:49.918915033 CEST | 443 | 49731 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:49.919009924 CEST | 49731 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:50.008554935 CEST | 49731 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:50.008569002 CEST | 443 | 49731 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:50.009458065 CEST | 443 | 49731 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:50.053241968 CEST | 49731 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:50.236330032 CEST | 49731 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:50.236330032 CEST | 49731 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:50.236550093 CEST | 443 | 49731 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:50.984241009 CEST | 443 | 49731 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:50.984322071 CEST | 443 | 49731 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:50.984366894 CEST | 443 | 49731 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:50.984375954 CEST | 49731 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:50.984395027 CEST | 443 | 49731 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:50.984431982 CEST | 49731 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:50.984438896 CEST | 443 | 49731 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:50.984750032 CEST | 443 | 49731 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:50.984786034 CEST | 443 | 49731 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:50.984788895 CEST | 49731 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:50.984800100 CEST | 443 | 49731 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:50.984832048 CEST | 49731 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:50.985323906 CEST | 443 | 49731 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:50.985682011 CEST | 443 | 49731 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:50.985719919 CEST | 49731 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:50.985727072 CEST | 443 | 49731 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:50.986377954 CEST | 443 | 49731 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:50.986416101 CEST | 49731 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:50.986423016 CEST | 443 | 49731 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:50.986526966 CEST | 443 | 49731 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:50.986583948 CEST | 49731 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:51.021748066 CEST | 49731 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:51.021764040 CEST | 443 | 49731 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:51.021778107 CEST | 49731 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:51.021781921 CEST | 443 | 49731 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:51.059062004 CEST | 49732 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:51.059093952 CEST | 443 | 49732 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:51.059185982 CEST | 49732 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:51.059487104 CEST | 49732 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:51.059499025 CEST | 443 | 49732 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:51.373191118 CEST | 443 | 49732 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:51.373284101 CEST | 49732 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:51.374557972 CEST | 49732 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:51.374567986 CEST | 443 | 49732 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:51.374900103 CEST | 443 | 49732 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:51.376085997 CEST | 49732 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:51.376209021 CEST | 49732 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:51.376280069 CEST | 443 | 49732 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:51.376382113 CEST | 49732 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:51.376394987 CEST | 443 | 49732 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:52.268080950 CEST | 443 | 49732 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:52.268467903 CEST | 443 | 49732 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:52.268539906 CEST | 49732 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:52.271702051 CEST | 49732 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:52.271723986 CEST | 443 | 49732 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:52.353688002 CEST | 49733 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:52.353728056 CEST | 443 | 49733 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:52.353792906 CEST | 49733 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:52.371819973 CEST | 49733 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:52.371834993 CEST | 443 | 49733 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:52.688962936 CEST | 443 | 49733 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:52.689168930 CEST | 49733 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:52.690345049 CEST | 49733 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:52.690354109 CEST | 443 | 49733 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:52.690630913 CEST | 443 | 49733 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:52.691785097 CEST | 49733 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:52.691895962 CEST | 49733 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:52.691926003 CEST | 443 | 49733 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:53.449810028 CEST | 443 | 49733 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:53.449913025 CEST | 443 | 49733 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:53.450014114 CEST | 49733 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:53.450139999 CEST | 49733 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:53.450164080 CEST | 443 | 49733 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:53.533775091 CEST | 49734 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:53.533817053 CEST | 443 | 49734 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:53.533891916 CEST | 49734 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:53.534194946 CEST | 49734 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:53.534209013 CEST | 443 | 49734 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:53.845582962 CEST | 443 | 49734 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:53.845820904 CEST | 49734 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:53.848186970 CEST | 49734 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:53.848193884 CEST | 443 | 49734 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:53.848427057 CEST | 443 | 49734 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:53.849709988 CEST | 49734 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:53.849849939 CEST | 49734 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:53.849880934 CEST | 443 | 49734 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:53.849958897 CEST | 49734 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:53.849967003 CEST | 443 | 49734 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:54.636591911 CEST | 443 | 49734 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:54.637003899 CEST | 443 | 49734 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:54.637177944 CEST | 49734 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:54.655247927 CEST | 49734 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:54.655281067 CEST | 443 | 49734 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:56.177694082 CEST | 49735 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:56.177738905 CEST | 443 | 49735 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:56.177809954 CEST | 49735 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:56.178292990 CEST | 49735 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:56.178306103 CEST | 443 | 49735 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:56.492996931 CEST | 443 | 49735 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:56.493185043 CEST | 49735 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:56.494360924 CEST | 49735 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:56.494369984 CEST | 443 | 49735 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:56.494688988 CEST | 443 | 49735 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:56.495754957 CEST | 49735 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:56.495857000 CEST | 49735 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:56.495887041 CEST | 443 | 49735 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:57.251162052 CEST | 443 | 49735 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:57.251301050 CEST | 443 | 49735 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:57.251388073 CEST | 49735 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:57.251418114 CEST | 49735 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:57.266966105 CEST | 49736 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:57.267009020 CEST | 443 | 49736 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:57.267124891 CEST | 49736 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:57.267481089 CEST | 49736 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:57.267498970 CEST | 443 | 49736 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:57.579824924 CEST | 443 | 49736 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:57.580149889 CEST | 49736 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:57.585406065 CEST | 49736 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:57.585429907 CEST | 443 | 49736 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:57.585767031 CEST | 443 | 49736 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:57.587198019 CEST | 49736 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:57.587403059 CEST | 49736 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:57.587415934 CEST | 443 | 49736 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:58.374918938 CEST | 443 | 49736 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:58.375082016 CEST | 443 | 49736 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:58.375251055 CEST | 49736 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:58.375252008 CEST | 49736 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:58.671936035 CEST | 49737 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:58.671976089 CEST | 443 | 49737 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:58.672072887 CEST | 49737 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:58.672362089 CEST | 49737 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:58.672379971 CEST | 443 | 49737 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:58.678277969 CEST | 49736 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:58.678318977 CEST | 443 | 49736 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:58.987936974 CEST | 443 | 49737 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:58.988014936 CEST | 49737 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:58.989687920 CEST | 49737 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:58.989696980 CEST | 443 | 49737 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:58.990041018 CEST | 443 | 49737 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:58.991425037 CEST | 49737 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:58.992326021 CEST | 49737 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:58.992366076 CEST | 443 | 49737 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:58.992482901 CEST | 49737 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:58.992523909 CEST | 443 | 49737 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:58.992674112 CEST | 49737 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:58.992711067 CEST | 443 | 49737 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:58.992865086 CEST | 49737 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:58.992893934 CEST | 443 | 49737 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:58.993092060 CEST | 49737 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:58.993120909 CEST | 443 | 49737 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:58.993323088 CEST | 49737 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:58.993357897 CEST | 49737 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:59.036138058 CEST | 443 | 49737 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:59.036370039 CEST | 49737 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:59.036411047 CEST | 49737 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:59.080118895 CEST | 443 | 49737 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:59.080327034 CEST | 49737 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:59.080374956 CEST | 49737 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:59.080389977 CEST | 49737 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:59.124125957 CEST | 443 | 49737 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:59.124326944 CEST | 49737 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:59.124372959 CEST | 49737 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:59.172111988 CEST | 443 | 49737 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:59.172301054 CEST | 49737 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:59.220118999 CEST | 443 | 49737 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:59.292660952 CEST | 443 | 49737 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:59.292793036 CEST | 49737 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:22:59.292862892 CEST | 443 | 49737 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:59.292890072 CEST | 443 | 49737 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:22:59.484277010 CEST | 443 | 49737 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:23:01.511112928 CEST | 443 | 49737 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:23:01.511389971 CEST | 49737 | 443 | 192.168.2.4 | 172.67.131.204 |
| May 4, 2024 22:23:01.511390924 CEST | 443 | 49737 | 172.67.131.204 | 192.168.2.4 |
| May 4, 2024 22:23:01.511450052 CEST | 49737 | 443 | 192.168.2.4 | 172.67.131.204 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| May 4, 2024 22:22:48.334726095 CEST | 49731 | 53 | 192.168.2.4 | 1.1.1.1 |
| May 4, 2024 22:22:48.493444920 CEST | 53 | 49731 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| May 4, 2024 22:22:48.334726095 CEST | 192.168.2.4 | 1.1.1.1 | 0x27a3 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| May 4, 2024 22:22:48.493444920 CEST | 1.1.1.1 | 192.168.2.4 | 0x27a3 | No error (0) | 172.67.131.204 | A (IP address) | IN (0x0001) | false | ||
| May 4, 2024 22:22:48.493444920 CEST | 1.1.1.1 | 192.168.2.4 | 0x27a3 | No error (0) | 104.21.4.79 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49730 | 172.67.131.204 | 443 | 6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-05-04 20:22:48 UTC | 268 | OUT | |
| 2024-05-04 20:22:48 UTC | 8 | OUT | |
| 2024-05-04 20:22:49 UTC | 814 | IN | |
| 2024-05-04 20:22:49 UTC | 7 | IN | |
| 2024-05-04 20:22:49 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port |
|---|---|---|---|---|
| 1 | 192.168.2.4 | 49731 | 172.67.131.204 | 443 |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-05-04 20:22:50 UTC | 269 | OUT | |
| 2024-05-04 20:22:50 UTC | 49 | OUT | |
| 2024-05-04 20:22:50 UTC | 808 | IN | |
| 2024-05-04 20:22:50 UTC | 561 | IN | |
| 2024-05-04 20:22:50 UTC | 1369 | IN | |
| 2024-05-04 20:22:50 UTC | 1369 | IN | |
| 2024-05-04 20:22:50 UTC | 1369 | IN | |
| 2024-05-04 20:22:50 UTC | 1369 | IN | |
| 2024-05-04 20:22:50 UTC | 1369 | IN | |
| 2024-05-04 20:22:50 UTC | 1369 | IN | |
| 2024-05-04 20:22:50 UTC | 1369 | IN | |
| 2024-05-04 20:22:50 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 49732 | 172.67.131.204 | 443 | 6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-05-04 20:22:51 UTC | 287 | OUT | |
| 2024-05-04 20:22:51 UTC | 15331 | OUT | |
| 2024-05-04 20:22:51 UTC | 2827 | OUT | |
| 2024-05-04 20:22:52 UTC | 808 | IN | |
| 2024-05-04 20:22:52 UTC | 22 | IN | |
| 2024-05-04 20:22:52 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.4 | 49733 | 172.67.131.204 | 443 | 6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-05-04 20:22:52 UTC | 286 | OUT | |
| 2024-05-04 20:22:52 UTC | 8779 | OUT | |
| 2024-05-04 20:22:53 UTC | 808 | IN | |
| 2024-05-04 20:22:53 UTC | 22 | IN | |
| 2024-05-04 20:22:53 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.4 | 49734 | 172.67.131.204 | 443 | 6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-05-04 20:22:53 UTC | 287 | OUT | |
| 2024-05-04 20:22:53 UTC | 15331 | OUT | |
| 2024-05-04 20:22:53 UTC | 5101 | OUT | |
| 2024-05-04 20:22:54 UTC | 802 | IN | |
| 2024-05-04 20:22:54 UTC | 22 | IN | |
| 2024-05-04 20:22:54 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.4 | 49735 | 172.67.131.204 | 443 | 6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-05-04 20:22:56 UTC | 286 | OUT | |
| 2024-05-04 20:22:56 UTC | 7079 | OUT | |
| 2024-05-04 20:22:57 UTC | 812 | IN | |
| 2024-05-04 20:22:57 UTC | 22 | IN | |
| 2024-05-04 20:22:57 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.4 | 49736 | 172.67.131.204 | 443 | 6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-05-04 20:22:57 UTC | 286 | OUT | |
| 2024-05-04 20:22:57 UTC | 1392 | OUT | |
| 2024-05-04 20:22:58 UTC | 806 | IN | |
| 2024-05-04 20:22:58 UTC | 22 | IN | |
| 2024-05-04 20:22:58 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.4 | 49737 | 172.67.131.204 | 443 | 6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-05-04 20:22:58 UTC | 288 | OUT | |
| 2024-05-04 20:22:58 UTC | 15331 | OUT | |
| 2024-05-04 20:22:58 UTC | 15331 | OUT | |
| 2024-05-04 20:22:58 UTC | 15331 | OUT | |
| 2024-05-04 20:22:58 UTC | 15331 | OUT | |
| 2024-05-04 20:22:58 UTC | 15331 | OUT | |
| 2024-05-04 20:22:58 UTC | 15331 | OUT | |
| 2024-05-04 20:22:58 UTC | 15331 | OUT | |
| 2024-05-04 20:22:58 UTC | 15331 | OUT | |
| 2024-05-04 20:22:58 UTC | 15331 | OUT | |
| 2024-05-04 20:22:58 UTC | 15331 | OUT | |
| 2024-05-04 20:23:01 UTC | 812 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 22:22:46 |
| Start date: | 04/05/2024 |
| Path: | C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.17272.18065.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xfd0000 |
| File size: | 578'048 bytes |
| MD5 hash: | BAB05624883FC9D5FE21F6E26C509C80 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 22:22:47 |
| Start date: | 04/05/2024 |
| Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x760000 |
| File size: | 65'440 bytes |
| MD5 hash: | 0D5DF43AF2916F47D00C1573797C1A13 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 0.7% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 1.7% |
| Total number of Nodes: | 1385 |
| Total number of Limit Nodes: | 24 |
Graph
Function 00FEA021 Relevance: .0, Instructions: 22COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FE010F Relevance: .0, Instructions: 12COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FE51EB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FD3D0A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FECD70 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01007C08 Relevance: 9.1, Strings: 7, Instructions: 344COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FEC1E9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FE8F57 Relevance: 6.2, APIs: 4, Instructions: 206fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FD67DD Relevance: 6.1, APIs: 4, Instructions: 70COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FEBE6D Relevance: 4.7, APIs: 3, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0103D918 Relevance: 4.1, Strings: 3, Instructions: 309COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01038228 Relevance: 1.9, Strings: 1, Instructions: 642COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FD64BC Relevance: 1.6, APIs: 1, Instructions: 147COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0101FCB8 Relevance: 1.6, Strings: 1, Instructions: 378COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FEC0C0 Relevance: 1.6, APIs: 1, Instructions: 83COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0103D5A8 Relevance: 1.6, Strings: 1, Instructions: 308COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FEC2EF Relevance: 1.5, APIs: 1, Instructions: 45COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FE5022 Relevance: 1.5, APIs: 1, Instructions: 33COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0103D288 Relevance: 1.5, Strings: 1, Instructions: 257COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FD6939 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01037E38 Relevance: 1.4, Strings: 1, Instructions: 176COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0103CCE8 Relevance: 1.4, Strings: 1, Instructions: 168COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0103CF08 Relevance: 1.4, Strings: 1, Instructions: 165COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FEC620 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010064B8 Relevance: .8, Instructions: 824COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01002578 Relevance: .6, Instructions: 609COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01004898 Relevance: .5, Instructions: 512COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 010354A8 Relevance: .2, Instructions: 179COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0100E7A8 Relevance: .1, Instructions: 129COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01001778 Relevance: .1, Instructions: 101COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01038D48 Relevance: .1, Instructions: 61COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0100BA68 Relevance: .0, Instructions: 21COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FF1093 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 147COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FD9628 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FF04BA Relevance: 12.2, APIs: 8, Instructions: 248COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FEEDED Relevance: 9.3, APIs: 6, Instructions: 298COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FD483B Relevance: 9.1, APIs: 6, Instructions: 65COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FE0131 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FE61EA Relevance: 7.7, APIs: 5, Instructions: 202COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FDA402 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FE8C63 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FDF50B Relevance: 6.1, APIs: 4, Instructions: 79COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FE9BF9 Relevance: 6.1, APIs: 4, Instructions: 74COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FD19D7 Relevance: 6.0, APIs: 4, Instructions: 48COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FD1AC9 Relevance: 6.0, APIs: 4, Instructions: 48COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FD1A50 Relevance: 6.0, APIs: 4, Instructions: 48COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FD99CD Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00FD1C4C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph
| Execution Coverage: | 15.5% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 9.5% |
| Total number of Nodes: | 433 |
| Total number of Limit Nodes: | 23 |
Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00427059 Relevance: 3.7, APIs: 2, Instructions: 742COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00426948 Relevance: 3.7, APIs: 2, Instructions: 676COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0043B550 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00428410 Relevance: 1.9, APIs: 1, Instructions: 387COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00430169 Relevance: .0, Instructions: 20COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0043AD26 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0043AA87 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004185D0 Relevance: 3.1, APIs: 2, Instructions: 64COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0043B22D Relevance: 1.6, APIs: 1, Instructions: 120COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0043AC2D Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0043B424 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004393AB Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 004392D0 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0042B978 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00437581 Relevance: 1.5, APIs: 1, Instructions: 31COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00430520 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 176clipboardCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |